Xen project Mailing List

Re: [PATCH v9 02/16] vpci: use per-domain PCI lock to protect vpci structure

To: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 21 Sep 2023 11:41:37 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=58EkMiYuvw2X/nDSz9T5cQ4eBqI1y2kpolAtQxlah6A=; b=e3zKRXoJ7DWlwStzb9xfMEKrxgKlN5XJV7WekIZQqQaIlvTt+/NUVUnDp29H+nd/8mNQn99PxPyinZJ/HmbCJPCg48GAVpQcZq/hlA9UGc3FQgO4G7qGR1uLERUFregNynxraKyLpMaK8QCSCZcrZgCLBUK+xoviU6REpd7v81CMiUWh0JwWACJ3wvCJY12YNr9wvMIce2O2X2UJoEMtZwZ+TQMOmjflM8hML4hbeoklWLwsXxMLTNE2oIktJ3GumaO0pdzh0VJr3SOTKRIhSJFRCcSHk6YKqnEQnFRktFdEAMWhUU3XwqSwH7MUZLD1pwBff0iNEN+fUEEukojoJA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ezLrA1TD3HfmDS5IcNvwj7l5RhupPquAmFu8ZRxwjM/mzAOdOXTcOplrK96BZtZxLcqMxjcx5ZF3+yGJ3t5yzgG7MRELmQQMBXIcyEfC98cZKZvhj0NJ30fY6rg5Sri+u0vO9P9H8J19e/O+YOOqqbab3KYkpHDw/cT4fVBufOB75wiR5LJZ5/VOmhEXph18a8EyvFmCtZMRPzHbEPDJnmfPaa7a/ouoXTS5QNz/Ffnz1J/ov5a59qoiMOaNiOYgIqmYnfXckoGwIwGu3a3qA6goKuEqIY4G5yH4/fGTtAavSU89rEpBpB/pqJCwc+9hG4784kVbVv8/wCe/OR85mQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Paul Durrant <paul@xxxxxxx>

Delivery-date: Thu, 21 Sep 2023 09:42:11 +0000

Ironport-data: A9a23:MiLvH6ArJyLDiRVW/5Xiw5YqxClBgxIJ4kV8jS/XYbTApD1w0j0Ay WZNDWCDP/iCYDemf9tyOo/npEsAsJeAy9JgQQY4rX1jcSlH+JHPbTi7wuUcHAvJd5GeExg3h yk6QoOdRCzhZiaE/n9BCpC48D8kk/nOH+KgYAL9EngZbRd+Tys8gg5Ulec8g4p56fC0GArIs t7pyyHlEAbNNwVcbCRMsMpvlDs15K6p4GJC5wRkDRx2lAS2e0c9Xcp3yZ6ZdxMUcqEMdsamS uDKyq2O/2+x13/B3fv8z94X2mVTKlLjFVDmZkh+AsBOsTAbzsAG6Y4pNeJ0VKtio27hc+ada jl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CA6IoKvn3bEmp1T4E8K0YIw9+Z2XDwe/ vUhOXMkSAzaqaHt+56wY7w57igjBJGD0II3nFhFlGucJ9B2BJfJTuPN+MNS2yo2ioZWB/HCa sEFaD1pKhPdfxlIPVRRA5U79AuqriCnL3sE9xTI+OxuvTi7IA9ZidABNPLPfdOHX4NNl1uwr WPa5WXpRBodMbRzzBLcqCnz2bGXw3yTtIQ6N+bm885SrECqxX0rAkAVTQrmkeLksxvrMz5YA wlOksY0loAp6EG0R8PhGR25pHKJtAQVXdZ4Gug2rgqKz8L83QGdAWQVSy9bX/YvvsQ2WD8C2 0eAmpXiAjkHmK2YTzeR+6mZqRu2ODMJNikSaCkcVwwH7tL/5oYpgXrnadJuE7W8iNHvLhj2z yqXtyg1h7gVjskj2r2y+BbMhDfEjprDQxMx5w7Xdnm49Q4/b4mgD6S37XDL4PAGK5yWJnGDo X5CncGd5eIPCJillSqRTeFLF7asj96GPSPdhxhzHpAn3zWr53OnO4tX5VlWPE50Nu4UdDmvZ 1Xc0T69/7dWNXquKKVxM4S4Dp1wybC6TIq1EPfJctBJf559Mhed+z1jblKR2Garl1UwlaY4O tGQdsPE4WsmNJmLBQGeH481uYLHDAhkrY8PbfgXFyia7Ic=

Ironport-hdrordr: A9a23:h5rYlq06aykMFnALMr1jpgqjBEQkLtp133Aq2lEZdPU0SKGlfg 6V/MjztCWE7gr5PUtLpTnuAsa9qB/nm6KdpLNhX4tKPzOW31dATrsSjrcKqgeIc0HDH6xmpM JdmsBFY+EYZmIK6foSjjPYLz4hquP3j5xBh43lvglQpdcBUdAQ0+97YDzrYnGfXGN9dOME/A L33Ls7m9KnE05nFviTNz0+cMXogcbEr57iaQ5uPW9a1OHf5QnYk4ITCnKjr20jbw8=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Sep 20, 2023 at 03:16:00PM -0400, Stewart Hildebrand wrote: > On 9/19/23 11:39, Roger Pau Monné wrote: > > On Tue, Aug 29, 2023 at 11:19:42PM +0000, Volodymyr Babchuk wrote: > >> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c > >> index 1edc7f1e91..545a27796e 100644 > >> --- a/xen/arch/x86/hvm/vmx/vmx.c > >> +++ b/xen/arch/x86/hvm/vmx/vmx.c > >> @@ -413,8 +413,6 @@ static int cf_check vmx_pi_update_irte(const struct > >> vcpu *v, > >> > >> spin_unlock_irq(&desc->lock); > >> > >> - ASSERT(pcidevs_locked()); > >> - > > > > Hm, this removal seems dubious, same with some of the removal below. > > And I don't see any comment in the log message as to why removing the > > asserts here and in __pci_enable_msi{,x}(), pci_prepare_msix() is > > safe. > > > > I suspect we may want: > > ASSERT(pcidevs_locked() || rw_is_locked(&d->pci_lock)); > > However, we don't have d. Using v->domain here is tricky because v may be > NULL. How about passing struct domain *d as an arg to > {hvm,vmx}_pi_update_irte()? Or ensuring that all callers pass a valid v? I guess there was a reason to expect a path with v == NULL, but would need to go trough the call paths that lead here. Another option might be use use: ASSERT(pcidevs_locked() || (v && rw_is_locked(&v->domain->pci_lock))); But we would need some understanding of the call site of vmx_pi_update_irte(). > > >> return iommu_update_ire_from_msi(msi_desc, &msi_desc->msg); > >> > >> unlock_out: > >> diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c > >> index d0bf63df1d..ba2963b7d2 100644 > >> --- a/xen/arch/x86/msi.c > >> +++ b/xen/arch/x86/msi.c > >> @@ -613,7 +613,7 @@ static int msi_capability_init(struct pci_dev *dev, > >> u8 slot = PCI_SLOT(dev->devfn); > >> u8 func = PCI_FUNC(dev->devfn); > >> > >> - ASSERT(pcidevs_locked()); > >> + ASSERT(pcidevs_locked() || rw_is_locked(&dev->domain->pci_lock)); > >> pos = pci_find_cap_offset(seg, bus, slot, func, PCI_CAP_ID_MSI); > >> if ( !pos ) > >> return -ENODEV; > >> @@ -783,7 +783,7 @@ static int msix_capability_init(struct pci_dev *dev, > >> if ( !pos ) > >> return -ENODEV; > >> > >> - ASSERT(pcidevs_locked()); > >> + ASSERT(pcidevs_locked() || rw_is_locked(&dev->domain->pci_lock)); > >> > >> control = pci_conf_read16(dev->sbdf, msix_control_reg(pos)); > >> /* > >> @@ -1000,7 +1000,6 @@ static int __pci_enable_msi(struct msi_info *msi, > >> struct msi_desc **desc) > >> struct pci_dev *pdev; > >> struct msi_desc *old_desc; > >> > >> - ASSERT(pcidevs_locked()); > >> pdev = pci_get_pdev(NULL, msi->sbdf); > >> if ( !pdev ) > >> return -ENODEV; > > I think we can move the ASSERT here, after we obtain the pdev. Then we can > add the pdev->domain->pci_lock check into the mix: > > ASSERT(pcidevs_locked() || rw_is_locked(&pdev->domain->pci_lock)); Hm, it would be better to perform the ASSERT before possibly accessing the pdev list without holding any locks, but it's just an assert so that might be the best option. > > >> @@ -1055,7 +1054,6 @@ static int __pci_enable_msix(struct msi_info *msi, > >> struct msi_desc **desc) > >> struct pci_dev *pdev; > >> struct msi_desc *old_desc; > >> > >> - ASSERT(pcidevs_locked()); > >> pdev = pci_get_pdev(NULL, msi->sbdf); > >> if ( !pdev || !pdev->msix ) > >> return -ENODEV; > > Same here > > >> @@ -1170,8 +1168,6 @@ int pci_prepare_msix(u16 seg, u8 bus, u8 devfn, bool > >> off) > >> */ > >> int pci_enable_msi(struct msi_info *msi, struct msi_desc **desc) > >> { > >> - ASSERT(pcidevs_locked()); > >> - > > This removal inside pci_enable_msi() may be okay if both __pci_enable_msi() > and __pci_enable_msix() have an appropriate ASSERT. Hm, yes, that's likely fine, but would want a small mention in the commit message. > >> if ( !use_msi ) > >> return -EPERM; > >> > > Related: in xen/drivers/passthrough/pci.c:pci_get_pdev() I run into an ASSERT > with a PVH dom0: > > (XEN) Assertion 'd || pcidevs_locked()' failed at > drivers/passthrough/pci.c:534 > (XEN) ----[ Xen-4.18-unstable x86_64 debug=y Tainted: C ]---- > ... > (XEN) Xen call trace: > (XEN) [<ffff82d040285a3b>] R pci_get_pdev+0x4c/0xab > (XEN) [<ffff82d04034742e>] F arch/x86/msi.c#__pci_enable_msi+0x1d/0xb4 > (XEN) [<ffff82d0403477b5>] F pci_enable_msi+0x20/0x28 > (XEN) [<ffff82d04034cfa4>] F map_domain_pirq+0x2b0/0x718 > (XEN) [<ffff82d04034e37c>] F allocate_and_map_msi_pirq+0xff/0x26b > (XEN) [<ffff82d0402e088b>] F arch/x86/hvm/vmsi.c#vpci_msi_enable+0x53/0x9d > (XEN) [<ffff82d0402e19d5>] F vpci_msi_arch_enable+0x36/0x6c > (XEN) [<ffff82d04026f49d>] F drivers/vpci/msi.c#control_write+0x71/0x114 > (XEN) [<ffff82d04026d050>] F > drivers/vpci/vpci.c#vpci_write_helper+0x6f/0x7c > (XEN) [<ffff82d04026de39>] F vpci_write+0x249/0x2f9 > ... > > With the patch applied, it's valid to call pci_get_pdev() with only > d->pci_lock held, so the ASSERT in pci_get_pdev() needs to be reworked too. > Inside pci_get_pdev(), d may be null, so we can't easily add || > rw_is_locked(&d->pci_lock) into the ASSERT. Instead I propose something like > the following, which resolves the observed assertion failure: > > diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c > index 572643abe412..2b4ad804510c 100644 > --- a/xen/drivers/passthrough/pci.c > +++ b/xen/drivers/passthrough/pci.c > @@ -531,8 +531,6 @@ struct pci_dev *pci_get_pdev(const struct domain *d, > pci_sbdf_t sbdf) > { > struct pci_dev *pdev; > > - ASSERT(d || pcidevs_locked()); > - > /* > * The hardware domain owns the majority of the devices in the system. > * When there are multiple segments, traversing the per-segment list is > @@ -549,12 +547,18 @@ struct pci_dev *pci_get_pdev(const struct domain *d, > pci_sbdf_t sbdf) > list_for_each_entry ( pdev, &pseg->alldevs_list, alldevs_list ) > if ( pdev->sbdf.bdf == sbdf.bdf && > (!d || pdev->domain == d) ) > + { > + ASSERT(d || pcidevs_locked() || > rw_is_locked(&pdev->domain->pci_lock)); Hm, strictly speaking iterating over the pseg list while just holding the d->pci_lock is not safe, we should instead iterate over d->pdev_list. We might have to slightly modify pci_enable_msi() to take a pdev so that the search can be done by the caller (holding the right lock). Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.