Xen project Mailing List

Re: [PATCH] common: guest_physmap_add_page()'s return value needs checking

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 2 Sep 2021 09:00:17 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Du1n8tHvw2rKWfhNlde3mS2ais71qjhr//pscVaPcMY=; b=C/fWVH+ZsZzQaLVwa1JdOvT5CmkAbiYGUGbt9f8V1qlKSyNGCGrvlOnYznquIj8+Vg2CLTxPNpotNjS8cL62EXWsEkRrN+qiZ7JsleI9Y5V4ydv9CkO+XNm++lMtOvr8nBiJObIbEbytueZ1eDce8gpucl8FJ+pXdDAGra+XwEs0xBdkoFk4u/wOJ0J9yXTZrMPt7OQbt7pbyxZ+oduyzilKUjUeGmvkZeFSMLu/gDp1zF4JJnmcD144hBLzEtpGiYvpQEKhQwE3x3gk9t29+B29rPlwjOYfGHJza+4kU//0mn/SWCMuMOGz/mYeuDDd+uCQ2nrReMk+6Sf2bsxVyw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UlP1RISFv3UfrAUtTSxlXQ4IYloSQULwD6SZE/1E+Im4fflCi6MjkjLMXY10ia1jUxi1+q0k3265Cl4LxNpCXbwI+C+HDRUjMnGjFoKRjEsvMq+30IK1myP7c1LOdwmVpkSGmb4jDwu9pDKboyo4gwqH66Y2qSwJ2p+4ijDF6kbJaOkpI/WjZb6mAcK42xugWllIg5sTYXATQLrQtxo9ffWr7EBMOi4ve9X6Pn8UIPRqR6GwIjVwSmK3UkShYFUlwuZ8TQL89y3czIrpHLDKI0avaS2CB7DgZ+aEdYcZhS/oQ8uksyiPkc0rNy0JQKd/CV09KlHpmugdigTOB6kP5g==

Authentication-results: lists.xenproject.org; dkim=none (message not signed) header.d=none;lists.xenproject.org; dmarc=none action=none header.from=suse.com;

Cc: George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 02 Sep 2021 07:00:32 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01.09.2021 22:02, Andrew Cooper wrote: > On 01/09/2021 17:06, Jan Beulich wrote: >> The function may fail; it is not correct to indicate "success" in this >> case up the call stack. Mark the function must-check to prove all >> cases have been caught (and no new ones will get introduced). >> >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> >> --- >> In the grant-transfer case it is not really clear to me whether we can >> stick to setting GTF_transfer_completed in the error case. Since a guest >> may spin-wait for the flag to become set, simply not setting the flag is >> not an option either. I was wondering whether we may want to slightly >> alter (extend) the ABI and allow for a GTF_transfer_committed -> >> GTF_transfer_completed transition (i.e. clearing GTF_transfer_committed >> at the same time as setting GTF_transfer_completed). > > Considering there are no production users of gnttab_transfer(), we can > do what we want. It was introduced for (IIRC) netlink2 and never got > into production, and then we clobbered it almost entirely in an XSA > several years ago by restricting steal_page() to PV guests only. > > As a consequence, we can do anything which seems sensible, and does not > necessarily need to be bound by a guest spinning on the bit. Is this a "yes, let's go that route" then? Or rather leaving it to me, i.e. translating "we can do anything which seems sensible" to "feel free to do anything which seems sensible"? Which might as well be what is there right now, and hence there could be the implied question of whether your reply could be translated to an ack. > The concept of gnttab_transfer() alone is crazy from an in-guest memory > management point of view. We could alternatively save our future selves > more trouble by just Kconfig'ing it out now, deleting it in several > releases time, and fogetting about the problem as nothing will break in > practice. I might ack such an initial patch. I might even consider making one myself as long as it's agreed that the option will need to default to y. I might also ack such a subsequent patch. But I would not want to be the one to propose a patch removing functionality. I think I did say more than once in the past that I don't think we can validly remove anything from the public interface, as we will never be able to _prove_ there's no user anywhere. An exception might only be in cases where we can prove certain functionality could never have been used successfully for its intended or any other purpose. (For example, recently I've [again] been considering to fully disable XENMEM_increase_reservation for translated guests, rather than just leaving it useless by not reporting back the allocated MFNs.) Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.