From: Juergen Gross <jgross@suse.com>
To: Julien Grall <julien@xen.org>, Jan Beulich <jbeulich@suse.com>
Cc: xen-devel@lists.xenproject.org,
"Volodymyr Babchuk" <Volodymyr_Babchuk@epam.com>,
"Bertrand Marquis" <bertrand.marquis@arm.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"George Dunlap" <george.dunlap@citrix.com>,
"Wei Liu" <wl@xen.org>, "Roger Pau Monné" <roger.pau@citrix.com>,
"Christopher Clark" <christopher.w.clark@gmail.com>,
"Stefano Stabellini" <sstabellini@kernel.org>
Subject: Re: [PATCH v3 02/13] xen: harmonize return types of hypercall handlers
Date: Fri, 17 Dec 2021 12:12:29 +0100 [thread overview]
Message-ID: <a91217dc-8f97-2882-ce08-2a408654295e@suse.com> (raw)
In-Reply-To: <e41d26aa-9ef5-459a-c143-caf28e43c47c@xen.org>
[-- Attachment #1.1.1: Type: text/plain, Size: 5473 bytes --]
On 17.12.21 11:41, Julien Grall wrote:
> Hi Juergen,
>
> On 17/12/2021 08:50, Juergen Gross wrote:
>> On 17.12.21 08:45, Jan Beulich wrote:
>>> On 17.12.2021 06:34, Juergen Gross wrote:
>>>> On 16.12.21 22:15, Stefano Stabellini wrote:
>>>>> On Thu, 16 Dec 2021, Stefano Stabellini wrote:
>>>>>> On Thu, 16 Dec 2021, Juergen Gross wrote:
>>>>>>> On 16.12.21 03:10, Stefano Stabellini wrote:
>>>>>>>> The case of XENMEM_maximum_ram_page is interesting but it is not a
>>>>>>>> problem in reality because the max physical address size is only
>>>>>>>> 40-bit
>>>>>>>> for aarch32 guests, so 32-bit are always enough to return the
>>>>>>>> highest
>>>>>>>> page in memory for 32-bit guests.
>>>>>>>
>>>>>>> You are aware that this isn't the guest's max page, but the host's?
>>>>>
>>>>> I can see now that you meant to say that, no matter what is the max
>>>>> pseudo-physical address supported by the VM,
>>>>> XENMEM_maximum_ram_page is
>>>>> supposed to return the max memory page, which could go above the
>>>>> addressibility limit of the VM.
>>>>>
>>>>> So XENMEM_maximum_ram_page should potentially be able to return
>>>>> (1<<44)
>>>>> even when called by an aarch32 VM, with max IPA 40-bit.
>>>>>
>>>>> I would imagine it could be useful if dom0 is 32-bit but domUs are
>>>>> 64-bit on a 64-bit hypervisor (which I think it would be a very rare
>>>>> configuration on ARM.)
>>>>>
>>>>> Then it looks like XENMEM_maximum_ram_page needs to be able to
>>>>> return a
>>>>> value > 32-bit when called by a 32-bit guest.
>>>>>
>>>>> The hypercall ABI follows the ARM C calling convention, so a 64-bit
>>>>> value should be returned using r0 and r1. But looking at
>>>>> xen/arch/arm/traps.c:do_trap_hypercall, it doesn't seem it ever
>>>>> sets r1
>>>>> today. Only r0 is set, so effectively we only support 32-bit return
>>>>> values on aarch32 and for aarch32 guests.
>>>>>
>>>>> In other words, today all hypercalls on ARM return 64-bit to 64-bit
>>>>> guests and 32-bit to 32-bit guests. Which in the case of memory_op is
>>>>> "technically" the correct thing to do because it matches the C
>>>>> declaration in xen/include/xen/hypercall.h:
>>>>>
>>>>> extern long
>>>>> do_memory_op(
>>>>> unsigned long cmd,
>>>>> XEN_GUEST_HANDLE_PARAM(void) arg);
>>>>>
>>>>> So... I guess the conclusion is that on ARM do_memory_op should
>>>>> return
>>>>> "long" although it is not actually enough for a correct implementation
>>>>> of XENMEM_maximum_ram_page for aarch32 guests ?
>>>>>
>>>>
>>>> Hence my suggestion to check the return value of _all_ hypercalls to be
>>>> proper sign extended int values for 32-bit guests. This would fix all
>>>> potential issues without silently returning truncated values.
>>>
>>> Are we absolutely certain we have no other paths left where a possibly
>>> large unsigned values might be returned? In fact while
>>> compat_memory_op() does the necessary saturation, I've never been fully
>>> convinced of this being the best way of dealing with things. The range
>>> of error indicators is much smaller than [-INT_MIN,-1], so almost
>>> double the range of effectively unsigned values could be passed back
>>> fine. (Obviously we can't change existing interfaces, so this mem-op
>>> will need to remain as is.)
>>
>> In fact libxenctrl tries do deal with this fact by wrapping a memory_op
>> for a 32-bit environment into a multicall. This will work fine for a
>> 32-bit Arm guest, as xen_ulong_t is a uint64 there.
>>
>> So do_memory_op should return long on Arm, yes. OTOH doing so will
>> continue to be a problem in case a 32-bit guest doesn't use the
>> multicall technique for handling possible 64-bit return values.
>>
>> So I continue to argue that on Arm the return value of a hypercall
>> should be tested to fit into 32 bits.
>
> It would make sense. But what would you return if the value doesn't fit?
I guess some errno value would be appropriate, like -EDOM, -ERANGE or
-E2BIG.
>
>> The only really clean alternative
>> would be to have separate hypercall function classes for Arm 32- and
>> 64-bit guests (which still could share most of the functions by letting
>> those return "int"). This would allow to use the 64-bit variant even for
>> 32-bit guests in multicall (fine as the return field is 64-bit wide),
>> and a probably saturating compat version for the 32-bit guest direct
>> hypercall.
>
> I am not entirely sure to understand this proposal. Can you clarify it?
1. In patch 5 modify the hypercall table by adding another column, so
instead of:
+table: pv32 pv64 hvm32 hvm64 arm
use:
+table: pv32 pv64 hvm32 hvm64 arm32 arm64
2. Let most of the hypercalls just return int instead of long:
+rettype: do int
3. Have an explicit 64-bit variant of memory_op (the 32-bit one is the
compat variant existing already):
+rettype: do64 long
+prefix: do64 PREFIX_hvm
+memory_op(unsigned long cmd, void *arg)
4. Use the appropriate calls in each column:
+memory_op compat do64 hvm hvm compat do64
5. In the Arm hypercall trap handler do:
if ( is_32bit_domain(current->domain) )
call_handlers_arm32(...);
else
call_handlers_arm64(...);
6. In the multicall handler always do:
call_handlers_arm64(...);
Juergen
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3135 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
next prev parent reply other threads:[~2021-12-17 11:13 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-08 15:55 [PATCH v3 00/13] xen: drop hypercall function tables Juergen Gross
2021-12-08 15:55 ` [PATCH v3 01/13] xen: move do_vcpu_op() to arch specific code Juergen Gross
2021-12-14 17:21 ` Julien Grall
2021-12-15 7:12 ` Juergen Gross
2021-12-15 9:40 ` Julien Grall
2021-12-08 15:55 ` [PATCH v3 02/13] xen: harmonize return types of hypercall handlers Juergen Gross
2021-12-14 17:36 ` Julien Grall
2021-12-15 7:03 ` Juergen Gross
2021-12-16 2:10 ` Stefano Stabellini
2021-12-16 5:13 ` Juergen Gross
2021-12-16 20:43 ` Stefano Stabellini
2021-12-16 21:15 ` Stefano Stabellini
2021-12-17 5:34 ` Juergen Gross
2021-12-17 7:45 ` Jan Beulich
2021-12-17 8:50 ` Juergen Gross
2021-12-17 10:41 ` Julien Grall
2021-12-17 11:12 ` Juergen Gross [this message]
2021-12-17 23:00 ` Stefano Stabellini
2021-12-20 17:14 ` Julien Grall
2021-12-21 0:08 ` Stefano Stabellini
2021-12-21 7:45 ` Juergen Gross
2021-12-21 9:16 ` Julien Grall
2021-12-17 7:39 ` Jan Beulich
2021-12-17 10:38 ` Julien Grall
2021-12-17 23:05 ` Stefano Stabellini
2021-12-17 10:04 ` Julien Grall
2021-12-08 15:55 ` [PATCH v3 03/13] xen: don't include asm/hypercall.h from C sources Juergen Gross
2021-12-08 15:55 ` [PATCH v3 04/13] xen: include compat/platform.h from hypercall.h Juergen Gross
2021-12-09 9:01 ` Jan Beulich
2021-12-08 15:55 ` [PATCH v3 05/13] xen: generate hypercall interface related code Juergen Gross
2021-12-14 8:56 ` Jan Beulich
2021-12-08 15:55 ` [PATCH v3 06/13] xen: use generated prototypes for hypercall handlers Juergen Gross
2021-12-08 15:56 ` [PATCH v3 07/13] x86/pv-shim: don't modify hypercall table Juergen Gross
2021-12-08 15:56 ` [PATCH v3 08/13] xen/x86: don't use hypercall table for calling compat hypercalls Juergen Gross
2021-12-08 15:56 ` [PATCH v3 09/13] xen/x86: call hypercall handlers via generated macro Juergen Gross
2021-12-08 15:56 ` [PATCH v3 10/13] xen/arm: " Juergen Gross
2021-12-08 15:56 ` [PATCH v3 11/13] xen/x86: add hypercall performance counters for hvm, correct pv Juergen Gross
2021-12-08 15:56 ` [PATCH v3 12/13] xen: drop calls_to_multicall performance counter Juergen Gross
2021-12-08 15:56 ` [PATCH v3 13/13] tools/xenperf: update hypercall names Juergen Gross
2021-12-09 9:05 ` [PATCH v3 00/13] xen: drop hypercall function tables Jan Beulich
2021-12-09 9:10 ` Juergen Gross
2021-12-13 10:35 ` Jan Beulich
2021-12-13 10:48 ` Juergen Gross
2022-03-08 8:34 ` Jan Beulich
2022-03-08 8:39 ` Juergen Gross
2022-03-08 8:50 ` Jan Beulich
2022-03-08 8:53 ` Juergen Gross
2022-03-08 12:50 ` Jan Beulich
2022-03-08 12:56 ` Juergen Gross
2022-03-08 13:42 ` Jan Beulich
2022-03-08 13:44 ` Juergen Gross
2022-03-08 13:52 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a91217dc-8f97-2882-ce08-2a408654295e@suse.com \
--to=jgross@suse.com \
--cc=Volodymyr_Babchuk@epam.com \
--cc=andrew.cooper3@citrix.com \
--cc=bertrand.marquis@arm.com \
--cc=christopher.w.clark@gmail.com \
--cc=george.dunlap@citrix.com \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.