[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/CET: Fix __initconst_cf_clobber

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 3 Mar 2022 08:35:16 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VbeiCm2e1x/yLymCk0s7vQDaAs+AoczwFGivaOIU1IU=; b=UlN563YoiJnCDWyE0YDlk01gARZvvr34BgxhUBNzidipWWHBfCwqmf07jw2V0GoW5uV2QL6xg100TW0wjEj/wzjXQjxaWuL1ACyuGjyjEhEvp656WHLBbwqNeePzvhhBHH/usaY6H06B4jb/OsHtwcgqFCpODdUR1khRaA1uHJeDL9yxOy3//09ivYcnZNbRyPgdOWTFEKHpyHlg4b5Md7aXbJlrfbA7kvmZ7hkSIbtgsOjoI+pO3KXhKBHYzN8ZOKFPMmsxQzOiuRSRzEtL/bOhl01FxhiLKnI8JAVUjih3LjjIvuaWGcq3cVSA6ajk4o79vc/pVyIQ729VHtopww==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=h6w8Par4tztUlh96tKk6ol+FFWGwBnLuTZi5zoDZd87i2RwnJY1gWTWE8ycpGGLf7APgzM6yWgyXJfrhFHpI6ML+oqqgKzzhOSOwpEiQXLO5s4W9P8ZwQLz51RuK1TFufjG37uHpHLNM8bbcFqw5V9R5XBL3Mv/cMT5YQFoXgP0LeYwx0G6Jv15SqIlob9xuKO+ROINPumWuiI7WaxsCggRqfVtZKqAyhztCfb4+4zLi2TMbDFbmxUXhq3TAai4gjRgxz/KBVcsOI87ZD6DLwh8zEHPAwJkA7qCVKdNZCdDgnwafS8dDcIxUb70Azb2QpP9f+nIsRBNY0lrs0MD/Ww==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 03 Mar 2022 07:35:46 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 02.03.2022 23:10, Andrew Cooper wrote:
> The linker script collecting .init.rodata.* ahead of .init.rodata.cf_clobber
> accidentally causes __initconst_cf_clobber to be a no-op.
> 
> Rearrange the linker script to unbreak this.
> 
> The IOMMU adjust_irq_affinities() hooks currently violate the safety
> requirement for being cf_clobber, by also being __initcall().
> 
> Consolidate to a single initcall using iommu_call() (satisfying the cf_clobber
> safety requirement), and also removes the dubious property that we'd call into
> both vendors IOMMU drivers on boot, relying on the for_each_*() loops to be
> empty for safety.
> 
> With this fixed, an all-enabled build of Xen has 1681 endbr64's (1918
> including .init.text) with 382 (23%) being clobbered during boot.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

This will do for the immediate purpose, so:
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

> I was unsure whether to go common or x86 spefific IOMMU code, so went with the
> conservative option.  The final hunk can trivially move if preferred.

The hook is x86-specific, so the wrapper should be too (and the existing
inline wrapper also is).

> --- a/xen/arch/x86/xen.lds.S
> +++ b/xen/arch/x86/xen.lds.S
> @@ -210,6 +210,12 @@ SECTIONS
>    DECL_SECTION(.init.data) {
>  #endif
>  
> +       . = ALIGN(POINTER_ALIGN);
> +       __initdata_cf_clobber_start = .;
> +       *(.init.data.cf_clobber)
> +       *(.init.rodata.cf_clobber)
> +       __initdata_cf_clobber_end = .;
> +
>         *(.init.rodata)
>         *(.init.rodata.*)

I wonder if this shouldn't really be two sections. Live-patching will
need to supply two ranges to apply_alternatives() anyway (one for each
section, unless you want to start requiring to pass a linker script to
"$(LD) -r" when generating live patches, just to fold the two sections),
so in the core hypervisor we may want to follow suit.

> --- a/xen/drivers/passthrough/x86/iommu.c
> +++ b/xen/drivers/passthrough/x86/iommu.c
> @@ -462,6 +462,12 @@ bool arch_iommu_use_permitted(const struct domain *d)
>              likely(!p2m_get_hostp2m(d)->global_logdirty));
>  }
>  
> +static int cf_check __init adjust_irq_affinities(void)
> +{
> +    return iommu_call(&iommu_ops, adjust_irq_affinities);
> +}
> +__initcall(adjust_irq_affinities);

I assume it is intentional that you didn't re-use the inline wrapper,
to avoid its (then non-__init) instantiation to stay with an ENDBR.
Yet then you could at least _call_ that wrapper here, instead of open-
coding it. And I further think the iommu_enabled checks should move out
of the vendor functions, plus the hook also has no need anymore to have
a return type of int. I guess I'll make a follow-on patch if you don't
want to fold this in here.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.