Re: [PATCH] xen: io: Fix race between sending an I/O and domain shutdown

[Julien Grall <julien@xxxxxxx>]

Hi,

On 06/05/2022 15:09, Durrant, Paul wrote:
> On 05/05/2022 18:51, Julien Grall wrote:
> > From: Julien Grall <jgrall@xxxxxxxxxx>
> >
> > Xen provides hypercalls to shutdown (SCHEDOP_shutdown{,_code}) and
> > resume a domain (XEN_DOMCTL_resumedomain). They can be used for 
> > checkpoint
> > where the expectation is the domain should continue as nothing happened
> > afterwards.
> >
> > hvmemul_do_io() and handle_pio() will act differently if the return
> > code of hvm_send_ioreq() (resp. hvmemul_do_pio_buffer()) is 
> > X86EMUL_RETRY.
> > In this case, the I/O state will be reset to STATE_IOREQ_NONE (i.e
> > no I/O is pending) and/or the PC will not be advanced.
> >
> > If the shutdown request happens right after the I/O was sent to the
> > IOREQ, then emulation code will end up to re-execute the instruction
> > and therefore forward again the same I/O (at least when reading IO port).
> >
> > This would be problem if the access has a side-effect. A dumb example,
> > is a device implementing a counter which is incremented by one for every
> > access. When running shutdown/resume in a loop, the value read by the
> > OS may not be the old value + 1.
> >
> > Add an extra boolean in the structure hvm_vcpu_io to indicate whether
> > the I/O was suspend. This is then used in place of checking the domain
> > is shutting down in hvmemul_do_io() and handle_pio() as they should
> > act on suspend (i.e. vcpu_start_shutdown_deferral() returns false) rather
> > than shutdown.
> >
> > Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
> Reviewed-by: Paul Durrant <paul@xxxxxxx>
Thanks! I have committed it.

Cheers,

--
Julien Grall