Re: [PATCH][4.17?] x86: also zap secondary time area handles during soft reset
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Tue, 25 Oct 2022 17:23:53 +0200
- Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
- Delivery-date: Tue, 25 Oct 2022 15:24:19 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Oct 13, 2022 at 08:48:21AM +0200, Jan Beulich wrote:
> Just like domain_soft_reset() properly zaps runstate area handles, the
> secondary time area ones also need discarding to prevent guest memory
> corruption once the guest is re-started.
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

> ---
> To avoid another for_each_vcpu() here, domain_soft_reset() could also
> be made to call a new arch_vcpu_soft_reset() out of its already present
> loop. Yet that would make the change less isolated.
>
> In domain_soft_reset() I wonder whether, just like done here, the
> zapping of runstate area handles and vCPU info mappings wouldn't better
> be done after all operations which can fail. But perhaps for this to
> matter the domain is left in too inconsistent a state anyway if the
> function fails ...

We would need some kind of recovery anyway, so given the current code
and lack of recovery it doesn't seem to matter much.

> However, at the very least I wonder whether x86's
> restriction to HVM shouldn't leave PV guests undisturbed if a soft-reset
> was attempted on them. Right now they not only have state partially
> clobbered, but (if the arch function is reached) they would be crashed
> unconditionally.

It's a toolstack initiated operation by a domctl, so I'm fine with
saying that it's up to the toolstack to prevent soft resets from
being attempted against PV domains. Would be nice to reject the
operation earlier on the hypervisor, maybe by moving
arch_domain_soft_reset() earlier in domain_soft_reset() so that we
can return without crashing?

In any case it's unlikely for a domain that was attempting a soft
reset to survive the hypervisor rejecting the operation, so it doesn't
matter much whether the domain is crashed by Xen or left as-is I would
think.

Thanks, Roger.