Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held

From: Julien Grall <julien@xen.org>
To: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Ian Jackson <iwj@xenproject.org>, Wei Liu <wl@xen.org>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Tamas K Lengyel <lengyelt@ainfosec.com>,
	Petre Ovidiu PIRCALABU <ppircalabu@bitdefender.com>,
	Alexandru Isaila <aisaila@bitdefender.com>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH v3 5/5] evtchn: don't call Xen consumer callback with per-channel lock held
Date: Fri, 4 Dec 2020 11:28:59 +0000	[thread overview]
Message-ID: <1a8250f5-ea49-ac3a-e992-be7ec40deba9@xen.org> (raw)
In-Reply-To: <7a768bcd-80c1-d193-8796-7fb6720fa22a@suse.com>

Hi Jan,

On 03/12/2020 10:09, Jan Beulich wrote:
> On 02.12.2020 22:10, Julien Grall wrote:
>> On 23/11/2020 13:30, Jan Beulich wrote:
>>> While there don't look to be any problems with this right now, the lock
>>> order implications from holding the lock can be very difficult to follow
>>> (and may be easy to violate unknowingly). The present callbacks don't
>>> (and no such callback should) have any need for the lock to be held.
>>>
>>> However, vm_event_disable() frees the structures used by respective
>>> callbacks and isn't otherwise synchronized with invocations of these
>>> callbacks, so maintain a count of in-progress calls, for evtchn_close()
>>> to wait to drop to zero before freeing the port (and dropping the lock).
>>
>> AFAICT, this callback is not the only place where the synchronization is
>> missing in the VM event code.
>>
>> For instance, vm_event_put_request() can also race against
>> vm_event_disable().
>>
>> So shouldn't we handle this issue properly in VM event?
> 
> I suppose that's a question to the VM event folks rather than me?

Yes. From my understanding of Tamas's e-mail, they are relying on the 
monitoring software to do the right thing.

I will refrain to comment on this approach. However, given the race is 
much wider than the event channel, I would recommend to not add more 
code in the event channel to deal with such problem.

Instead, this should be fixed in the VM event code when someone has time 
to harden the subsystem.

> 
>>> ---
>>> Should we make this accounting optional, to be requested through a new
>>> parameter to alloc_unbound_xen_event_channel(), or derived from other
>>> than the default callback being requested?
>>
>> Aside the VM event, do you see any value for the other caller?
> 
> No (albeit I'm not entirely certain about vpl011_notification()'s
> needs), hence the consideration. It's unnecessary overhead in
> those cases.

I had another look and I think there is a small race in VPL011. It 
should be easy to fix (I will try to have a look later today).

> 
>>> @@ -781,9 +786,15 @@ int evtchn_send(struct domain *ld, unsig
>>>            rport = lchn->u.interdomain.remote_port;
>>>            rchn  = evtchn_from_port(rd, rport);
>>>            if ( consumer_is_xen(rchn) )
>>> +        {
>>> +            /* Don't keep holding the lock for the call below. */
>>> +            atomic_inc(&rchn->u.interdomain.active_calls);
>>> +            evtchn_read_unlock(lchn);
>>>                xen_notification_fn(rchn)(rd->vcpu[rchn->notify_vcpu_id], rport);
>>> -        else
>>> -            evtchn_port_set_pending(rd, rchn->notify_vcpu_id, rchn);
>>
>> atomic_dec() doesn't contain any memory barrier, so we will want one
>> between xen_notification_fn() and atomic_dec() to avoid re-ordering.
> 
> Oh, indeed. But smp_mb() is too heavy handed here - x86 doesn't
> really need any barrier, yet would gain a full MFENCE that way.
> Actually - looks like I forgot we gained smp_mb__before_atomic()
> a little over half a year ago.

Ah yes, I forgot that atomics instruction are ordered on x86.

Cheers,

-- 
Julien Grall