
Re: [PATCH v4 02/11] vpci: cancel pending map/unmap on vpci removal




On 15.11.21 18:56, Jan Beulich wrote:
> On 05.11.2021 07:56, Oleksandr Andrushchenko wrote:
>> From: Oleksandr Andrushchenko <oleksandr_andrushchenko@xxxxxxxx>
>>
>> When a vPCI is removed for a PCI device it is possible that we have
>> scheduled a delayed work for map/unmap operations for that device.
>> For example, the following scenario can illustrate the problem:
>>
>> pci_physdev_op
>>     pci_add_device
>>         init_bars -> modify_bars -> defer_map -> raise_softirq(SCHEDULE_SOFTIRQ)
>>     iommu_add_device <- FAILS
>>     vpci_remove_device -> xfree(pdev->vpci)
>>
>> leave_hypervisor_to_guest
>>     vpci_process_pending: v->vpci.mem != NULL; v->vpci.pdev->vpci == NULL
>>
>> For the hardware domain we continue execution as the worst that
>> can happen is that MMIO mappings are left in place when the
>> device has been deassigned.
> Is continuing safe in this case? I.e. isn't there the risk of a NULL
> deref?
I think it is safe to continue, as long as vpci_process_pending bails out
before dereferencing the freed pdev->vpci.
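Something along these lines is what I have in mind (a sketch only, the
exact context in vpci_process_pending may differ):

    /*
     * Sketch: bail out early if the vPCI structure of the device has
     * already been freed, so nothing is dereferenced through the stale
     * pdev->vpci pointer; just drop the pending rangeset.
     */
    if ( v->vpci.mem && !v->vpci.pdev->vpci )
    {
        rangeset_destroy(v->vpci.mem);
        v->vpci.mem = NULL;
        return false;
    }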
>
>> For unprivileged domains that get a failure in the middle of a vPCI
>> {un}map operation we need to destroy them, as we don't know in which
>> state the p2m is. This can only happen in vpci_process_pending for
>> DomUs as they won't be allowed to call pci_add_device.
> You saying "we need to destroy them" made me look for a new domain_crash()
> that you add, but there is none. What is this about?
Yes, I guess we need to explicitly crash such a domain, as the
domain_crash() call is indeed missing here.
@Roger, are you ok with that?
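Roughly what I have in mind in vpci_process_pending's failure path (a
sketch only; rc here stands for the error code of the failed {un}map):

    if ( rc && !is_hardware_domain(v->domain) )
    {
        /*
         * We don't know in which state the p2m was left by the failed
         * {un}map, so the only safe option for a DomU is to crash it.
         */
        domain_crash(v->domain);
    }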
>
>> @@ -165,6 +164,18 @@ bool vpci_process_pending(struct vcpu *v)
>>       return false;
>>   }
>>   
>> +void vpci_cancel_pending(const struct pci_dev *pdev)
>> +{
>> +    struct vcpu *v = current;
>> +
>> +    /* Cancel any pending work now. */
> Doesn't "any" include pending work on all vCPU-s of the guest, not
> just current? Is current even relevant (as in: part of the correct
> domain), considering ...
>
>> --- a/xen/drivers/vpci/vpci.c
>> +++ b/xen/drivers/vpci/vpci.c
>> @@ -51,6 +51,8 @@ void vpci_remove_device(struct pci_dev *pdev)
>>           xfree(r);
>>       }
>>       spin_unlock(&pdev->vpci->lock);
>> +
>> +    vpci_cancel_pending(pdev);
> ... this code path, when coming here from pci_{add,remove}_device()?
>
> I can agree that there's a problem here, but I think you need to
> properly (i.e. in a race free manner) drain pending work.
Yes, the code is inconsistent in this respect. I am thinking about something like:

void vpci_cancel_pending(const struct pci_dev *pdev)
{
    struct domain *d = pdev->domain;
    struct vcpu *v;

    /* Cancel any pending work for this device on all vCPUs of the domain. */
    domain_lock(d);
    for_each_vcpu ( d, v )
    {
        /*
         * Pause the vCPU so it cannot be in the middle of
         * vpci_process_pending while its pending rangeset is dropped.
         */
        vcpu_pause(v);
        if ( v->vpci.mem && v->vpci.pdev == pdev )
        {
            rangeset_destroy(v->vpci.mem);
            v->vpci.mem = NULL;
        }
        vcpu_unpause(v);
    }
    domain_unlock(d);
}

which seems to address all the concerns. Is this what you mean?
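The vcpu_pause()/vcpu_unpause() pair is meant to guarantee that the vCPU
cannot be inside vpci_process_pending while its pending rangeset is being
dropped, and domain_lock() is meant to serialise this against concurrent
callers of vpci_cancel_pending.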
>
> Jan
>
Thank you,
Oleksandr

 

