[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/hvm: Clean up track_dirty_vram() calltree

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 28 Jul 2020 16:54:09 +0100
  • Authentication-results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Tue, 28 Jul 2020 15:54:26 +0000
  • Ironport-sdr: fNUJfxBsaAtfnz8WwdLmKRjJy4+x5tliyGcJyedIBFbzqOIKLKwIVZD9b285TXQU2XXIL5adQJ owlFaLNCsN0hZcHd2uXpPb9AQzZhGpnjCEbK5HtTxM+TY3ps8A14yxPAbqBQ/svf0CLb5BDSOR A3W+KSbgRpTDUe7Nd8BgsaGGyYuZ9Wo60anePXdIihv5QTPUS956Oa9LpOjmRkoM3LDQgWz+Do JiOye1H0/4exIvUVgiMWsmrqx6JrqN/3QAEn+8rYvhTygr+oyJXK/vTL3pmnpcTpInS26PqCv2 hko=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 23/07/2020 11:25, Jan Beulich wrote:
> On 23.07.2020 11:40, Andrew Cooper wrote:
>> On 22/07/2020 17:13, Jan Beulich wrote:
>>> On 22.07.2020 17:15, Andrew Cooper wrote:
>>>>  * Rename nr to nr_frames.  A plain 'nr' is confusing to follow in the the
>>>>    lower levels.
>>>>  * Use DIV_ROUND_UP() rather than opencoding it in several different ways
>>>>  * The hypercall input is capped at uint32_t, so there is no need for
>>>>    nr_frames to be unsigned long in the lower levels.
>>>>
>>>> No functional change.
>>>>
>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>
>>> I'd like to note though that ...
>>>
>>>> --- a/xen/arch/x86/mm/hap/hap.c
>>>> +++ b/xen/arch/x86/mm/hap/hap.c
>>>> @@ -58,16 +58,16 @@
>>>>  
>>>>  int hap_track_dirty_vram(struct domain *d,
>>>>                           unsigned long begin_pfn,
>>>> -                         unsigned long nr,
>>>> +                         unsigned int nr_frames,
>>>>                           XEN_GUEST_HANDLE(void) guest_dirty_bitmap)
>>>>  {
>>>>      long rc = 0;
>>>>      struct sh_dirty_vram *dirty_vram;
>>>>      uint8_t *dirty_bitmap = NULL;
>>>>  
>>>> -    if ( nr )
>>>> +    if ( nr_frames )
>>>>      {
>>>> -        int size = (nr + BITS_PER_BYTE - 1) / BITS_PER_BYTE;
>>>> +        unsigned int size = DIV_ROUND_UP(nr_frames, BITS_PER_BYTE);
>>> ... with the change from long to int this construct will now no
>>> longer be correct for the (admittedly absurd) case of a hypercall
>>> input in the range of [0xfffffff9,0xffffffff]. We now fully
>>> depend on this getting properly rejected at the top level hypercall
>>> handler (which limits to 1Gb worth of tracked space).
>> I don't see how this makes any difference at all.
>>
>> Exactly the same would be true in the old code for an input in the range
>> [0xfffffffffffffff9,0xffffffffffffffff], where the aspect which protects
>> you is the fact that the hypercall ABI truncates to 32 bits.
> Exactly: The hypercall ABI won't change. The GB(1) check up the call
> tree may go away, without the then arising issue being noticed.

The ABI is equally as like to change as the 1G limit.  Either both
issues will be fixed (and almost certainly together), or neither will
change forever more.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.