[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 1/7] xen/evtchn: Make sure all buckets below d->valid_evtchns are allocated

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Rahul Singh <Rahul.Singh@xxxxxxx>
  • Date: Tue, 23 Aug 2022 13:37:53 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r6iR3S46dWIUjSMBrPPm3OsX7PDxF1r1RXfppAAM7wI=; b=HAawhK/imx6EiKcAg7XIRopRnaVoV7qE/XQShZGA+IWoX8xyG++9/+9TbiLsMI7PKkeJQn2Y1dYMc/e/ayxQUHdH02E9FLEWkFukPC3WFmdi7+4SEBffk9sSIDQcbH5w7ktKpkO4mekPYA63hksM0sxOOFZpuYU3kUvZ9OfHO+gfrYnsK5e4uCHX3jgEmubj+BKavDrkcucNxlEp4UCnBds80eJuiTCzzMjYGTaBatrrwdETX4VlWJVSTcfr5XSEqRrEGEi/nvsR/41EfA59bMOpyL19sITSfPWlWrtFxIJWfR1lxDUCR1cILRXNCy2Hh0om3s2dffj4G45PzTWFUA==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r6iR3S46dWIUjSMBrPPm3OsX7PDxF1r1RXfppAAM7wI=; b=Xc/3AtYyA86VwGipgrUYE7oqqQUiwZpiZ3rc8RdCZHGszvU55+Q4r073Egr7J/luBZPfwSSqdXbyeH9oh0vH5d5UBvz4+EYRuVA2oT2aVSH+4QM+xwDiAvXWuEIKq7B3JQMVlapaTNvAJJ/0QQaC/Tb2B1CSmjNQ76Up2w5O+CfKd77qgLvXmWMPj0hIcuAnBEEo38AbfJhAmrDw1BWOpUK1ut+ZujMaqWhlYi7EDBgtTMGWENSsRI5cMBPQfhqxfDUatyi6bjaEwZoGBgz2Jl4d4v7kgsIQF0shYmZa5ubcL461lEbFdB+XoqvuBnFB49YCaQ0zGtAiszdC9cenIA==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=g/mYTfwnyG3Myi76WbOAV/O4ewHwS18BxLpmQP9wReuHSaXFHqNQi2bvxWWRsD2DzJiALWOpg8ObnYX14fV0g5W3EwpXLf3V8ebXd4ZwDxiQMDOSR/MoEYchAhauwxlCSsV8orI7x1zYae3QAeVezk3/v4KlpI+jzAAT0+2ykclQEygfrOIT1leClBHsSOVGmxTHhHDIJDbwMAFTY1DScEmM7PEfdUCyirht84V5+h9u5A9Zh4KLQv7sgVjMchjxsccgIB4yqDMkeHBs/TNjwQGAVfM7ATGzvGjYaQoPk+WDtp2CMvlwcO8wdMzhOwV/NYO3uXO/NHHm/gd5cqpvRA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Wa2OagDb4oOsqvcoLjTyCI1rybCwlJWYA2lukZzfvm6AhaVOhbBBZnk5olBNIsTo52Bmc8dFNwV3Gh5YqsFUNYZ9s8hKHqedYN/eH5+JGt/fxIAFZG2JdxBMGN+RyXKbpuSJOUQoXULo6cufEV6BUyt83ejFuKl7/s4+vQPR5EumSQ7RaFJuZFB5+qF+5znUduhbWBtpn4YCdA9L7Q0WIkjwpXHMi79p+qOgQQeFueKA9s8WNeeZM5J4dld94etMfYErDTJTnCfIq1ZE06trPST6lWnPpG8jbZFpQ4FdqsERQa2s90+fwVBSleYconLmBTvuJMie3Y4dywsVc5Jg3Q==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Julien Grall <jgrall@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 23 Aug 2022 13:38:30 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHYs7Lvc0AvEyJ80UCxAzG31ZD5Bq266TIAgAGaf4A=
  • Thread-topic: [PATCH v2 1/7] xen/evtchn: Make sure all buckets below d->valid_evtchns are allocated
Hi Jan.

> On 22 Aug 2022, at 2:08 pm, Jan Beulich <jbeulich@xxxxxxxx> wrote:
> 
> On 19.08.2022 12:02, Rahul Singh wrote:
>> From: Julien Grall <jgrall@xxxxxxxxxx>
>> 
>> Since commit 01280dc19cf3 "evtchn: simplify port_is_valid()", the event
>> channels code assumes that all the buckets below d->valid_evtchns are
>> always allocated.
>> 
>> This assumption hold in most of the situation because a guest is not
>> allowed to chose the port. Instead, it will be the first free from port
>> 0.
>> 
>> When using Guest Transparent Migration and LiveUpdate, we will only
>> preserve ports that are currently in use. As a guest can open/close
>> event channels, this means the ports may be sparse.
>> 
>> The existing implementation of evtchn_allocate_port() is not able to
>> deal with such situation and will end up to override bucket or/and leave
>> some bucket unallocated. The latter will result to a droplet crash if
>> the event channel belongs to an unallocated bucket.
>> 
>> This can be solved by making sure that all the buckets below
>> d->valid_evtchns are allocated. There should be no impact for most of
>> the situation but LM/LU as only one bucket would be allocated. For
>> LM/LU, we may end up to allocate multiple buckets if ports in use are
>> sparse.
>> 
>> A potential alternative is to check that the bucket is valid in
>> is_port_valid(). This should still possible to do it without taking
>> per-domain lock but will result a couple more of memory access.
>> 
>> Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
>> Signed-off-by: Rahul Singh <rahul.singh@xxxxxxx>
> 
> While I'm mostly okay with the code, I think the description wants
> changing / amending as long as the features talked about above aren't
> anywhere near reaching upstream (afaict), to at least _also_ mention
> the goal you have with this.

Ok. I will remove this and add that we need this patch to support static event 
channel.
Something like:
“ When static event channel support will be added for dom0less domains
  user can request to allocate the evtchn port numbers that are scattered
  in nature."

> 
>> Changes in v2:
>> - new patch in this version to fix the security issue
> 
> I guess you mean "avoid", not "fix".

Ack. 
> 
>> @@ -207,30 +216,35 @@ int evtchn_allocate_port(struct domain *d, 
>> evtchn_port_t port)
>>     }
>>     else
>>     {
>> -        struct evtchn *chn;
>> -        struct evtchn **grp;
>> -
>> -        if ( !group_from_port(d, port) )
>> +        do
>>         {
>> -            grp = xzalloc_array(struct evtchn *, BUCKETS_PER_GROUP);
>> -            if ( !grp )
>> -                return -ENOMEM;
>> -            group_from_port(d, port) = grp;
>> -        }
>> +            struct evtchn *chn;
>> +            struct evtchn **grp;
>> +            unsigned int alloc_port = read_atomic(&d->valid_evtchns);
>> 
>> -        chn = alloc_evtchn_bucket(d, port);
>> -        if ( !chn )
>> -            return -ENOMEM;
>> -        bucket_from_port(d, port) = chn;
>> +            if ( !group_from_port(d, alloc_port) )
>> +            {
>> +                grp = xzalloc_array(struct evtchn *, BUCKETS_PER_GROUP);
>> +                if ( !grp )
>> +                    return -ENOMEM;
>> +                group_from_port(d, alloc_port) = grp;
>> +            }
>> 
>> -        /*
>> -         * d->valid_evtchns is used to check whether the bucket can be
>> -         * accessed without the per-domain lock. Therefore,
>> -         * d->valid_evtchns should be seen *after* the new bucket has
>> -         * been setup.
>> -         */
>> -        smp_wmb();
>> -        write_atomic(&d->valid_evtchns, d->valid_evtchns + 
>> EVTCHNS_PER_BUCKET);
>> +            chn = alloc_evtchn_bucket(d, alloc_port);
>> +            if ( !chn )
>> +                return -ENOMEM;
>> +            bucket_from_port(d, alloc_port) = chn;
>> +
>> +            /*
>> +             * d->valid_evtchns is used to check whether the bucket can be
>> +             * accessed without the per-domain lock. Therefore,
>> +             * d->valid_evtchns should be seen *after* the new bucket has
>> +             * been setup.
>> +             */
>> +            smp_wmb();
>> +            write_atomic(&d->valid_evtchns,
>> +                         d->valid_evtchns + EVTCHNS_PER_BUCKET);
>> +        } while ( port >= read_atomic(&d->valid_evtchns) );
> 
> This updating of d->valid_evtchns looks a little inconsistent to me,
> wrt the uses of {read,write}_atomic(). To make obvious that there's
> an implicit expectation that no 2nd invocation of this function
> could race the updates, I'd recommend reading allocate_port ahead
> of the loop and then never again. Here you'd then do
> 
>            smp_wmb();
>            allocate_port += EVTCHNS_PER_BUCKET;
>            write_atomic(&d->valid_evtchns, allocate_port);
>        } while ( port >= allocate_port );
> 
> at the same time rendering the code (imo) a little more legible.
> 
> Jan

Ack. I will fix this as suggested by you I next version.

Regards,
Rahul

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.