[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi

To: "Chen, Jiqian" <Jiqian.Chen@xxxxxxx>
From: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Date: Fri, 26 Jul 2024 13:16:02 -0700 (PDT)
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <gwd@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Anthony PERARD <anthony@xxxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, "Daniel P . Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, "Hildebrand, Stewart" <Stewart.Hildebrand@xxxxxxx>, "Huang, Ray" <Ray.Huang@xxxxxxx>
Delivery-date: Fri, 26 Jul 2024 20:16:16 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, 26 Jul 2024, Chen, Jiqian wrote:
> On 2024/7/23 06:10, Stefano Stabellini wrote:
> > On Mon, 8 Jul 2024, Jiqian Chen wrote:
> >> Some type of domains don't have PIRQs, like PVH, it doesn't do
> >> PHYSDEVOP_map_pirq for each gsi. When passthrough a device
> >> to guest base on PVH dom0, callstack
> >> pci_add_dm_done->XEN_DOMCTL_irq_permission will fail at function
> >> domain_pirq_to_irq, because PVH has no mapping of gsi, pirq and
> >> irq on Xen side.
> >> What's more, current hypercall XEN_DOMCTL_irq_permission requires
> >> passing in pirq to set the access of irq, it is not suitable for
> >> dom0 that doesn't have PIRQs.
> >>
> >> So, add a new hypercall XEN_DOMCTL_gsi_permission to grant/deny
> >> the permission of irq(translate from x86 gsi) to dumU when dom0
> >> has no PIRQs.
> >>
> >> Signed-off-by: Jiqian Chen <Jiqian.Chen@xxxxxxx>
> >> Signed-off-by: Huang Rui <ray.huang@xxxxxxx>
> >> Signed-off-by: Jiqian Chen <Jiqian.Chen@xxxxxxx>
> >> ---
> >> CC: Daniel P . Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> >> Remaining comment @Daniel P . Smith:
> >> +        ret = -EPERM;
> >> +        if ( !irq_access_permitted(currd, irq) ||
> >> +             xsm_irq_permission(XSM_HOOK, d, irq, access_flag) )
> >> +            goto gsi_permission_out;
> >> Is it okay to issue the XSM check using the translated value, 
> >> not the one that was originally passed into the hypercall?
> >> ---
> >>  xen/arch/x86/domctl.c              | 32 ++++++++++++++++++++++++++++++
> >>  xen/arch/x86/include/asm/io_apic.h |  2 ++
> >>  xen/arch/x86/io_apic.c             | 17 ++++++++++++++++
> >>  xen/arch/x86/mpparse.c             |  5 ++---
> >>  xen/include/public/domctl.h        |  9 +++++++++
> >>  xen/xsm/flask/hooks.c              |  1 +
> >>  6 files changed, 63 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
> >> index 9190e11faaa3..4e9e4c4cfed3 100644
> >> --- a/xen/arch/x86/domctl.c
> >> +++ b/xen/arch/x86/domctl.c
> >> @@ -36,6 +36,7 @@
> >>  #include <asm/xstate.h>
> >>  #include <asm/psr.h>
> >>  #include <asm/cpu-policy.h>
> >> +#include <asm/io_apic.h>
> >>  
> >>  static int update_domain_cpu_policy(struct domain *d,
> >>                                      xen_domctl_cpu_policy_t *xdpc)
> >> @@ -237,6 +238,37 @@ long arch_do_domctl(
> >>          break;
> >>      }
> >>  
> >> +    case XEN_DOMCTL_gsi_permission:
> >> +    {
> >> +        int irq;
> >> +        unsigned int gsi = domctl->u.gsi_permission.gsi;
> >> +        uint8_t access_flag = domctl->u.gsi_permission.access_flag;
> >> +
> >> +        /* Check all bits and pads are zero except lowest bit */
> >> +        ret = -EINVAL;
> >> +        if ( access_flag & ( ~XEN_DOMCTL_GSI_PERMISSION_MASK ) )
> >> +            goto gsi_permission_out;
> >> +        for ( i = 0; i < ARRAY_SIZE(domctl->u.gsi_permission.pad); ++i )
> >> +            if ( domctl->u.gsi_permission.pad[i] )
> >> +                goto gsi_permission_out;
> >> +
> >> +        if ( gsi > highest_gsi() || (irq = gsi_2_irq(gsi)) <= 0 )
> > 
> > gsi is unsigned int but it is passed to gsi_2_irq which takes an int as
> > parameter. If gsi >= INT32_MAX we have a problem. I think we should
> > explicitly check for the possible overflow and return error in that
> > case.
> But here has checked "gsi > highest_gsi()", can highesi_gsi() return a gsi >= 
> INT32_MAX?

In practice it is impossible but in theory it could. But then I looked
at the implementation of highest_gsi() and gsi_end actually a signed
int. So I think this is OK:

Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>

References:
- [XEN PATCH v12 0/7] Support device passthrough when dom0 is PVH on Xen
  - From: Jiqian Chen
- [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
  - From: Jiqian Chen
- Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
  - From: Stefano Stabellini
- Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
  - From: Chen, Jiqian

Prev by Date: [ovmf test] 187018: all pass - PUSHED
Next by Date: [libvirt test] 187013: tolerable all pass - PUSHED
Previous by thread: Re: [XEN PATCH v12 4/7] x86/domctl: Add hypercall to set the access of x86 gsi
Next by thread: [XEN PATCH v12 5/7] tools/libxc: Allow gsi be mapped into a free pirq
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.