[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH][4.17] x86/shadow: drop (replace) bogus assertions
- To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Fri, 14 Oct 2022 10:02:36 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=c7LG7/wLOFe8/Mu52FLx9+uc+gxfDHeQDPJap9EXJEk=; b=hs3rIHDMfoeqJjj70rcsxy6ZPdSbPo6kn536nkndV+iIggaakPK4MGtwalW+p1C4C07XCSbYYqSbFtrZleC9vpGfkodEiWnSrSJ3rA2uG5BEx0Hz3XkhKUpzhVtcPg1I2DzbAL2hAYjAz7W+z/Pk1JSLoiU9pfco74+a/LLhLPqb/k5YE3BITHNZPAi71p76BSfZCA89qtb03k043slo2+/HvBrXdzNf12rB7AH4qaiTJrsK1LxTwlyJNuXef311CZywByrOGa4+rDjkDdAJnZtCY1O8eOhgEltB4hVVqtOLFao1MJQ/pCRcKCLXOnb/t2B7TR7wxx0OfLc566OPbg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PIlLaGHjdMVJQdecwYnBCrr36ibCowFE+jujJ5uTQWYmDJ+SbZQGFimMe1FwLdCFAZnVQoJB0u3SMn3x5Xslz6eGiT/BT9YrL2R2LpYAraF6+FNFCwpJlVHlMxW2K0AWM9joaPw56ArMFmEikuns3Jcp8E0rODPSDoIFzSk9b3rYwQmuTg03UUixjKVFLlQrvjx6KCVbaQrtPcWyl4BhH2Wn0vTCSqKb6+LhHAxdwJW00Vm3NJdaYowSMkLTHdL/2Zxou/OkcnhlLgmQ2R7ctmiLx46FBX0TYyxcza+QWGoFzXa9nRKJ74z0YjtcGU+By3PXSmHJ+G6L3Voe9rw/Iw==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "Tim (Xen.org)" <tim@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>
- Delivery-date: Fri, 14 Oct 2022 10:02:56 +0000
- Ironport-data: A9a23:S7GJCqnFRAtul+fOsAUpKyXo5gxAJ0RdPkR7XQ2eYbSJt1+Wr1Gzt xIXXTiFOqyNNDD0KtElbIXi8UpV656Dn4QyGwY9pC40FiMWpZLJC+rCIxarNUt+DCFhoGFPt JxCN4aafKjYaleG+39B55C49SEUOZmgH+a6UqicUsxIbVcMYD87jh5+kPIOjIdtgNyoayuAo tq3qMDEULOf82cc3lk8tuTS9XuDgNyo4GlC5wRnOagR1LPjvyJ94Kw3dPnZw0TQGuG4LsbiL 87fwbew+H/u/htFIrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRrukoPD9IOaF8/ttm8t4sZJ OOhF3CHYVxB0qXkwIzxWvTDes10FfUuFLTveRBTvSEPpqFvnrSFL/hGVSkL0YMkFulfL0JDp KwlBm4xKRG8lebu7LaKU/M0mZF2RCXrFNt3VnBI6xj8VKxja7aTBqLA6JlfwSs6gd1IEbDGf c0FZDFzbRPGJRpSJlMQD5F4l+Ct7pX9W2QA9BTJ+uxqvi6Kk1EZPLvFabI5fvSjQ8lPk1nej WXB52njWTkRNcCFyCrD+XWp7gPKtXOiCN5JTuHmnhJsqAXC30tJFS8JbH6mkeao1VyRRu1fA WVBr0LCqoB3riRHVOLVXRe1vXqFtR40QMdLHqsx7wTl4rrZ5UOVC3YJShZFacc6r4kmSDoyz FiLktj1Qzt1v9W9Vna15rqS6zSoNkA9MW4HTT8JS00C+daLiKE+iAjeCOlqFqGdh8fwXzr3x li3QDMWgrwSiYsB0fW99FWe2Ta0/MGWE0gy+xndWX+j4kVhfom5aoe06F/dq/FdMIKeSVrHt 38B8ySD0N0z4Vi2vHTlaI0w8HuBvp5p7BW0bYZTIqQc
- Ironport-hdrordr: A9a23:P4jFv611TxmwsPQHa7NwlwqjBetxeYIsimQD101hICG9Lfb0qy n+pp4mPEHP4wr5AEtQ4uxpOMG7MBDhHQYc2/hcAV7QZnidhILOFvAs0WKC+UysJ8SazIJgPM hbAs9D4bHLbGSSyPyKmDVQcOxQjuVvkprY49s2pk0FJW4FV0gj1XYBNu/xKDwVeOAyP+tcKH Pq3Lsjm9PPQxQqR/X+IkNAc/nIptXNmp6jSwUBHQQb5A6Hii7twKLmEjCDty1uEw9n8PMHyy zoggb57qKsv7WQ0RnHzVLe6JxQhZ/I1sZDPsqRkcIYQw+cyTpAJb4RGYFqjgpF5N1H22xa1+ UkZC1Qefib3kmhO11dZyGdgjUIngxes0MKgmXo/EcL6faJOA7STfAxxL6xOyGplXbJ9rtHod 129nPcuJxNARzamiPho9DOShFxj0Kx5WEviOgJkhVkIMMjgRBq3P4iFW5uYeE99RjBmckaOf grCNuZ6OddcFucYXyctm5zwMa0VnB2GhudWEANtsGczjATxRlCvgEl7d1amm1F+IM2SpFC6e iBOqN0lKtWRstTaa5mHu8OTca+F2SISxPRN2CZJ0jhCcg8Sjnwgo+y5K9w6PCheZQOwpd3kJ PdUElAvWp3YE7qAd3m5uw9zvkMehTIYd3A8LAs23EigMyMeFPCC1zydHk+1829vv4YHsrXH/ 6uJZM+OY6XEVfT
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHY36n1ImS1A0wmBkizaWL20LNyZ64NqNcA
- Thread-topic: [PATCH][4.17] x86/shadow: drop (replace) bogus assertions
On 14/10/2022 09:49, Jan Beulich wrote:
> The addition of a call to shadow_blow_tables() from shadow_teardown()
> has resulted in the "no vcpus" related assertion becoming triggerable:
> If domain_create() fails with at least one page successfully allocated
> in the course of shadow_enable(), or if domain_create() succeeds and
> the domain is then killed without ever invoking XEN_DOMCTL_max_vcpus.
It warrants pointing out that are unit tests in the tree which do
exactly this.
> The assertion's comment was bogus anyway: Shadow mode has been getting
> enabled before allocation of vCPU-s for quite some time.
I agree with the principle of what you're saying, but I don't think it's
accurate.
Shadow (vs hap) has always been part of domain create. But we've always
had a problem where we need to wait for a shadow op to allocate some
shadow memory before various domain-centric operations can proceed.
As with the ARM GICv2 issues, we do want to address this and let
domain_create() (or some continuable version of it) allocate the bare
minimum shadow pool size, which simplifies a load of other codepaths.
> Convert the
> assertion to a conditional: As long as there are no vCPU-s, there's
> nothing to blow away.
>
> Fixes: e7aa55c0aab3 ("x86/p2m: free the paging memory pool preemptively")
> Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>
> A similar assertion/comment pair exists in _shadow_prealloc(); the
> comment is similarly bogus, and the assertion could in principle trigger
> e.g. when shadow_alloc_p2m_page() is called early enough. Replace those
> at the same time by a similar early return, here indicating failure to
> the caller (which will generally lead to the domain being crashed in
> shadow_prealloc()).
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> While in shadow_blow_tables() the option exists to simply remove the
> assertion without adding a new conditional (the two loops simply will
> do nothing), the same isn't true for _shadow_prealloc(): There we
> would then trigger the ASSERT_UNREACHABLE() near the end of the
> function.
IMO, blow_tables() has no business caring about vcpus. It should be
idempotent, and ideally wants to be left in a state where it doesn't
need modifying when the aformentioned create changes happen.
For prealloc(), I'd argue that it shouldn't care, but as this is a
bugfix to an XSA, leaving it in this form for now is the safer course of
action. Whomever cleans up the create path can do the work to ensure
that all prealloc() paths are safe before vcpus are allocated.
~Andrew
|
