Xen project Mailing List

Re: [PATCH v2 5/8] evtchn: drop acquiring of per-channel lock from send_guest_{global,vcpu}_virq()

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 22 Oct 2020 18:00:55 +0200

Authentication-results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>

Delivery-date: Thu, 22 Oct 2020 16:01:15 +0000

Ironport-sdr: WnF1brx971V3mH0zByaXpVYo/7QElDkSbf7CJ+0Mu4aF1TXQfgP6m/1tAKRdbv5sMQSpqTVT7O sf4cUlwJawvZ/hPJwlMx5YMVCKYb/kjomjuP1nY/ydukI8xgbN6FrGD5lmvQB77mgN3BlsNvrI G/yQKzamKKTZpgmRhHjnawAwqgUm2BkClNVqOLKAXWoQHEsbas/dthAtEM4u7HhjajsIyVqGGn 2XLrFWnGClNTVqh3suCTvpVn2KQKwFKMFToWzdEmUfqEoytX9GYZ6HVfgVUQmF3LWdfeogGfnq Ji8=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Oct 20, 2020 at 04:10:09PM +0200, Jan Beulich wrote: > The per-vCPU virq_lock, which is being held anyway, together with there > not being any call to evtchn_port_set_pending() when v->virq_to_evtchn[] > is zero, provide sufficient guarantees. This is also fine because closing the event channel will be done with the VIRQ hold held also AFAICT. > Undo the lock addition done for > XSA-343 (commit e045199c7c9c "evtchn: address races with > evtchn_reset()"). Update the description next to struct evtchn_port_ops > accordingly. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > --- > v2: New. > > --- a/xen/common/event_channel.c > +++ b/xen/common/event_channel.c > @@ -794,7 +794,6 @@ void send_guest_vcpu_virq(struct vcpu *v > unsigned long flags; > int port; > struct domain *d; > - struct evtchn *chn; > > ASSERT(!virq_is_global(virq)); > > @@ -805,10 +804,7 @@ void send_guest_vcpu_virq(struct vcpu *v > goto out; > > d = v->domain; > - chn = evtchn_from_port(d, port); > - spin_lock(&chn->lock); > - evtchn_port_set_pending(d, v->vcpu_id, chn); > - spin_unlock(&chn->lock); > + evtchn_port_set_pending(d, v->vcpu_id, evtchn_from_port(d, port)); > > out: > spin_unlock_irqrestore(&v->virq_lock, flags); > @@ -837,9 +833,7 @@ void send_guest_global_virq(struct domai > goto out; > > chn = evtchn_from_port(d, port); > - spin_lock(&chn->lock); > evtchn_port_set_pending(d, chn->notify_vcpu_id, chn); > - spin_unlock(&chn->lock); > > out: > spin_unlock_irqrestore(&v->virq_lock, flags); > --- a/xen/include/xen/event.h > +++ b/xen/include/xen/event.h > @@ -177,9 +177,16 @@ int evtchn_reset(struct domain *d, bool > * Low-level event channel port ops. > * > * All hooks have to be called with a lock held which prevents the channel > - * from changing state. This may be the domain event lock, the per-channel > - * lock, or in the case of sending interdomain events also the other side's > - * per-channel lock. Exceptions apply in certain cases for the PV shim. > + * from changing state. This may be > + * - the domain event lock, > + * - the per-channel lock, > + * - in the case of sending interdomain events the other side's per-channel > + * lock, > + * - in the case of sending non-global vIRQ-s the per-vCPU virq_lock (in > + * combination with the ordering enforced through how the vCPU's > + * virq_to_evtchn[] gets updated), > + * - in the case of sending global vIRQ-s vCPU 0's virq_lock. > + * Exceptions apply in certain cases for the PV shim. Having such a wide locking discipline looks dangerous to me, it's easy to get things wrong without notice IMO. Maybe we could add an assert to that effect in evtchn_port_set_pending in order to make sure callers follow the discipline? Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.