[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] tools/libxc: use uint32_t for pirq in xc_domain_irq_permission

  • To: Julien Grall <julien@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
  • From: Igor Druzhinin <igor.druzhinin@xxxxxxxxxx>
  • Date: Thu, 8 Jul 2021 03:06:00 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wOrYbItSG9VbjUWIXGRVeYj+90dusnZu5+vaJUfv72M=; b=HPAStzO9OW4V4RWtYnLY8MHXl6JZqMqXv6cH+J3lcjwPHYd/c6A/4C9FebdRKnItxyP6Od8AYiQpTQ3Kf9ZoNwwZ3FQYjLDJfqfZHK0eRZcOXZ6UqN318t3e1dxB7qYhsfTlG2/pC0et896FDXiBLG6tnJWeRQUIQVxf+PlHQ6EFCwYzTu220RVmd3CNjF+qlshWIox+1pUyes31m86MNy+CUJSBzgkyU9LxPffSJZ9WUKK4gYV8SGMsk0Cn1W8FdBt+bryrKP8OFdhQ7Mptjh7J4RTGJAKWsF/S/6AH02MQ3OVwAF6xpwO0IiONg651lpnPGkjfCRigsF+3GIQPGA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LaVSX26S6AiB52xOD4iC8oBjlRmkE/6yVkq7pq0e4XGaNLI8dBig1fJr5kFwAGY7H30TLAtMnN+jJ8DDCZj+e2fLyz0XcsQgz6IOdii3INCT9XT+WkrnYvzRNCCSIcgwwOYsg+K5RPQf1ufZ0F1w3Hq+2RxUk8b0NiG2YV8YGp3Sl2gX3xF/TS55bImVKpj84SEUn8NN8OGREuq7FWg5vJwkODdYSloX5zaquN8Ffn3Zqk1dgumUM4YawqblnzV0T1kXfxU+ugCvJl6J0JmeDyX9BNIiFJzZ/3rRPv4th/IrKhzvpxH1QzaceqddPYhsLH/HNcr2Eu+jphY1pz0uxA==
  • Authentication-results: esa6.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: <iwj@xxxxxxxxxxxxxx>, <wl@xxxxxxx>, <andrew.cooper3@xxxxxxxxxx>, <george.dunlap@xxxxxxxxxx>, <sstabellini@xxxxxxxxxx>, <jgross@xxxxxxxx>, <christian.lindig@xxxxxxxxxx>, <dave@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 08 Jul 2021 02:06:21 +0000
  • Ironport-hdrordr: A9a23:y189FKione9kr20LZYSxuj59HXBQXzR13DAbv31ZSRFFG/FwyP rBoB1L73DJYWgqNE3I+erhBEGBKUmskqKdkrNhQotKOzOWxldATbsSkbcKpgeAJ8SQzJ8n6U 4NSdkGNDS0NykGsS+Y2njKLz9D+qj+zEnAv463pB0BPGIaCdAU0+46MHf8LqQffng3OXNTLu v42iMonUvFRZ1aVLXAOpFTNNKz1uEj2aiWLiIuNloC0k2jnDmo4Ln1H1yx2QofaSpGxfMH/X LemwL0y62/u7XjoyWsllP73tBzop/M29FDDMuDhow8LSjtsB+hYMBEV6eZtD44jemz4BIBkc XKoT0nI8NvgkmhMF2dkF/I4U3NwTwu43jtxRuzmn34u/H0Qzo8Fo5omZ9ZWgGx0TtjgPhMlI Zwm06JvZteCh3N2A7n4cLTah1snk2o5VI/jO8oiWBFW4d2Us4TkWUmxjIQLH48JlO81Gh+e9 MeSv00pcwmMW9yVkqp+1WGm7eXLy0O9n7seDlxhiSXuwIm1kyRgXFonPD2Mx87hdsAoqJ/lp P525JT5fpzp/8tHNZA7dg6ML2K40z2MF/x2TGpUBja/J9uAQOEl3ew2sRv2N2X
  • Ironport-sdr: N9pNVU/J6k6tWZkopQdavz1+mSioRJyQE5qCeio68Fdf/axsevV2Tbx6nN3sEEYd87sP+5w+w+ qQ1GJ8feBn2WYIu0eC+ssba1YnvZiqXiDx0Nx6iZt+g09xlUjvVrvAIIIg4X3tIg3a6LQ5Dody TL2mX3m4ns4+e+dukTztCUc+nGGY4EzQpXsuug2PMtW4n7fobsi1BJYSMBEj7VcOX1rBoDh7F3 gKsZSDNB3ykZygHeVZxTHwXRJe2iUJgW7762MvlnwG82gcAvDyG4rRCuVGMwTewVI0PecJIsMG olQ=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 07/07/2021 14:21, Julien Grall wrote:

On 07/07/2021 14:14, Jan Beulich wrote:

On 07.07.2021 14:59, Julien Grall wrote:

On 07/07/2021 13:54, Jan Beulich wrote:

On 07.07.2021 14:51, Julien Grall wrote:

On 07/07/2021 02:02, Igor Druzhinin wrote:

Current unit8_t for pirq argument in this interface is too restrictive
causing failures on modern hardware with lots of GSIs. That extends down to
XEN_DOMCTL_irq_permission ABI structure where it needs to be fixed up
as well. Internal Xen structures appear to be fine. Existing users of
the interface in tree (libxl, ocaml and python bindings) are already using
int for pirq representation that should be wide enough.


By "int", I am assuming you imply "signed int", is that correct?


Yes, just "int" in the meaning "signed int" - I can clarify that in the 
description.


If so, should the function xc_domain_irq_permission() interface take an
int in parameter and check it is not negative?


Please let's not make things worse than they are, the more that


Well, what I am trying to prevent is surprise where the caller
mistakenly pass a negative value that will be interpreted as a positive
value...


This happens all the time when converting from signed to unsigned
perhaps just internally.


I am not sure what's your point... Yes there are place in Xen that switch 
between signed and unsigned. We likely have some (latent) problem because of 
that...


Callers of libxc interface shouldn't have been using signed int at all.
They just happen to do it at least in-tree - that's what I found and mentioned
in the description. At the same time "int" type is for now wide enough so there
is no immediate rush to fix them up.

That gets a little bit tricky with bindings - they themselves expose pirq
as int. So a negative value could be passed by the caller and, given other
similar interace functions like xc_physdev_map_pirq() are using "int pirq"
to signal an error as negative value, that could be misinterpreted by lower
levels.

We can add extra checks in bindings to avoid passing all negative values to
libxc level. Would this be good enough?


Such issues are beyong annoying to debug...


No worse than any other out-of-bounds value, I would say.


  > ./CODING_STYLE is unambiguous in cases like this one.

Hmmm... The coding style mention the fixed size but nothing about the
signedness of the type...


Oh, sorry, yes. The adjustment for this even pre-dates the two
patches to ./CODING_STYLE that I've on record as pending for
nearly two years.


The alternative suggestion is to keep a unsigned type but check the bit
31 is not set.


Why? Why not bit 30 or bit 27? There's nothing special about
bit 31 in an unsigned number.


Bit 31 is the signed bit for signed number. The check would make sure that:
  1) The value will fit other hypercall (the PIRQ is described as int in a few 
of the structure)
  2) Catch potentially caller that would use the number that could potentially 
be interpreted as negative by other part of the hypervisor.

That said, I can live with the implicit signed -> unsigned convertion, however 
the commit message should at least be clarified because it is misleading.


Could you specify which statement exactly is misleading (or needs clariying)
in the commit message?

Igor

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.