[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6 2/7] xen/events: don't allow binding a global virq from any domain

  • To: Jürgen Groß <jgross@xxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 8 Jan 2025 10:34:02 +0100
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 08 Jan 2025 09:34:25 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 08.01.2025 10:02, Jürgen Groß wrote:
> On 07.01.25 17:38, Jan Beulich wrote:
>> On 07.01.2025 17:07, Jürgen Groß wrote:
>>> On 07.01.25 16:34, Jan Beulich wrote:
>>>> On 07.01.2025 11:17, Juergen Gross wrote:
>>>>> @@ -479,8 +486,13 @@ int evtchn_bind_virq(evtchn_bind_virq_t *bind, 
>>>>> evtchn_port_t port)
>>>>>        */
>>>>>        virq = array_index_nospec(virq, ARRAY_SIZE(v->virq_to_evtchn));
>>>>>    
>>>>> -    if ( virq_is_global(virq) && (vcpu != 0) )
>>>>> -        return -EINVAL;
>>>>> +    if ( virq_is_global(virq) )
>>>>> +    {
>>>>> +        if ( get_global_virq_handler(virq) != d )
>>>>> +            return -EBUSY;
>>>>
>>>> Hmm. While this eliminates the problem for the common, race free case,
>>>> the handler changing right after the check would still mean the bind
>>>> would succeed.
>>>
>>> Are you fine with me adding a paragraph to the commit message saying
>>> that a future patch will handle this case?
>>>
>>> This future patch is patch 4 of the series, which will need to be
>>> modified to check the handling domain inside the event_lock.
>>
>> I think this would be okay, so long as patches 2...4 are then also all
>> committed together.
>>
>>>> Plus this way you're breaking a case that afaict has been working so
>>>> far: The bind happening before the setting of the handler. With a lot
>>>> of unrelated if-s and when-s this could e.g. be of interest when
>>>> considering a re-startable Xenstore domain. The one to take over could
>>>> start first, obtain state from the original one while that's still
>>>> active, and be nominated the handler of the global vIRQ only in the
>>>> last moment.
>>>
>>> This is a racy situation, too. If the old domain receives the virq after
>>> sending the state, this would need to be handled by transferring the virq
>>> information to the new domain, which can result in a never ending story.
>>>
>>> This is the reason why the domain state bitmap is reset to contain all
>>> existing domains to be flagged as "changed", as otherwise a change might
>>> get lost.
>>>
>>> I'd rather be able to handle today's use cases in a sane way than to try
>>> handling any weird future use cases which we don't know yet.
>>>
>>> I think today's behavior is more or less insane and the new behavior is
>>> much easier to understand and more intuitive.
>>
>> Hmm, I'd like to leave this then for input by other maintainers.
> 
> Just one additional remark to your re-startable xenstore domain scenario
> above:
> 
> It wouldn't be possible today to do the same with a xenstore daemon in
> e.g. dom0, as binding the virq another time from within the same domain
> would be rejected by the hypervisor. In the xenstore domain case you'd
> either need the old domain to ask dom0 to change the handler (so much
> about less communication needed),

Not quite. There needs to be an indication anyway of info transfer being
complete. That'll be where Dom0 would then (also) put in place the new
handler. The vIRQ first arriving in the new XS domain could then serve
as an indication that it is now in charge of the system; I didn't check
whether a courtesy one would be sent right away, or whether such sending
might need adding. (Plus anyway - XS is only an example here.)

Jan

> or you'd need to give the xenstore domain
> the right to do the handler change itself, requiring to use flask or to
> modify the dummy XSM rights of the xenstore domain.
> 
> 
> Juergen

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.