[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the p2m pool size

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Wed, 26 Oct 2022 22:24:50 +0100
Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, Anthony Perard <anthony.perard@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 26 Oct 2022 21:25:15 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Andrew,

On 26/10/2022 20:22, Andrew Cooper wrote:

--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -345,6 +345,16 @@ unsigned int hap_get_allocation(struct domain *d)
              + ((pg & ((1 << (20 - PAGE_SHIFT)) - 1)) ? 1 : 0));
  }

+int hap_get_allocation_bytes(struct domain *d, uint64_t *size)

+{
+    unsigned long pages = (d->arch.paging.hap.total_pages +
+                           d->arch.paging.hap.p2m_pages);

Unlike for Arm no ACCESS_ONCE() here? Also the addition can in
principle overflow, because being done only in 32 bits.


I'm not actually convinced ARM needs ACCESS_ONCE() to begin with.  I
can't see any legal transformation of that logic which could result in a
torn load.

AFAIU, ACCESS_ONCE() is not only about torn load but also making surethat the compiler will only read the value once.

When LTO is enabled (not yet supported) in Xen, can we guarantee thecompiler will not try to access total_pages twice (obviously it would becaller dependent)?

With that in mind, when LTO is enabled on Linux arm64, theimplementation of READ_ONCE() is not a simple (volatile *) to preventthe compiler to do harmful convertion. Possibly something we will needto consider in Xen in the future if we enable LTO. In this context, theACCESS_ONCE() would make sense because we don't know (or should notassume) how the caller will use it.

Regardless that, I think using ACCESS_ONCE() help to document how thevariable should be used. This will reduce the risk that someone decidesto add a new use total_pages like below:


val = d->arch.paging.total_pages;

if ( val == 0 )
  return ...

/* use val */

AFAIU, a compiler would be allow to read total_pages twice here. Whichis not what we would want. I am ready to bet this will be missed.

So consistency here is IMO much better. An alternative would be todocument why we think the compiler would not be naughty.


Cheers,

--
Julien Grall

Follow-Ups:
- Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the p2m pool size
  - From: Jan Beulich

References:
- [PATCH for-4.17 0/4] XSA-409 fixes
  - From: Andrew Cooper
- [PATCH 1/4] xen: Introduce non-broken hypercalls for the p2m pool size
  - From: Andrew Cooper
- Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the p2m pool size
  - From: Jan Beulich
- Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the p2m pool size
  - From: Andrew Cooper

Prev by Date: [xen-4.13-testing test] 174411: regressions - FAIL
Next by Date: [ovmf test] 174468: all pass - PUSHED
Previous by thread: Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the p2m pool size
Next by thread: Re: [PATCH 1/4] xen: Introduce non-broken hypercalls for the p2m pool size
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.