[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3] vpci/msix: handle accesses adjacent to the MSI-X table

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Thu, 23 Mar 2023 11:06:51 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LAKYC68n1DiZSxSGHewFC0uhZ+ZAscd6UiVzbODC32E=; b=mRkbfp0QKrNHIuBJkWRi6Q4lQAX/C29DNveDpixR0XdtiULF8exOP0BjbZfb3jqxOFmGTY4a+jZFOyo5tpCEse07hMzlc8K5pJa2t33LboerGXJYU8f1usHdZvDeQKExGwsuSJDU/qBNH0UO8WAOd/hy95NhFNU2ApjFsKhHPy/M6b69BEcjJ/1SfM1yAc6S6G22ACYl2IIHf89SiRNZiO4UuLFvtw/B3NzRYb8xPd76P320I1xXgwwxAjDMejiwUfIzOPDVArx3gtaXHzzeHPTEw8h8+AdKb3OkFywkXyGQhBLsBx1Guq0DCkqASv0dX7Hs5DdC75QmGKel09l6Jg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=k/2qvdtjq405hSmw8xX10y+XYB/pRBrgUZW6cwak7HrxcpdKlVxUvZkOFQhEPhW0mO/HyMAvelKWX3/6wloicIJRNGID7cyJYuvnZFbj9ozVOkO+uFzHfua8AeU8HmUqpnYYu3eVqd/gEm9gteJjLcYPGtS+HYvOd/BMf0ndzeY4jIzjDi0jSqR7HAoDP7erCbhUI/1jw+LDDTycqmFKtlCvWidtnaV068C+1KHzZMfEw3cm9grJnK3IijLcTMzgwZiFiIu7tODKEkCz+sRkx8Y1s7T0LHoDN76baVvBlOtaKOz0Nz2Pg0jbWBgI4cLmRGRcfLvgWEElsoiUZHeqNg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 23 Mar 2023 10:07:44 +0000
  • Ironport-data: A9a23:MhaqeqMfR1r/x1fvrR23lsFynXyQoLVcMsEvi/4bfWQNrUohhTJRy GYXD2CEP/+MazD9KYtyYIu3oRlU7Z7QnIdkSwto+SlhQUwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CU6jufQAOKnUoYoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE/ Nj/uKUzAnf8s9JPGj9SuvLrRC9H5qyo42tD5AdmPJingXeF/5UrJMNHTU2OByOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0TJvsEAXq7vh3S9zxHJ HehgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/ZqAJGpfh66wGMa04AWEX0t1eKlhis voSFGxXKQqZu9qv5LzjZtA506zPLOGzVG8ekldJ6GmDSNwAGNXESaiM4sJE1jAtgMwIBezZe 8cSdTtoalLHfgFLPVAUTpk5mY9EhFGmK2Ee9A3T+PNxvzC7IA9ZidABNPLPfdOHX4NNl1uwr WPa5WXpRBodMbRzzBLcqijw37eRwn2TtIQ6L+Oy1OVzhgCvwUssCj5HU2m6oPS+hRvrMz5YA wlOksY0loAw/kG2Stj2XzWjvWWJ+BUbXrJ4A+A8rQ2A1KfQywKYHXQfCC5MbsQ8s807TiBs0 UWG9+4FHhRqubyRDHibr7GdqGvoPTBPdTNaIygZUQEC/t/v5pkpiQ7CRcpiF6jzicDpHTb3w HaBqy1Wa6gvsPPnHp6TpTjv6w9AbLCQEGbZOi2/srqZ0z5E
  • Ironport-hdrordr: A9a23:zqnwmq6uE9R3KIXYlQPXwPfXdLJyesId70hD6qm+c20tTiX4rb HXoB1/73XJYVkqKRQdcLy7Scu9qDbnhP1ICOoqXItKPjOW3FdARbsKheDfKn/bexEWndQtsp uIHZIObuEYzmIXsS852mSF+hobr+VvOZrHudvj
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Mar 23, 2023 at 09:02:31AM +0100, Jan Beulich wrote:
> On 22.03.2023 18:08, Roger Pau Monné wrote:
> > On Wed, Mar 22, 2023 at 06:05:55PM +0100, Roger Pau Monné wrote:
> >> On Wed, Mar 22, 2023 at 04:14:54PM +0100, Jan Beulich wrote:
> >>> On 22.03.2023 15:30, Roger Pau Monne wrote:
> >>>> Changes since v2:
> >>>>  - Slightly adjust VMSIX_ADDR_SAME_PAGE().
> >>>>  - Use IS_ALIGNED and unlikely for the non-aligned access checking.
> >>>>  - Move the check for the page mapped before the aligned one.
> >>>>  - Remove cast of data to uint8_t and instead use a mask in order to
> >>>>    avoid undefined behaviour when shifting.
> >>>>  - Remove Xen maps of the MSIX related regions when memory decoding
> >>>>    for the device is enabled by dom0, in order to purge stale maps.
> >>>
> >>> I'm glad you thought of this. The new code has issues, though:
> >>>
> >>>> @@ -182,93 +187,201 @@ static struct vpci_msix_entry *get_entry(struct 
> >>>> vpci_msix *msix,
> >>>>      return &msix->entries[(addr - start) / PCI_MSIX_ENTRY_SIZE];
> >>>>  }
> >>>>  
> >>>> -static void __iomem *get_pba(struct vpci *vpci)
> >>>> +static void __iomem *get_table(struct vpci *vpci, unsigned int slot)
> >>>>  {
> >>>>      struct vpci_msix *msix = vpci->msix;
> >>>>      /*
> >>>> -     * PBA will only be unmapped when the device is deassigned, so 
> >>>> access it
> >>>> -     * without holding the vpci lock.
> >>>> +     * Regions will only be unmapped when the device is deassigned, so 
> >>>> access
> >>>> +     * them without holding the vpci lock.
> >>>
> >>> The first part of the sentence is now stale, and the second part is in
> >>> conflict ...
> >>>
> >>>> @@ -482,6 +641,26 @@ int vpci_make_msix_hole(const struct pci_dev *pdev)
> >>>>          }
> >>>>      }
> >>>>  
> >>>> +    if ( is_hardware_domain(d) )
> >>>> +    {
> >>>> +        unsigned int i;
> >>>> +
> >>>> +        /*
> >>>> +         * For the hardware domain only remove any hypervisor mappings 
> >>>> of the
> >>>> +         * MSIX or PBA related areas, as dom0 is capable of moving the 
> >>>> position
> >>>> +         * of the BARs in the host address space.
> >>>> +         *
> >>>> +         * We rely on being called with the vPCI lock held in order to 
> >>>> not race
> >>>> +         * with get_table().
> >>>
> >>> ... with what you say (and utilize) here. Furthermore this comment also 
> >>> wants
> >>> clarifying that apply_map() -> modify_decoding() not (afaics) holding the 
> >>> lock
> >>> when calling here is not a problem, as no mapping can exist yet that may 
> >>> need
> >>> tearing down. (I first wondered whether you wouldn't want to assert that 
> >>> the
> >>> lock is being held. You actually could, but only after finding a non-NULL
> >>> table entry.)
> >>
> >> Oh, yes, sorry, I should update those comments.  vpci_make_msix_hole()
> >> gets called before bars[].enabled gets set, so there should be no
> >> users of the mappings at that time because we don't handle accesses
> >> when the BAR is not mapped.
> >>
> >> Not sure whether we should consider an access from when the BAR was
> >> actually enabled by a different thread could still continue while on
> >> another thread the BAR has been disabled and enabled again (and thus
> >> the mapping removed).  It's a theoretical race, so I guess I will look
> >> into making sure we cannot hit it.
> > 
> > Hm, maybe it doesn't matter much because such kind of trace could only
> > be triggered by the hardware domain anyway, and it has plenty of other
> > ways to mess with Xen.
> 
> Preferably we should get things to use proper locking. If that turns out
> too hard, properly justified such an exception for Dom0 might be
> acceptable.

Right, one idea I have would be to use map_pages_to_xen() in
vpci_make_msix_hole() to remap any existing virtual addresses to point
to the new physical addresses, so that there's no unmap.  I think this
would be fine because map_pages_to_xen() does an atomic write of the
PTE, but not sure if it's abusing the interface.  Such remap would
avoid taking the vpci lock for the whole duration of the access.

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.