[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [PATCH v5 2/8] xen/arm: allocate static shared memory to the default owner dom_io

  • To: Julien Grall <julien@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Penny Zheng <Penny.Zheng@xxxxxxx>
  • Date: Mon, 4 Jul 2022 07:20:24 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=hTKVQx3g0DNIMIBckUhZBcEWumL0Uzie8AvhI3YjEE4=; b=hDg3yqwLMH2MAn5g3B3SUXeW/BQXb1V+Tt6UcorwLgUafUASYr9f2RR5lGthqf+pd45VlRXVA2T9mFXH6tbpX+lt6d/JrWSIC6BkQJXqQ9PPh96piDP/0N2SRYzNFi62WFBnn8uBwNJBNWwsrdt6GKyTdPszuy5AxfGWaQd7fOnhOFTHVl204bU8V29Ifc+1fqCShqdTtDAE/QnWKzR/8d5mA/5yUKhm6ip0V/hEgXwPcpjrlBjxkQNGAwPQvto5tu7QSnQUtoo0rkWUpwznan1TFpB+hq1+0PngJfleJdHXjYb5DThlFLy7kigFvYuRIkzdEO+j8hFuXYVQceS/sw==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=hTKVQx3g0DNIMIBckUhZBcEWumL0Uzie8AvhI3YjEE4=; b=WNphd5Knq2JC8uVEQVdySgRx0TMZUWRpyY0MipgWu+Dp7dfu/lKE9UjrfeX9kYCPR/tBhWQP7FphRIx1a+SdFMO6pJ9QGaENfftaSI48yYihUV58Qhi5ByiqmPSCP1cSOxZMWr7qp6gaqlc2ZMo54zFBQtglLYGqKGV8DbmppePIjTBb+PWUMu05TCt7Ycro/l9ZInjKUtuflRbDg8gLrAQXTHsYZAnDGA6wS2GeNnrtWjiuv/Ldhsvyr2ex+aYcdZiX40br+n68EShAqOv0GgcH1CU/pzr9OvDy/6X2GUmW2xjXk+jkS9DVvfN5kIAAx23+1F13rc3SnnT74b8zKQ==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=EZqQVAp9pvDTva3kyDU0xWKJ3ZutlgJv11lisuMtFptt0mklNXjM+aar/0TJobmYnY93E3RlHoykyR52XvyNoZASuH30f6X27q5ZHSBDi0YaBQish4ietkddM1a3nW2r6ZOUDtqautKkdso8So2HHbgKa/0zIJPFwUJiiF0icjJ8ho36MxyigkjBr+30ImOM1/ZdO2sZOmJJ/DmKgaUgV3GdircI19yef28s1Fp0EMM88kZdVEFPoRnLYoIfmsuX5EfZ263lUkh9c4pfQHaCOxmGnb5LFjgdb9wFoNLW1pO6+H2mM31GfZoVqySvzUlrgOT1Dr7LCu56CPTSxm+VfA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZT/haiCQ+VGNCp/oi03Zj/1KqM/2ZJwR1hE6i0rIw23q51WUevZgQthHRo62oc2qfZ5iEThyjcOPdcpKDFDw+SAuiL/rKfsphiuVGvCl9CFlw2MFRI1ZxNMZgIRwp76knx3iogEpBLD0nyCRZ4yEoK4jROtcGy9O2MczfI3ehfNIJbw95ehczlzgE12eioe8LLCJSKRDJIrhu1sv/zqc4/vtpHkvM+sac19Kefk2Bnr0zBp3U3jPPWwr4UBPnCsCFVUBfo+wzAjkpTWjloFwKM10GZhNK5DeOijcuhMxVAfhgIkUpC8SDzelcZE+3LQf760bQ4p5cLLTZF0y1lh/rw==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Wei Chen <Wei.Chen@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Mon, 04 Jul 2022 07:21:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHYhGQ84mRcoOoQ8UiRh2nj8rBdHq1e5e0AgAcJLcCAAE/NgIAHooTQ
  • Thread-topic: [PATCH v5 2/8] xen/arm: allocate static shared memory to the default owner dom_io
> -----Original Message-----
> From: Julien Grall <julien@xxxxxxx>
> Sent: Wednesday, June 29, 2022 6:35 PM
> To: Penny Zheng <Penny.Zheng@xxxxxxx>; xen-devel@xxxxxxxxxxxxxxxxxxxx
> Cc: Wei Chen <Wei.Chen@xxxxxxx>; Stefano Stabellini
> <sstabellini@xxxxxxxxxx>; Bertrand Marquis <Bertrand.Marquis@xxxxxxx>;
> Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>; Andrew Cooper
> <andrew.cooper3@xxxxxxxxxx>; George Dunlap <george.dunlap@xxxxxxxxxx>;
> Jan Beulich <jbeulich@xxxxxxxx>; Wei Liu <wl@xxxxxxx>
> Subject: Re: [PATCH v5 2/8] xen/arm: allocate static shared memory to the
> default owner dom_io
> 
> 
> 
> On 29/06/2022 08:13, Penny Zheng wrote:
> > Hi Julien
> 
> Hi Penny,
> 

Hi Julien
> >
> >> -----Original Message-----
> >> From: Julien Grall <julien@xxxxxxx>
> >> Sent: Saturday, June 25, 2022 2:22 AM
> >> To: Penny Zheng <Penny.Zheng@xxxxxxx>; xen-
> devel@xxxxxxxxxxxxxxxxxxxx
> >> Cc: Wei Chen <Wei.Chen@xxxxxxx>; Stefano Stabellini
> >> <sstabellini@xxxxxxxxxx>; Bertrand Marquis
> >> <Bertrand.Marquis@xxxxxxx>; Volodymyr Babchuk
> >> <Volodymyr_Babchuk@xxxxxxxx>; Andrew Cooper
> >> <andrew.cooper3@xxxxxxxxxx>; George Dunlap
> >> <george.dunlap@xxxxxxxxxx>; Jan Beulich <jbeulich@xxxxxxxx>; Wei Liu
> >> <wl@xxxxxxx>
> >> Subject: Re: [PATCH v5 2/8] xen/arm: allocate static shared memory to
> >> the default owner dom_io
> >>
> >> Hi Penny,
> >>
> >> On 20/06/2022 06:11, Penny Zheng wrote:
> >>> From: Penny Zheng <penny.zheng@xxxxxxx>
> >>>
> >>> This commit introduces process_shm to cope with static shared memory
> >>> in domain construction.
> >>>
> >>> DOMID_IO will be the default owner of memory pre-shared among
> >> multiple
> >>> domains at boot time, when no explicit owner is specified.
> >>
> >> The document in patch #1 suggest the page will be shared with
> dom_shared.
> >> But here you say "DOMID_IO".
> >>
> >> Which one is correct?
> >>
> >
> > I’ll fix the documentation, DOM_IO is the last call.
> >
> >>>
> >>> This commit only considers allocating static shared memory to dom_io
> >>> when owner domain is not explicitly defined in device tree, all the
> >>> left, including the "borrower" code path, the "explicit owner" code
> >>> path, shall be introduced later in the following patches.
> >>>
> >>> Signed-off-by: Penny Zheng <penny.zheng@xxxxxxx>
> >>> Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
> >>> ---
> >>> v5 change:
> >>> - refine in-code comment
> >>> ---
> >>> v4 change:
> >>> - no changes
> >>> ---
> >>> v3 change:
> >>> - refine in-code comment
> >>> ---
> >>> v2 change:
> >>> - instead of introducing a new system domain, reuse the existing
> >>> dom_io
> >>> - make dom_io a non-auto-translated domain, then no need to create
> >>> P2M for it
> >>> - change dom_io definition and make it wider to support static shm
> >>> here too
> >>> - introduce is_shm_allocated_to_domio to check whether static shm is
> >>> allocated yet, instead of using shm_mask bitmap
> >>> - add in-code comment
> >>> ---
> >>>    xen/arch/arm/domain_build.c | 132
> >> +++++++++++++++++++++++++++++++++++-
> >>>    xen/common/domain.c         |   3 +
> >>>    2 files changed, 134 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/xen/arch/arm/domain_build.c
> >>> b/xen/arch/arm/domain_build.c index 7ddd16c26d..91a5ace851 100644
> >>> --- a/xen/arch/arm/domain_build.c
> >>> +++ b/xen/arch/arm/domain_build.c
> >>> @@ -527,6 +527,10 @@ static bool __init
> >> append_static_memory_to_bank(struct domain *d,
> >>>        return true;
> >>>    }
> >>>
> >>> +/*
> >>> + * If cell is NULL, pbase and psize should hold valid values.
> >>> + * Otherwise, cell will be populated together with pbase and psize.
> >>> + */
> >>>    static mfn_t __init acquire_static_memory_bank(struct domain *d,
> >>>                                                   const __be32 **cell,
> >>>                                                   u32 addr_cells,
> >>> u32 size_cells, @@ -535,7 +539,8 @@ static mfn_t __init
> >> acquire_static_memory_bank(struct domain *d,
> >>>        mfn_t smfn;
> >>>        int res;
> >>>
> >>> -    device_tree_get_reg(cell, addr_cells, size_cells, pbase, psize);
> >>> +    if ( cell )
> >>> +        device_tree_get_reg(cell, addr_cells, size_cells, pbase,
> >>> + psize);
> >>
> >> I think this is a bit of a hack. To me it sounds like this should be
> >> moved out to a separate helper. This will also make the interface of
> >> acquire_shared_memory_bank() less questionable (see below).
> >>
> >
> > Ok,  I'll try to not reuse acquire_static_memory_bank in
> > acquire_shared_memory_bank.
> 
> I am OK with that so long it doesn't involve too much duplication.
> 
> >>>        ASSERT(IS_ALIGNED(*pbase, PAGE_SIZE) && IS_ALIGNED(*psize,
> >>> PAGE_SIZE));
> >>
> >> In the context of your series, who is checking that both psize and
> >> pbase are suitably aligned?
> >>
> >
> > Actually, the whole parsing process is redundant for the static shared
> memory.
> > I've already parsed it and checked it before in process_shm.
> 
> I looked at process_shm() and couldn't find any code that would check pbase
> and psize are suitable aligned (ASSERT() doesn't count).
> 
> >
> >>> +    return true;
> >>> +}
> >>> +
> >>> +static mfn_t __init acquire_shared_memory_bank(struct domain *d,
> >>> +                                               u32 addr_cells, u32 
> >>> size_cells,
> >>> +                                               paddr_t *pbase,
> >>> +paddr_t *psize)
> >>
> >> There is something that doesn't add-up in this interface. The use of
> >> pointer implies that pbase and psize may be modified by the function. So...
> >>
> >
> > Just like you points out before, it's a bit hacky to use
> > acquire_static_memory_bank, and the pointer used here is also due to
> > it. Internal parsing process of acquire_static_memory_bank needs pointer
> to deliver the result.
> >
> > I’ll rewrite acquire_shared_memory, and it will be like:
> > "
> > static mfn_t __init acquire_shared_memory_bank(struct domain *d,
> >                                                 paddr_t pbase, paddr_t
> > psize) {
> >      mfn_t smfn;
> >      unsigned long nr_pfns;
> >      int res;
> >
> >      /*
> >       * Pages of statically shared memory shall be included
> >       * in domain_tot_pages().
> >       */
> >      nr_pfns = PFN_DOWN(psize);
> >      if ( d->max_page + nr_pfns > UINT_MAX )
> 
> On Arm32, this check would always be true a 32-bit unsigned value is always
> below UINT_MAX. On arm64, you might get away because nr_pfns is
> unsigned long (so I think the type promotion works). But this is fragile.
> 
> I would suggest to use the following check:
> 
> (UINT_MAX - d->max_page) < nr_pfns
> 
> >      {
> >          printk(XENLOG_ERR "%pd: Over-allocation for d->max_pages: %lu.\n",
> >                 d, psize);
> >          return INVALID_MFN;
> >      }
> >      d->max_pages += nr_pfns;
> >
> >      smfn = maddr_to_mfn(pbase);
> >      res = acquire_domstatic_pages(d, smfn, nr_pfns, 0);
> >      if ( res )
> >      {
> >          printk(XENLOG_ERR
> >                 "%pd: failed to acquire static memory: %d.\n", d, res);
> >          return INVALID_MFN;
> >      }
> >
> >      return smfn
> > }
> > "
> >
> >>> +{
> >>> +    /*
> >>> +     * Pages of statically shared memory shall be included
> >>> +     * in domain_tot_pages().
> >>> +     */
> >>> +    d->max_pages += PFN_DOWN(*psize);
> >>
> >> ... it sounds a bit strange to use psize here. If psize, can't be
> >> modified than it should probably not be a pointer.
> >>
> >> Also, where do you check that d->max_pages will not overflow?
> >>
> >
> > I'll check the overflow as follows:
> 
> See above about the check.
> 
> > "
> >      nr_pfns = PFN_DOWN(psize);
> >      if ( d->max_page + nr_pfns > UINT_MAX )
> >      {
> >          printk(XENLOG_ERR "%pd: Over-allocation for d->max_pages: %lu.\n",
> >                 d, psize);
> >          return INVALID_MFN;
> >      }
> >      d->max_pages += nr_pfns;
> > "
> >
> >>> +
> >>> +    return acquire_static_memory_bank(d, NULL, addr_cells, size_cells,
> >>> +                                      pbase, psize);
> >>> +
> >>> +}
> >>> +
> >>> +/*
> >>> + * Func allocate_shared_memory is supposed to be only called
> >>
> >> I am a bit concerned with the word "supposed". Are you implying that
> >> it may be called by someone that is not the owner? If not, then it
> >> should be "should".
> >>
> >> Also NIT: Spell out completely "func". I.e "The function".
> >>
> >>> + * from the owner.
> >>
> >> I read from as "current should be the owner". But I guess this is not
> >> what you mean here. Instead it looks like you mean "d" is the owner.
> >> So I would write "d should be the owner of the shared area".
> >>
> >> It would be good to have a check/ASSERT confirm this (assuming this
> >> is easy to write).
> >>
> >
> > The check is already in the calling path, I guess...
> 
> Can you please confirm it?
> 

I mean that allocate_shared_memory is only called under the following 
condition, and
it confirms it is the right owner.
"
        if ( (owner_dom_io && !is_shm_allocated_to_domio(pbase)) ||
             (!owner_dom_io && strcmp(role_str, "owner") == 0) )
        {
            /* Allocate statically shared pages to the owner domain. */
            ret = allocate_shared_memory(owner_dom_io ? dom_io : d,
                                         addr_cells, size_cells,
                                         pbase, psize, gbase);
"

TBH, apart from that, I don't know how to check if the input d is the right 
owner, or am I
misunderstanding some your suggestion here?
 
> [...]
> 
> >>> +        prop = dt_find_property(shm_node, "xen,shared-mem", NULL);
> >>> +        if ( !prop )
> >>> +        {
> >>> +            printk("Shared memory node does not provide
> >>> + \"xen,shared-
> >> mem\" property.\n");
> >>> +            return -ENOENT;
> >>> +        }
> >>> +        cells = (const __be32 *)prop->value;
> >>> +        /* xen,shared-mem = <pbase, psize, gbase>; */
> >>> +        device_tree_get_reg(&cells, addr_cells, size_cells, &pbase, 
> >>> &psize);
> >>> +        ASSERT(IS_ALIGNED(pbase, PAGE_SIZE) && IS_ALIGNED(psize,
> >>> + PAGE_SIZE));
> >>
> >> See above about what ASSERT()s are for.
> >>
> >
> > Do you think address was suitably checked here, is it enough?
> 
> As I wrote before, ASSERT() should not be used to check user inputs.
> They need to happen in both debug and production build.
> 
> > If it is enough, I'll modify above ASSERT() to mfn_valid()
> 
> It is not clear what ASSERT() you are referring to.
> 

For whether page is aligned, I will add the below check:
"
        if ( !IS_ALIGNED(pbase, PAGE_SIZE) || !IS_ALIGNED(psize, PAGE_SIZE) ||
             !IS_ALIGNED(gbase, PAGE_SIZE) )
        {
            printk("%pd: physical address %lu, size %lu or guest address %lu is 
not suitably aligned.\n",
                   d, pbase, psize, gbase);
            return -EINVAL;
        }
"
For whether the whole address range is valid, I will add the below check:
"
        for ( i = 0; i < PFN_DOWN(psize); i++ )
            if ( !mfn_valid(mfn_add(maddr_to_mfn(pbase), i)) )
            {
                printk("%pd: invalid physical address %"PRI_paddr" or size 
%"PRI_paddr"\n",
                       d, pbase, psize);
                return -EINVAL;
            }
"
> Cheers,
> 
> --
> Julien Grall

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.