Re: [PATCH v2 5/8] evtchn: drop acquiring of per-channel lock from send_guest_{global,vcpu}_virq()

[Julien Grall <julien@xxxxxxx>]

On 30/10/2020 10:49, Jan Beulich wrote:
> On 30.10.2020 11:38, Julien Grall wrote:
> > On 22/10/2020 17:17, Jan Beulich wrote:
> > > On 22.10.2020 18:00, Roger Pau Monné wrote:
> > > > On Tue, Oct 20, 2020 at 04:10:09PM +0200, Jan Beulich wrote:
> > > > > --- a/xen/include/xen/event.h
> > > > > +++ b/xen/include/xen/event.h
> > > > > @@ -177,9 +177,16 @@ int evtchn_reset(struct domain *d, bool
> > > > >     * Low-level event channel port ops.
> > > > >     *
> > > > >     * All hooks have to be called with a lock held which prevents the channel
> > > > > - * from changing state. This may be the domain event lock, the per-channel
> > > > > - * lock, or in the case of sending interdomain events also the other side's
> > > > > - * per-channel lock. Exceptions apply in certain cases for the PV shim.
> > > > > + * from changing state. This may be
> > > > > + * - the domain event lock,
> > > > > + * - the per-channel lock,
> > > > > + * - in the case of sending interdomain events the other side's per-channel
> > > > > + *   lock,
> > > > > + * - in the case of sending non-global vIRQ-s the per-vCPU virq_lock (in
> > > > > + *   combination with the ordering enforced through how the vCPU's
> > > > > + *   virq_to_evtchn[] gets updated),
> > > > > + * - in the case of sending global vIRQ-s vCPU 0's virq_lock.
> > > > > + * Exceptions apply in certain cases for the PV shim.
> > > > Having such a wide locking discipline looks dangerous to me, it's easy
> > > > to get things wrong without notice IMO.
> > > It is effectively only describing how things are (or were before
> > > XSA-343, getting restored here).
> > I agree with Roger here, the new/old locking discipline is dangerous and
> > it is only a matter of time before it will bite us again.
> >
> > I think we should consider Juergen's series because the locking for the
> > event channel is easier to understand.
> We should, yes. The one thing I'm a little uneasy with is the
> new lock "variant" that gets introduced. Custom locking methods
> also are a common source of problems (which isn't to say I see
> any here).
I am also unease with a new lock "variant". However, this is the best 
proposal I have seen so far to unblock the issue.
I am open to other suggestion with simple locking discipline.

> > With his series in place, this patch will become unecessary.
> It'll become less important, but not pointless - any unnecessary
> locking would better be removed imo.
They may be unnecessary today but if tomorrow someone decide to rework 
the other lock, then you are just re-opening a security hole.
IHMO, having a sane locking system is far more important than removing 
locking that look "unnecessary".
> I'd also like to note that the non-straightforward locking rules
> wouldn't really change with his series; the benefit there really
> is the dropping of the need for IRQ-safe locking.
Well, it is at least going towards that...

Cheers,

> Jan
--
Julien Grall