[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held

To: Jan Beulich <jbeulich@xxxxxxxx>, Tamas K Lengyel <tamas.k.lengyel@xxxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Wed, 23 Dec 2020 14:44:05 +0000
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Tamas K Lengyel <lengyelt@xxxxxxxxxxxx>, Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 23 Dec 2020 14:44:13 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>



On 23/12/2020 13:41, Jan Beulich wrote:

On 23.12.2020 14:33, Julien Grall wrote:

On 23/12/2020 13:12, Jan Beulich wrote:

 From the input by both of you I still can't
conclude whether this patch should remain as is in v4, or revert
back to its v2 version. Please can we get this settled so I can get
v4 out?


I haven't had time to investigate the rest of the VM event code to find
other cases where this may happen. I still think there is a bigger
problem in the VM event code, but the maintainer disagrees here.

At which point, I see limited reason to try to paper over in the common
code. So I would rather ack/merge v2 rather than v3.


Since I expect Tamas and/or the Bitdefender folks to be of the
opposite opinion, there's still no way out, at least if "rather
ack" implies a nak for v3.

The only way out here is for someone to justify why this patch issufficient for the VM event race. I am not convinced it is (see more below).

Personally, if this expectation of
mine is correct, I'd prefer to keep the accounting but make it
optional (as suggested in a post-commit-message remark).
That'll eliminate the overhead you appear to be concerned of,
but of course it'll further complicate the logic (albeit just
slightly).

I am more concerned about adding over complex code that would justpapering over a bigger problem. I also can't see use of it outside ofthe VM event discussion.

I had another look at the code. As I mentioned in the past,vm_put_event_request() is able to deal with d != current->domain (itwill set VM_EVENT_FLAG_FOREIGN). There are 4 callers for the function:

   1) p2m_mem_paging_drop_page()
   2) p2m_mem_paging_populate()
   3) mem_sharing_notify_enomem()
   4) monitor_traps()

1) and 2) belongs to the mem paging subsystem. Tamas suggested that itwas abandoned.


4) can only be called with the current domain.

This leave us 3) in the mem sharing subsystem. As this is call thememory hypercalls, it looks possible to me that d != current->domain.The code also seems to be maintained (there were recent non-trivialchanges).

Can one of the VM event developper come up with a justification why thispatch enough to make the VM event subsystem safe?

FAOD, the justification should be solely based on the hypervisor code(IOW not external trusted software).


Cheers,

--
Julien Grall

Follow-Ups:
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Tamas K Lengyel
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Jan Beulich

References:
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Julien Grall
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Jan Beulich
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Julien Grall
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Tamas K Lengyel
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Julien Grall
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Tamas K Lengyel
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Jan Beulich
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Julien Grall
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Tamas K Lengyel
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Jan Beulich
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Julien Grall
- Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
  - From: Jan Beulich

Prev by Date: Re: [PATCH for-4.15 4/4] xen/iommu: x86: Don't leak the IOMMU page-tables
Next by Date: Re: [PATCH for-4.15 1/4] xen/iommu: Check if the IOMMU was initialized before tearing down
Previous by thread: Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
Next by thread: Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.