From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ian Campbell <ian.campbell@citrix.com>
Subject: Re: [PATCH v3 12/24] xen/arm: Release IRQ routed to a
 domain when it's destroying
Date: Mon, 23 Feb 2015 15:25:23 +0000
Message-ID: <1424705123.27930.159.camel@citrix.com>
References: <1421159133-31526-1-git-send-email-julien.grall@linaro.org>
	<1421159133-31526-13-git-send-email-julien.grall@linaro.org>
	<1424449912.30924.346.camel@citrix.com> <54E771C7.4000003@linaro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <Ian.Campbell@citrix.com>) id 1YPuul-000298-Df
	for xen-devel@lists.xenproject.org; Mon, 23 Feb 2015 15:27:19 +0000
In-Reply-To: <54E771C7.4000003@linaro.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Julien Grall <julien.grall@linaro.org>
Cc: xen-devel@lists.xenproject.org, tim@xen.org, stefano.stabellini@citrix.com
List-Id: xen-devel@lists.xenproject.org

On Fri, 2015-02-20 at 17:41 +0000, Julien Grall wrote:

> >> +    /* TODO: Handle eviction from LRs. For now, deny remove if the IRQ
> >> +     * is inflight and not disabled.
> > 
> > If we are ungracefully killing a guest doesn't this risk ending up with
> > an undestroyable domain? i.e. if the guest is paused with an inflight
> > IRQ and then destroyed, how does the inflight IRQ ever become
> > not-inflight again? A similar argument could apply if the guest has e.g.
> > crashed, paniced or is otherwise not processing any more interrupts or
> > generating EOIs for existing ones.
> 
> No, this will fall on the "is_dying" part. During domain destruction,
> the hypervisor will release all the IRQ still assigned to the guest one
> by one.
> 
> > We need to be able to kill a guest in such a state somehow.
> 
> The TODO is here for running domain where we try to deassign an inflight
> IRQ.

I see. I think either expand the comment to say "for a running domain"
or, probably better, put this bit of code (and the comment) in an else
of the is_dying and get rid of the goto in the is_dying==true case.

> >> +    for ( i = 0; i < (d->arch.vgic.nr_spis); i++ )
> >> +    {
> >> +        struct pending_irq *p = &d->arch.vgic.pending_irqs[i];
> > 
> > Is there not a helper for this lookup? If so it should be used.
> 
> The irq_pending code is adding extra-check. But I guess we don't care
> for domain destruction?

I don't think so.

Ian.