Xen project Mailing List

Re: [PATCH 2/8] x86/shadow: properly handle get_page() failing

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Thu, 28 Jul 2022 08:12:55 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GEtgO99dbcglkKouCHuwMDT3wwTwuScGtyOxb3zIuPU=; b=aHnheZj71Z6lsuJRaJhM0dRZs6CWCFZo9Ra6QvcTggd6gMm36IizmpnWjdp7Bavto1le49vhBUx/BWJgD/bI2RgasA2wNqBedfL05Wl5Zk6wtjJ8X4nQxsZ05wna0WzqY4T16GG2uzZT5vXBMV0ALLWDNgbe3xvdx7ha+hGU3zcGYhhCEj/tPsVbB/B4/bSFM8T6c4jlyYYtEVb1NeN6NZ5jrJ+9Y88+mm7PZjgF1L/qkiyga90AN1avHh3FD1H9vmYQSAkst2O+hMWVAoreI5wqY95y6QdFQUHViHOS7+K0usgU9/3i+2Mskf3J5yiAtyuSj2usMFh3pUpd/IQyww==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=l/QgJEYr8EsTlhLze2ApEbO0ZMevwFBZoYV6rCnM2G8Al+j0gAayo/UCHTG9XtElurSuh1oQCsPXX5uEvIlhsforlynGlbEHrWsOA/fsSq8g51u9AUIKtsj+toyTQR7SRrdKKQ7yxFWacTyMjadGaz5DQQp/8gi4ZTAABxsL0hLvPTzQUJpXYEBt8gVcgESVrwxveAJPSbxhwk1kOIV6WaqNlTsiuJ81BoHFmtQlncXUJ0H8hmRhF40zZ/9qU2ZBj45tvYQJeAjMyAWjau1k3h0LhjoosT0Awa7BnKfHEpxOHGOjGSmemVOr6wDRoz2yq8+7cQonsECOFChvADMXJQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, "Tim (Xen.org)" <tim@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 28 Jul 2022 06:13:07 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 27.07.2022 21:06, Andrew Cooper wrote: > On 27/07/2022 13:53, Jan Beulich wrote: >> On 27.07.2022 14:46, Andrew Cooper wrote: >>> On 26/07/2022 17:04, Jan Beulich wrote: >>>> --- a/xen/arch/x86/mm/shadow/multi.c >>>> +++ b/xen/arch/x86/mm/shadow/multi.c >>>> @@ -132,7 +132,8 @@ delete_fl1_shadow_status(struct domain * >>>> SHADOW_PRINTK("gfn=%"SH_PRI_gfn", type=%08x, smfn=%"PRI_mfn"\n", >>>> gfn_x(gfn), SH_type_fl1_shadow, mfn_x(smfn)); >>>> ASSERT(mfn_to_page(smfn)->u.sh.head); >>>> - shadow_hash_delete(d, gfn_x(gfn), SH_type_fl1_shadow, smfn); >>>> + if ( !shadow_hash_delete(d, gfn_x(gfn), SH_type_fl1_shadow, smfn) ) >>>> + ASSERT_UNREACHABLE(); >>> I'd recommend crashing the domain here too. I know the we've already >>> got the return value we want, but this represents corruption in the >>> shadow pagetable metadata, and I highly doubt it is safe to let the >>> guest continue to execute in such circumstances. >> I'm happy to add or convert, but please clarify: DYM in addition to >> the assertion or in place of it? > > Erm pass. > > We still don't have a sensible construct for ASSERT_OR_DOMAIN_CRASH(), > or a well-thought-through piece of guidance. > > Probably keep the ASSERT() ? Almost all state checking in the shadow > code is via asserts. Meanwhile I was actually leaning towards dropping the assertion. The goal is to catch attention when things go wrong. A suddenly dying domain surely ought to be as noticable as an assertion triggering. > Mostly what I'm concerned by is it feeling weird to have one path which > only domain crashes, and one path which only asserts. I'm afraid I've not been successful in determining which other path it is you're referring to. If I knew, I might be up for converting that as well (not in this same patch, perhaps). I don't think you mean set_shadow_status(), since there we can't validly ASSERT(), as the condition is (in principle) guest controllable. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.