[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/2] xen/arm: p2m: Populate pages for GICv2 mapping in arch_domain_create()

  • To: Julien Grall <julien@xxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Thu, 20 Oct 2022 07:45:15 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pakc4jwgdwAmapOlRtJkMWGKWBnO41Nij/FL96uvn18=; b=NwwpffyN5TEgSpsDsHTBGfTN0djJtf9Rhk3TulOKCsE3/aeeudT7/hp8MMVf0G/gLrZcSJZn6tejY2dIRE7tRhnJ5EISwsWiDXIwAwAtr93xjb4rIMwvfUsBhkZaLDBG6OmJDV60HgqX6Sc2EcQFlwfRRWvaZMyKL3i/7mNMzrorju9mTSunpSY9agbf4y+9FDFp3T7a4FbbCwKGrVOR1IMpqw/X2p1XGmKLQToQF1AGGa2hY/VO1NFCiLMAC04kl4ZYYoOo073FJHRMW64HbDAlTcNJ+ycfdltoIeItZHSLtnUY5wbWeNiTIXauNmsZQiSEqb130L2SEP7vaGz3Cg==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pakc4jwgdwAmapOlRtJkMWGKWBnO41Nij/FL96uvn18=; b=ms3m+/nA2l89hz4YODGUIvJbz41XAsU8Q9bwAmPqFG6Fa4kRhqNl08qiDgcgPbjS2kE32GrNiywkWRL+a9mRcBY3s67Kv8wWlTlCwHTTAlT5n8NWeNQ4+IPqYe1tO+Mvnsi85gKgtD9WoUiJS4vMlqwbpljuOwP3ium18JmV/ZKBSHEUppTn9PtrASolNAhwRYAkLsGZp5G+vtuSUrFTLiAylv+Q9V79fpSst3Y3DcfE7B0SznpcE24GMwpXRK4VN2+qXW+XMxQD7D8nVcZhkqgRvkVjfiyptbmO9RbXWfqk2YYiZkNjZJS8RC0Cf/wxpHYd9oaR1/7p3agcf6iQUQ==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=XNsW2v1v9PTkpX7rMysTQymiQZTXy78X4Y2rTlxinvGbJ3FkDaZKuN5eTIMKX02uGN+CC8wVtT2MVFQwEkORmR9OlgFuziO1etWn2SlmnEQMIBMnTKgjHWmwRegKFik6rm5W8ART+WbsexT01U3vJb9BjO0MBUMU8gzS9TJNheKUVTmiOiPtfGOeOLXxIumF4AKv1mHB2Qz32shKr9O1Na8m3d89K6SybGtz8GfXCZ1UUlR3YM50RBun5S79cfWSP1w4n2cJ23Yuyp5IXZXS75EeF4dSfehy+0ZcH5JXLAZaf6XR5OZkdwsWUDlcZO6U8b8Nvq3B8ucfAt27/KUTeg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RNwx7000mYo9GhqIyXLOcAWnaUmmvXTpVTtoos3TDkXAkr/QAHzJGNRrZkZO1kGjen1lGqDE5sxJw+WZ0sDhwBF+l+YyskK6PlRSsinoHPLhiVNvpwUV3OwUQdPdriX6xW1DK71fQZ7BzuX69ksDyetlknmx31mpc5NsCEp7yKiqJvAMDNPRaV1iwwYlNklq9fm0V7Uj1vrvXBsjpxzlctC7LS4yRa19BTGjypKoy56tKSLAq2k06uBaU767w+v2Ggdvfsqo5Aehp6dFeQVstYcWsXE4MyXeoWRldZULZn10pTQu/S42MHVm0QFayTykAfFFcu7Bc/Sggq2/YdvGFQ==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Thu, 20 Oct 2022 07:45:39 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHY4lyDZWCrsBxeFk+1cow2xbojCa4TC2qAgAAU4ACAABPHgIADC1WAgAARXoCAAJpKAA==
  • Thread-topic: [PATCH 2/2] xen/arm: p2m: Populate pages for GICv2 mapping in arch_domain_create()
Hi Julien,

> On 19 Oct 2022, at 23:33, Julien Grall <julien@xxxxxxx> wrote:
> 
> Hi Andrew,
> 
> On 19/10/2022 22:30, Andrew Cooper wrote:
>> On 18/10/2022 00:01, Julien Grall wrote:
>>>>> ... you are hardcoding both p2m_teardown() and p2m_set_allocation().
>>>>> IMO this is not an improvement at all. It is just making the code more
>>>>> complex than necessary and lack all the explanation on the assumptions.
>>>>> 
>>>>> So while I am fine with your patch #1 (already reviewed it), there is
>>>>> a better patch from Henry on the ML. So we should take his (rebased)
>>>>> instead of yours.
>>>> 
>>>> If by better, you mean something that still has errors, then sure.
>>>> 
>>>> There's a really good reason why you cannot safely repurpose
>>>> p2m_teardown().  It's written expecting a fully constructed domain -
>>>> which is fine because that's how it is used.  It doesn't cope safely
>>>> with an partially constructed domain.
>>> 
>>> It is not 100% clear what is the issue you are referring to as the
>>> VMID is valid at this point. So what part would be wrong?
>> Falling over a bad root pointer from an early construction exit.
> 
> You have been mentioning that several time now but I can't see how this
> can happen. If you look at Henry's second patch, p2m_teardown() starts
> with the following check:
> if ( page_list_empty(&p2m->pages) )
>   return;
> 
> Per the logic in p2m_init(), the root pages have to be allocated (note they 
> are *not* allocated from the P2M pool) and the VMID as well before any pages 
> could be added in the list.
> 
>>> But if there are part of p2m_teardown() that are not safe for
>>> partially constructed domain, then we should split the code. This
>>> would be much better that the duplication you are proposing.
>> You have two totally different contexts with different safety
>> requirements.  c/s 55914f7fc9 is a reasonably good and clean separation
>> between preemptible and non-preemptible cleanup[1].
> 
> The part you mention in [1] was decided to be delayed post 4.17 for 
> development cycle reasons.
> 
>> You've agreed that the introduction of the non-preemptible path to the
>> preemptible path is a hack and layering violation, and will need undoing
>> later.  Others have raised this concern too.
> 
> [...]
> 
>> Also realise that you've now split the helper between regular hypercall
>> context, and RCU context, and recall what happened when we finally
>> started asserting that memory couldn't be allocated in stop-machine context.
>> How certain are you that the safety is the same on earlier versions of
>> Xen?
> I am pretty confident because the P2M code has not changed a lot.
> 
>> What is the likelihood that all of these actions will remain safe
>> given future development?
> Code always evolve and neither you (nor I) can claim that any work will stay 
> safe forever. In your patch proposal, then the risk is a bug could be 
> duplicated.
> 
>> Despite what is being claimed, the attempt to share cleanup logic is
>> introducing fragility and risk, not removing it.
> 
> I find interesting you are saying that... If we were going to move 
> p2m_teardown() in domain_teardown() then we would end up to share the code.
> 
> To me, this is not very different here because in one context it would be 
> preemptible while the other it won't. At which point...
> 
>>   This is a bugfix for
>> to a security fix issue which is totally dead on arrival; net safety,
>> especially in older versions of the Xen, is *the highest priority*.
>> These two different contexts don't share any common properties of how to
>> clean up the pool, save freeing the frames back to the memory
>> allocator.  In a proper design, this is the hint that they shouldn't
>> share logic either
> ... why is your design better than what Henry's proposed?
> 
>> Given that you do expect someone to spend yet-more time&effort to undo
>> the short term hack currently being proposed, how do you envisage the
>> end result looking?
> 
> The end result will be p2m_teardown() & co to be called from 
> domain_teardown().
> 
> Anyway, this discussion doesn't make us closer to come to an agreement on the 
> correct approach. We have both very diverging opinion and so far I haven't 
> seen any strong reasons that is showing yours is better.
> 
> So unless Bertrand or Stefano agree with you, then I will go ahead and merge 
> Henry's patch tomorrow after a final review.

At this stage, I still do not get the NULL pointer case as from my point of 
view the list_empty done at the beginning is making that case impossible.
We have a currently blocked status where any GICv2 based board is not booting 
and we all know that Henry’s solution will need to be reworked post 4.17.

So I will give my reviewed-by on Henry’s patch so that we have a short term 
solution giving us more time to discuss and find a proper solution.

Cheers
Bertrand


> 
> Cheers,
> 
> -- 
> Julien Grall

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.