[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.17?] x86/paging: return -EINVAL for paging domctls for dying domains

  • To: Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • From: Edwin Torok <edvin.torok@xxxxxxxxxx>
  • Date: Tue, 8 Nov 2022 17:30:51 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zxAQ4QUhzyfeN2nctawIFuF2BRi3JbLtPJDQWxUPQzA=; b=ZcI3WL0aotarJ1/07M0FEiFdrv2XR2P5AWnOMnbqnobUUgkm3Q3GU6NFBsrEgmdJwg5J9CNuSQ4AQ0ou/BY6jwIQH0HhNktvUs1PusaMybf7YJ/iONOrQQwBa+JcDLMvWiPdRahmwZsCUVmQIwE8PAtPUeb9VtZzJa6UVZu1qmW+Z375SIhxicD3yGnOzfEpJ02sjAUMjGlaq1kvIiKOAKz6aSix6xP8ALCKAWytXB1bPMRXnsyJnc+1rf0WvDnOaL6yZWyzYg49bejttoHQZb8Eqnw04fBM8YsYbOEiY8x8EanXCDOoOfrU2iRlQCpP+Keiz6/A+C9F6HhQAAC/8w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=g06cO74C9k9XEkrKkepfHlG0m8nq/pZ0p64hb4qooSiHF9j+XfyjTuAPOz3kaJhS+6mY/vrOdfEr0Hw/Lb3N0WYos3KSbmNTobqJmeojJ61xErTnLUFCrV6/hKGOXONU77fhIIpWjhbd23fcmQJPNQKtYiFJbAJQOZ9qHUC8PPo29SzX7y/fXtu9MQH0tgcdnmLAydI6phvr4UPanM14COkqeOG7h+I0TpF+VzVVONyr9XOp/kYkUmNh0ZrdwEnlpUjbD9qsKd44yI0vM/XcPO/9yJ934jiC9HGvGQWTGbRcupKkWyujkcrEm8EVeqnHPM+e8ToSdRNyrfRBkWZz6Q==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, "Henry.Wang@xxxxxxx" <Henry.Wang@xxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 08 Nov 2022 17:31:14 +0000
  • Ironport-data: A9a23:Bxmvxao8yGqhvALwbLGucWL4tYVeBmIqZBIvgKrLsJaIsI4StFCzt garIBnUOKrbZjOgfNEiYd+0p0kB65ODyIUyHgFv+yw2EHkW95uZCYyVIHmrMnLJJKUvbq7FA +Y2MYCccZ9uHhcwgj/3b9ANeFEljfngqoLUUbKCYWYpAFc+E0/NsDo788YhmIlknNOlNA2Ev NL2sqX3NUSsnjV5KQr40YrawP9UlKm06W1wUmAWP6gR5gaHzylNVvrzGInqR5fGatgMdgKFb 76rIIGRpgvx4xorA9W5pbf3GmVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0MC+7vw6hjdFpo OihgLTrIesf0g8gr8xGO/VQO3kW0aSrY9YrK1Dn2SCY5xWun3cBX5yCpaz5VGEV0r8fPI1Ay RAXABALRRGdpPu6/LemZrlyvfQ5LeLWNpxK7xmMzRmBZRonabbqZvyQoPpnhnI3jM0IGuvCb c0EbzYpdA7HfxBEJlYQDtQ5gfusgX78NTZfrTp5p4JuuzSVkFM3juarbIe9lt+iHK25mm6Vq nzH+SLlBQsdN/SUyCaf82LqjejK9c/+cNJOROHgrq8x6LGV7ksaGhgZcxyEmKm8sW6kQ+hzD W4M4TV7+MDe82TuFLERRSaQonSJoxodUNp4CPAh5UeGza+8yyaUAHIVCAFIbtMOvdUzAzct0 zehgNfBFTFp9rqPRhq15rqS6D+/JyURBWsDfjMfCxsI5cH5p4M+hQ6JScxseJNZlfXwEDD0h jWV9i43guxJidZRj/nmu1fanziru57FCBYv4RnaVX6k6QU/Y5O5Y4uv6h7Q6vMowJulc2Rtd UMsw6C2hN3ix7nW/MBRaI3hxI2U2ss=
  • Ironport-hdrordr: A9a23:C2VOj6m7pw3tJu6LZhHSvrZNN3TpDfOPimdD5ihNYBxZY6Wkfp +V8cjzhCWftN9OYhodcIi7SdK9qXO1z+8X3WGIVY3SETUOy1HYVr2KirGSjwEIeheOvNK1sJ 0NT0EQMqyWMbEXt6fHCUyDYq4dKbq8ge+VbIXlvhFQpGhRAskOgTuRSDzra3GeLzM2Z6bRYa Dsgvav0ADQHEj/AP7aOlA1G8z44/HbnpPvZhALQzQ97hOVsD+u4LnmVzCFwxY3SVp0sPYf2F mAtza8yrSosvm9xBOZ/XTU9Y5qlNzozcYGLNCQi/ISNi7nhm+TFcRcsvy5zXMISdOUmRMXee r30lMd1gNImjTsl1SO0FnQMs/boXATAjHZuAalaDDY0LHErXoBerZ8bMRiA1XkAgMbza9B+b MO0GSDu5VNCxTc2Cz7+tjTThlv0lG5uHw4jIco/jViuRt3Us4vkWUzxjIjLH47JlON1Kk3VO 11SM3M7vdfdl2XK3jfo2l02dSpGnA+BA2PTEQOstGcl2E+pgEz82IIgMgE2nsQ/pM0TJdJo+ zCL6RzjblLCssbd7h0CusNSda+TmbNXRXPOmSPJkmPLtBOB1vd75rspLkl7uCjf5IFiJM0hZ TaSVtd8XU/fkr/YPf+qKGjMiq9NVlVcQ6duf22vaIJy4EUbICbQRGrWRQpj9aqpekZD4nSR+ uzUagmccPeEQ==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHY82a4odYEEDJCoUOUarTvbCvSoq41M5sAgAAIFoCAAA0ngA==
  • Thread-topic: [PATCH for-4.17?] x86/paging: return -EINVAL for paging domctls for dying domains

> On 8 Nov 2022, at 16:43, Roger Pau Monne <roger.pau@xxxxxxxxxx> wrote:
> 
> On Tue, Nov 08, 2022 at 05:14:40PM +0100, Jan Beulich wrote:
>> On 08.11.2022 12:38, Roger Pau Monne wrote:
>>> Like on the Arm side, return -EINVAL when attempting to do a p2m
>>> operation on dying domains.
>>> 
>>> The current logic returns 0 and leaves the domctl parameter
>>> uninitialized for any parameter fetching operations (like the
>>> GET_ALLOCATION operation), which is not helpful from a toolstack point
>>> of view, because there's no indication that the data hasn't been
>>> fetched.
>> 
>> While I can see how the present behavior is problematic when it comes
>> to consuming supposedly returned data, ...
>> 
>>> --- a/xen/arch/x86/mm/paging.c
>>> +++ b/xen/arch/x86/mm/paging.c
>>> @@ -694,9 +694,10 @@ int paging_domctl(struct domain *d, struct 
>>> xen_domctl_shadow_op *sc,
>>> 
>>>     if ( unlikely(d->is_dying) )
>>>     {
>>> -        gdprintk(XENLOG_INFO, "Ignoring paging op on dying domain %u\n",
>>> +        gdprintk(XENLOG_INFO,
>>> +                 "Tried to do a paging domctl op on dying domain %u\n",
>>>                  d->domain_id);
>>> -        return 0;
>>> +        return -EINVAL;
>>>     }
>> 
>> ... going from "success" to "failure" here has a meaningful risk of
>> regressing callers. It is my understanding that it was deliberate to
>> mimic success in this case (without meaning to assign "good" or "bad"
>> to that decision).
> 
> I would assume that was the original intention, yes, albeit the commit
> message doesn't go into details about why mimicking success is
> required, it's very well possible the code relying on this was xend.
> 
>> Can you instead fill the data to be returned in
>> some simple enough way? I assume a mere memset() isn't going to be
>> good enough, though (albeit public/domctl.h doesn't explicitly name
>> any input-only fields, so it may not be necessary to preserve
>> anything). Maybe zeroing ->mb and ->stats would do?
> 
> Hm, it still feels kind of wrong.

Without the fix in the bindings (and any fixup in other toolstacks as needed, I 
haven't checked): 
https://lore.kernel.org/xen-devel/94f93ee61a4d0bd2fac3f5a753cb935962be20bb.1667920496.git.edvin.torok@xxxxxxxxxx/T/#u
a value of 0 here might still cause things to go subtly wrong, i.e. cause the 
HVM shadow multiplier of a VM to decrease, although I think there are 
safeguards against it going below 1.0.
However a ->mb value of all zeroes is much easier to debug (and detect!) than a 
completely uninitialised value.

I'd prefer if the return value of domctls could be trusted to mean that 0 = all 
values are initialized on output, and to be potentially uninitialised only on 
failure.
There are a lot of other calls with similar pattern (particularly around vcpu, 
which will go down a different path) in the xenctrl bindings, and I haven't 
checked them all yet, but it'd be a good rule of thumb if the behaviour was 
consistent with other hypercalls/domctls.


>  We do return errors elsewhere for
> operations attempted against dying domains, and that seems all fine,
> not sure why paging operations need to be different in this regard.
> Arm does also return -EINVAL in that case.

How about we return EINVAL *and* in DEBUG builds fill the struct with an easily 
recognizable poison value?

> 
> So what about postponing this change to 4.18 in order to avoid
> surprises, but then taking it in its current form at the start of the
> development window, as to have time to detect any issues?
> 
>> As a minor remark: _If_ you're changing the printk(), then please
>> also switch to using %pd.
> 
> I've considered this, but then printing: "Tried to do a paging domctl
> op on dying domain dX" felt kind of repetitive to me because of the
> usage of domain and dX in the same sentence.  Anyway, will adjust.
> 
> Thanks, Roger.

Thanks,
--Edwin

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.