Xen project Mailing List

Re: [PATCH] x86/irq: Skip unmap_domain_pirq XSM during destruction

To: Jason Andryuk <jandryuk@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 30 Mar 2022 14:27:52 -0400

Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1648664891; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=V2Cdfw3qsK6arRjmn+bz49KzU3r8AsJyQmv3h+FjNVo=; b=Fyoy4bkvX0d8PKAk22h3RWjg6IeERLrmfY1TL29fNlGyhzn7qAXpT7Beq5J4L5MnhiPDXzZ/LWESgV5U8hHDZaa9vw/SIf6jidxo6+MtesKz4k47wlh4jLtaB+KoQ3esBRTJKFrYVXYUE7q4wyfHVHwwu/jh0O1bxMXeayn0pjI=

Arc-seal: i=1; a=rsa-sha256; t=1648664891; cv=none; d=zohomail.com; s=zohoarc; b=npZtWjcW4Y/J370lH6QVMiYy9WI+s2IOK+SeiAbizYO9bdln5eUaKsMeFGpPv0i1pSgb7gnBT0QmaUY48HgBkvrHKqRekcEPfjHCxY/XymldtDWqXQ9XRaqYWhLECfFbfR2BYg8rmMNHm2rP/lFi1cBgotu+i3n/hfYY26FFUDQ=

Cc: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Wed, 30 Mar 2022 18:28:29 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 3/30/22 14:17, Jason Andryuk wrote: > xsm_unmap_domain_irq was seen denying unmap_domain_pirq when called from > complete_domain_destroy as an RCU callback. The source context was an > unexpected, random domain. Since this is a xen-internal operation, > we don't want the XSM hook denying the operation. > > Check d->is_dying and skip the check when the domain is dead. The RCU > callback runs when a domain is in that state. > > Suggested-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> > Signed-off-by: Jason Andryuk <jandryuk@xxxxxxxxx> > --- > Dan wants to change current to point at DOMID_IDLE when the RCU callback > runs. I think Juergen's commit 53594c7bd197 "rcu: don't use > stop_machine_run() for rcu_barrier()" may have changed this since it > mentions stop_machine_run scheduled the idle vcpus to run the callbacks > for the old code. > > Would that be as easy as changing rcu_do_batch() to do: > > + /* Run as "Xen" not a random domain's vcpu. */ > + vcpu = get_current(); > + set_current(idle_vcpu[smp_processor_id()]); > list->func(list); > + set_current(vcpu); > > or is using set_current() only acceptable as part of context_switch? > > xen/arch/x86/irq.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c > index 285ac399fb..16488d287c 100644 > --- a/xen/arch/x86/irq.c > +++ b/xen/arch/x86/irq.c > @@ -2340,10 +2340,14 @@ int unmap_domain_pirq(struct domain *d, int pirq) > nr = msi_desc->msi.nvec; > } > > - ret = xsm_unmap_domain_irq(XSM_HOOK, d, irq, > - msi_desc ? msi_desc->dev : NULL); > - if ( ret ) > - goto done; > + /* When called by complete_domain_destroy via RCU, current is a random > + * domain. Skip the XSM check since this is a Xen-initiated action. */ > + if ( d->is_dying != DOMDYING_dead ) { > + ret = xsm_unmap_domain_irq(XSM_HOOK, d, irq, > + msi_desc ? msi_desc->dev : NULL); > + if ( ret ) > + goto done; > + } > > forced_unbind = pirq_guest_force_unbind(d, info); > if ( forced_unbind ) I think this is sufficient though IMHO it would make it stronger if current accurately reflected the idle domain and the condition was added to the if statement check this fact. Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.