[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH][4.17?] x86: also zap secondary time area handles during soft reset

  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 25 Oct 2022 17:58:10 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TRC46gAylqR+KERkvSuW4X0HQ7Hd1weNXfSpL0gBtG8=; b=oVEuT/nw1kR4NqIk7guabnypFXzK07FuRPf2rCqzlgSFSxM5DkZNliPbrsr28pQxcyi8v2ypjXj2M6jyviGYfPxV3e+fy/aszZvuvkalAxnCRxnYSZPj36e2njwZYHRDY0ixydgrSNNP3VW2Jlwb5TBVayv9SOC69SCQAZE49o3CVaRBxJDR5+Wrqz12Nj1adourF06UmmB5CQLBC3oo14YvZRkyBEJTPkGsi3oosLocIcgSHHnoN3lRy8kjfMBuLjzPxZ/NKuHLPxj3D2FUzHyupKuzlW5RaPBPPrvsNpUJkoNJxLmg+7LzA0Jph7Zz9FioibqFzXzO7lerbGi1nw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gW8s4Die/PZFLnTMlWwnrjtwHN/rzRD/CyU+bP5FIe6EdAFXv67TuHIM5sSKX6kNJQ3R3lS3Rfv6WmzdoZEMkZW5Vw0lOJbrhwAYgOugU+iw/1seFKPHVqze8CXaVTXoMqidyjuzuRhKQ+eMjTpwj2Txy3wD0tln16+GaZeoLJ6Yj1LnMpEcHX7tFmb+hqy8c/MNcRpvgZaoA+AgDQAX8n9zR9fyv+Ps8ykabB4nuVKIiw/V8r9LnfycXYkLrO9cBVaIUuSkA5HatlyyGZkn9ebxhHfoTufisBxlnfu0WdAuQanV++AzlTJcasIlTn0et2VtB0rF3/EFwMdpofDBgg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
  • Delivery-date: Tue, 25 Oct 2022 15:58:22 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 25.10.2022 17:23, Roger Pau Monné wrote:
> On Thu, Oct 13, 2022 at 08:48:21AM +0200, Jan Beulich wrote:
>> Just like domain_soft_reset() properly zaps runstate area handles, the
>> secondary time area ones also need discarding to prevent guest memory
>> corruption once the guest is re-started.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thanks.

>> ---
>> To avoid another for_each_vcpu() here, domain_soft_reset() could also
>> be made call a new arch_vcpu_soft_reset() out of its already present
>> loop. Yet that would make the change less isolated.
>>
>> In domain_soft_reset() I wonder whether, just like done here, the
>> zapping of runstate area handles and vCPU info mappings wouldn't better
>> be done after all operations which can fail. But perhaps for this to
>> matter the domain is left in too inconsistent a state anyway if the
>> function fails ...
> 
> We would need some kind of recovery anyway, so given the current code
> and lack of recovery it doesn't seem to matter much.
> 
>> However, at the very least I wonder whether x86'es
>> restriction to HVM shouldn't leave PV guests undisturbed if a soft-reset
>> was attempted on them. Right now they not only have state partially
>> clobbered, but (if the arch function is reached) they would be crashed
>> unconditionally.
> 
> It's a toolstack initiated operation by a domctl, so I'm fine with
> saying that it's up for the toolstack to prevent soft resets from
> being attempted against PV domains.  Would be nice to reject the
> operation earlier on the hypervisor, maybe by moving
> arch_domain_soft_reset() earlier in domain_soft_reset() so that we
> can return without crashing?

I wasn't sure about moving arch_domain_soft_reset() as a whole, but
yes, if that wouldn't cause other interaction issues this might be
an option.

> In any case it's unlikely for a domain that was attempting a soft
> reset to survive the hypervisor rejecting the operation, so it doesn't
> matter much whether the domain is crashed by Xen or left as-is I would
> think.

I'm sorry, I don't think I understand what you're saying here. For
PV I'd very much expect the guest to survive; it may of course then
be crashed or destroyed by a further tool stack operation.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.