[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v6 2/7] xen/events: don't allow binding a global virq from any domain
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Jürgen Groß <jgross@xxxxxxxx>
- Date: Tue, 7 Jan 2025 17:07:41 +0100
- Autocrypt: addr=jgross@xxxxxxxx; keydata= xsBNBFOMcBYBCACgGjqjoGvbEouQZw/ToiBg9W98AlM2QHV+iNHsEs7kxWhKMjrioyspZKOB ycWxw3ie3j9uvg9EOB3aN4xiTv4qbnGiTr3oJhkB1gsb6ToJQZ8uxGq2kaV2KL9650I1SJve dYm8Of8Zd621lSmoKOwlNClALZNew72NjJLEzTalU1OdT7/i1TXkH09XSSI8mEQ/ouNcMvIJ NwQpd369y9bfIhWUiVXEK7MlRgUG6MvIj6Y3Am/BBLUVbDa4+gmzDC9ezlZkTZG2t14zWPvx XP3FAp2pkW0xqG7/377qptDmrk42GlSKN4z76ELnLxussxc7I2hx18NUcbP8+uty4bMxABEB AAHNH0p1ZXJnZW4gR3Jvc3MgPGpncm9zc0BzdXNlLmNvbT7CwHkEEwECACMFAlOMcK8CGwMH CwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCw3p3WKL8TL8eZB/9G0juS/kDY9LhEXseh mE9U+iA1VsLhgDqVbsOtZ/S14LRFHczNd/Lqkn7souCSoyWsBs3/wO+OjPvxf7m+Ef+sMtr0 G5lCWEWa9wa0IXx5HRPW/ScL+e4AVUbL7rurYMfwCzco+7TfjhMEOkC+va5gzi1KrErgNRHH kg3PhlnRY0Udyqx++UYkAsN4TQuEhNN32MvN0Np3WlBJOgKcuXpIElmMM5f1BBzJSKBkW0Jc Wy3h2Wy912vHKpPV/Xv7ZwVJ27v7KcuZcErtptDevAljxJtE7aJG6WiBzm+v9EswyWxwMCIO RoVBYuiocc51872tRGywc03xaQydB+9R7BHPzsBNBFOMcBYBCADLMfoA44MwGOB9YT1V4KCy vAfd7E0BTfaAurbG+Olacciz3yd09QOmejFZC6AnoykydyvTFLAWYcSCdISMr88COmmCbJzn sHAogjexXiif6ANUUlHpjxlHCCcELmZUzomNDnEOTxZFeWMTFF9Rf2k2F0Tl4E5kmsNGgtSa aMO0rNZoOEiD/7UfPP3dfh8JCQ1VtUUsQtT1sxos8Eb/HmriJhnaTZ7Hp3jtgTVkV0ybpgFg w6WMaRkrBh17mV0z2ajjmabB7SJxcouSkR0hcpNl4oM74d2/VqoW4BxxxOD1FcNCObCELfIS auZx+XT6s+CE7Qi/c44ibBMR7hyjdzWbABEBAAHCwF8EGAECAAkFAlOMcBYCGwwACgkQsN6d 1ii/Ey9D+Af/WFr3q+bg/8v5tCknCtn92d5lyYTBNt7xgWzDZX8G6/pngzKyWfedArllp0Pn fgIXtMNV+3t8Li1Tg843EXkP7+2+CQ98MB8XvvPLYAfW8nNDV85TyVgWlldNcgdv7nn1Sq8g HwB2BHdIAkYce3hEoDQXt/mKlgEGsLpzJcnLKimtPXQQy9TxUaLBe9PInPd+Ohix0XOlY+Uk QFEx50Ki3rSDl2Zt2tnkNYKUCvTJq7jvOlaPd6d/W0tZqpyy7KVay+K4aMobDsodB3dvEAs6 ScCnh03dDAFgIq5nsB11j3KPKdVoPlfucX2c7kGNH+LUMbzqV6beIENfNexkOfxHfw==
- Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
- Delivery-date: Tue, 07 Jan 2025 16:07:52 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 07.01.25 16:34, Jan Beulich wrote:
On 07.01.2025 11:17, Juergen Gross wrote:
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -120,6 +120,13 @@ static uint8_t
get_xen_consumer(xen_event_channel_notification_t fn)
/* Get the notification function for a given Xen-bound event channel. */
#define xen_notification_fn(e) (xen_consumers[(e)->xen_consumer-1])
+static struct domain *global_virq_handlers[NR_VIRQS] __read_mostly;
Nit: While you move this line around, it would be nice if the attribute
could then also move to its canonical place (between type and identifier).
+static struct domain *get_global_virq_handler(unsigned int virq)
+{
+ return global_virq_handlers[virq] ?: hardware_domain;
+}
+
static bool virq_is_global(unsigned int virq)
{
switch ( virq )
@@ -479,8 +486,13 @@ int evtchn_bind_virq(evtchn_bind_virq_t *bind,
evtchn_port_t port)
*/
virq = array_index_nospec(virq, ARRAY_SIZE(v->virq_to_evtchn));
- if ( virq_is_global(virq) && (vcpu != 0) )
- return -EINVAL;
+ if ( virq_is_global(virq) )
+ {
+ if ( get_global_virq_handler(virq) != d )
+ return -EBUSY;
Hmm. While this eliminates the problem for the common, race free case,
the handler changing right after the check would still mean the bind
would succeed.
Are you fine with me adding a paragraph to the commit message saying
that a future patch will handle this case?
This future patch is patch 4 of the series, which will need to be
modified to check the handling domain inside the event_lock.
Plus this way you're breaking a case that afaict has been working so
far: The bind happening before the setting of the handler. With a lot
of unrelated if-s and when-s this could e.g. be of interest when
considering a re-startable Xenstore domain. The one to take over could
start first, obtain state from the original one while that's still
active, and be nominated the handler of the global vIRQ only in the
last moment.
This is a racy situation, too. If the old domain receives the virq after
sending the state, this would need to be handled by transferring the virq
information to the new domain, which can result in a never ending story.
This is the reason why the domain state bitmap is reset to contain all
existing domains to be flagged as "changed", as otherwise a change might
get lost.
I'd rather be able to handle today's use cases in a sane way than to try
handling any weird future use cases which we don't know yet.
I think today's behavior is more or less insane and the new behavior is
much easier to understand and more intuitive.
Juergen
Attachment:
OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
|
