Re: [Xen-devel] [PATCH 04/17] xen: Convert virt_to_mfn() and mfn_to_virt() to use typesafe MFN

From: Julien Grall <julien@xen.org>
To: Jan Beulich <jbeulich@suse.com>
Cc: "Stefano Stabellini" <sstabellini@kernel.org>,
	"Wei Liu" <wl@xen.org>,
	"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Julien Grall" <jgrall@amazon.com>,
	"Ian Jackson" <ian.jackson@eu.citrix.com>,
	"George Dunlap" <george.dunlap@citrix.com>,
	"Ross Lagerwall" <ross.lagerwall@citrix.com>,
	"Lukasz Hawrylko" <lukasz.hawrylko@linux.intel.com>,
	xen-devel@lists.xenproject.org,
	"Volodymyr Babchuk" <Volodymyr_Babchuk@epam.com>,
	"Roger Pau Monné" <roger.pau@citrix.com>
Subject: Re: [Xen-devel] [PATCH 04/17] xen: Convert virt_to_mfn() and mfn_to_virt() to use typesafe MFN
Date: Sat, 28 Mar 2020 10:33:47 +0000	[thread overview]
Message-ID: <5d554850-34eb-5ff7-6904-a304e444f4a6@xen.org> (raw)
In-Reply-To: <d48b93a3-c778-9f66-78ec-eb40d129a565@suse.com>

Hi,

On 26/03/2020 09:09, Jan Beulich wrote:
> On 25.03.2020 19:21, Julien Grall wrote:
>> On 25/03/2020 15:27, Jan Beulich wrote:
>>> On 22.03.2020 17:14, julien@xen.org wrote:
>>>> @@ -785,21 +781,21 @@ bool is_iomem_page(mfn_t mfn)
>>>>        return (page_get_owner(page) == dom_io);
>>>>    }
>>>>    -static int update_xen_mappings(unsigned long mfn, unsigned int cacheattr)
>>>> +static int update_xen_mappings(mfn_t mfn, unsigned int cacheattr)
>>>>    {
>>>>        int err = 0;
>>>> -    bool alias = mfn >= PFN_DOWN(xen_phys_start) &&
>>>> -         mfn < PFN_UP(xen_phys_start + xen_virt_end - XEN_VIRT_START);
>>>> +    bool alias = mfn_x(mfn) >= PFN_DOWN(xen_phys_start) &&
>>>> +         mfn_x(mfn) < PFN_UP(xen_phys_start + xen_virt_end - XEN_VIRT_START);
>>>>        unsigned long xen_va =
>>>> -        XEN_VIRT_START + ((mfn - PFN_DOWN(xen_phys_start)) << PAGE_SHIFT);
>>>> +        XEN_VIRT_START + mfn_to_maddr(mfn_add(mfn, -PFN_DOWN(xen_phys_start)));
>>>
>>> Depending on the types involved (e.g. in PFN_DOWN()) this may
>>> or may not be safe, so I consider such a transformation at
>>> least fragile. I think we either want to gain mfn_sub() or
>>> keep this as a "real" subtraction.
>> I want to avoid mfn_x() as much as possible when everything can
>> be done using typesafe operation. But i am not sure how
>> mfn_sub() would solve the problem. Do you mind providing more
>> information?
> 
> Consider PFN_DOWN() potentially returning "unsigned int". The
> negation of an unsigned int is still an unsigned int, and hence
> e.g. -1U (which might result here) is really 0xFFFFFFFF rather
> than -1L / -1UL as intended. Whereas with mfn_sub() the
> conversion to unsigned long of the (positive) value to subtract
> would occur as part of evaluating function arguments, and the
> resulting subtraction would then be correct.

I will have a look to introduce mfn_sub().

> 
>>>> @@ -584,21 +584,21 @@ static unsigned long init_node_heap(int node, unsigned long mfn,
>>>>            needed = 0;
>>>>        }
>>>>        else if ( *use_tail && nr >= needed &&
>>>> -              arch_mfn_in_directmap(mfn + nr) &&
>>>> +              arch_mfn_in_directmap(mfn_x(mfn_add(mfn, nr))) &&
>>>>                  (!xenheap_bits ||
>>>> -               !((mfn + nr - 1) >> (xenheap_bits - PAGE_SHIFT))) )
>>>> +               !((mfn_x(mfn) + nr - 1) >> (xenheap_bits - PAGE_SHIFT))) )
>>>
>>> May I suggest consistency here: This one uses +, while ...
>>>
>>>>        {
>>>> -        _heap[node] = mfn_to_virt(mfn + nr - needed);
>>>> -        avail[node] = mfn_to_virt(mfn + nr - 1) +
>>>> +        _heap[node] = mfn_to_virt(mfn_add(mfn, nr - needed));
>>>> +        avail[node] = mfn_to_virt(mfn_add(mfn, nr - 1)) +
>>>>                          PAGE_SIZE - sizeof(**avail) * NR_ZONES;
>>>>        }
>>>>        else if ( nr >= needed &&
>>>> -              arch_mfn_in_directmap(mfn + needed) &&
>>>> +              arch_mfn_in_directmap(mfn_x(mfn_add(mfn, needed))) &&
>>>
>>> ... this one uses mfn_add() despite the mfn_x() around it, and ...
>>
>> So the reason I used mfn_x(mfn_add(mfn, needed)) here is I plan
>> to convert arch_mfn_in_directmap() to use typesafe soon. In the
>> two others cases...
>>
>>>>                  (!xenheap_bits ||
>>>> -               !((mfn + needed - 1) >> (xenheap_bits - PAGE_SHIFT))) )
>>>> +               !((mfn_x(mfn) + needed - 1) >> (xenheap_bits - PAGE_SHIFT))) )
>>>
>>> ... here you use + again. My personal preference would be to avoid
>>> constructs like mfn_x(mfn_add()).
>>
>> ... I am still unsure how to avoid mfn_x(). Do you have any ideas?
> 
> I don't see how it can be avoided right now. But I also don't see
> why - for consistency, as said - you couldn't use mfn_x() also in
> the middle case. You could then still convert to mfn_add() with
> that future change of yours.

I could have as I could also have converted arch_mfn_in_directmap() to 
use typesafe MFN. Anything around typesafe is a can of worms and this is 
the fine line I found.

Anyway, I could not be bother to bikeshed... So I going to switch the 
other one to mfn_x(...) + needed.

> 
>>>> --- a/xen/include/asm-x86/mm.h
>>>> +++ b/xen/include/asm-x86/mm.h
>>>> @@ -667,7 +667,7 @@ static inline bool arch_mfn_in_directmap(unsigned long mfn)
>>>>    {
>>>>        unsigned long eva = min(DIRECTMAP_VIRT_END, HYPERVISOR_VIRT_END);
>>>>    -    return mfn <= (virt_to_mfn(eva - 1) + 1);
>>>> +    return mfn <= mfn_x(mfn_add(virt_to_mfn(eva - 1),  1));
>>>
>>> Even if you wanted to stick to using mfn_add() here, there's one
>>> blank too many after the comma.
>>
>> I will remove the extra blank. Regarding the construction, I have
>> been wondering for a couple of years now whether we should
>> introduce mfn_{lt, gt}. What do you think?
> 
> I too have been wondering, and wouldn't mind their introduction
> (plus mfn_le / mfn_ge perhaps). But it'll truly help you here
> anyway only once the function parameter is also mfn_t.

This is a longer term plan. So I am going to leave it like that for now 
until I manage to find time.

Cheers,

-- 
Julien Grall