From: Julien Grall <julien@xen.org>
To: Penny Zheng <Penny.Zheng@arm.com>, xen-devel@lists.xenproject.org
Cc: nd@arm.com, Stefano Stabellini <sstabellini@kernel.org>,
Bertrand Marquis <bertrand.marquis@arm.com>,
Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Subject: Re: [PATCH v1 13/13] xen/arm: unmap foreign memory mapping when destroyed domain is owner domain
Date: Sat, 9 Apr 2022 10:44:36 +0100 [thread overview]
Message-ID: <8808802f-feca-bd21-8bbe-ba4f1b9ce5f1@xen.org> (raw)
In-Reply-To: <20220311061123.1883189-14-Penny.Zheng@arm.com>
Hi,
On 11/03/2022 06:11, Penny Zheng wrote:
> From: Penny Zheng <penny.zheng@arm.com>
>
> When destroyed domain is an owner domain of a static shared memory
> region, then we need to ensure that all according borrower domains
> shall not have the access to this static shared memory region too.
As Stefano wrote, I don't think this is necessary. The page reference
accounting will keep the page alive until everyone have released the page.
So can you explain why you want to do that?
>
> This commit covers above scenario through unmapping all borrowers'
> according foreign memory mapping when destroyed domain is a owner
> domain of a static shared memory region.
>
> NOTE: It will best for users to destroy all borrowers before the owner
> domain in case encountering data abort when accidentally accessing
> the static shared memory region.
>
> Signed-off-by: Penny Zheng <penny.zheng@arm.com>
> ---
> xen/arch/arm/domain.c | 88 ++++++++++++++++++++++++++++++++++---------
> 1 file changed, 71 insertions(+), 17 deletions(-)
>
> diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
> index 73ffbfb918..8f4a8dcbfc 100644
> --- a/xen/arch/arm/domain.c
> +++ b/xen/arch/arm/domain.c
> @@ -998,10 +998,39 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list)
> }
>
> #ifdef CONFIG_STATIC_SHM
> +static int destroy_shm(struct domain *d, gfn_t gfn, unsigned long nr_gfns)
If you still plan to go ahead with this approach, then I would prefer if
this function is created in patch #8. This will help to reduce the churn
in this patch.
[...]
> - for ( j = 0; j < nr_gfns; j++ )
> + if ( test_bit(shm_id, shm_list_mask) )
> {
> - mfn_t mfn;
> -
> - mfn = gfn_to_mfn(d, gfn_add(gfn, j));
> - if ( !mfn_valid(mfn) )
> + domid_t od = shm_list[shm_id].owner_dom;
> + unsigned long j;
> + /*
> + * If it is a owner domain, then after it gets destroyed,
> + * static shared memory region shall be unaccessible to all
> + * borrower domains too.
> + */
> + if ( d->domain_id == od )
> {
> - dprintk(XENLOG_ERR,
> - "Domain %pd page number %lx invalid.\n",
> - d, gfn_x(gfn) + i);
> - return -EINVAL;
> + struct domain *bd;
> +
> + for ( j = 0; j < shm_list[shm_id].nr_borrower; j++ )
> + {
> + bd = get_domain_by_id(shm_list[shm_id].borrower_dom[j]);
> + /*
> + * borrower domain could be dead already, in such case
> + * no need to do the unmapping.
The domain ID could have been re-used. So it is not enough to lookup for
the ID.
> + */
> + if ( bd != NULL )
> + {
> + gfn_t b_gfn = gaddr_to_gfn(
> + shm_list[shm_id].borrower_gbase[j]);
> + ret = destroy_shm(bd, b_gfn, nr_gfns);
> + if ( ret )
> + dprintk(XENLOG_ERR,
> + "Domain %pd: failed to destroy static shared memory.\n",
> + bd);
In the commit message, you wrote you want to remove the pages from the
borrower. But here, you will ignore a failure and continue to destroy
the owner like nothing happened.
If you are concerned that the borrower can still use the pages. Then we
should make sure that they are removed in every cases.
However, I think the code is going to quite complex. So I think we
should consider to do nothing here and let the borrower use the pages
until they die.
Potentially, we could notify the borrowers that the owner died so they
can decide to remove/shutdown themself. Of course, it would mean we are
relying on the borrowers to be nice. An alternative would be to destroy
them.
Cheers,
--
Julien Grall
prev parent reply other threads:[~2022-04-09 9:45 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-11 6:11 [PATCH v1 00/13] Static shared memory on dom0less system Penny Zheng
2022-03-11 6:11 ` [PATCH v1 01/13] xen/arm: introduce static shared memory Penny Zheng
2022-03-18 1:59 ` Stefano Stabellini
2022-03-11 6:11 ` [PATCH v1 02/13] xen/arm: introduce a special domain DOMID_SHARED Penny Zheng
2022-03-18 1:59 ` Stefano Stabellini
2022-03-18 6:43 ` Penny Zheng
2022-03-18 22:02 ` Stefano Stabellini
2022-03-18 8:53 ` Jan Beulich
2022-03-18 21:50 ` Stefano Stabellini
2022-03-21 8:48 ` Jan Beulich
2022-03-21 20:03 ` Stefano Stabellini
2022-04-09 9:11 ` Julien Grall
2022-04-15 8:08 ` Penny Zheng
2022-04-15 22:18 ` Stefano Stabellini
2022-04-15 23:45 ` Julien Grall
2022-03-18 22:20 ` Stefano Stabellini
2022-04-15 9:52 ` Penny Zheng
2022-04-15 23:34 ` Julien Grall
2022-04-19 8:10 ` Jan Beulich
2022-03-11 6:11 ` [PATCH v1 03/13] xen/arm: allocate static shared memory to dom_shared Penny Zheng
2022-03-18 1:59 ` Stefano Stabellini
2022-03-18 8:35 ` Penny Zheng
2022-03-18 22:27 ` Stefano Stabellini
2022-03-11 6:11 ` [PATCH v1 04/13] xen/arm: add P2M type parameter in guest_physmap_add_pages Penny Zheng
2022-03-11 6:11 ` [PATCH v1 05/13] xen/arm: introduce get_pages_from_gfn Penny Zheng
2022-03-11 6:11 ` [PATCH v1 06/13] xen/arm: set up shared memory foreign mapping for borrower domain Penny Zheng
2022-03-18 2:00 ` Stefano Stabellini
2022-03-29 3:44 ` Penny Zheng
2022-04-08 22:18 ` Stefano Stabellini
2022-04-08 22:50 ` Julien Grall
2022-04-08 23:18 ` Stefano Stabellini
2022-04-08 22:59 ` Julien Grall
2022-04-09 9:30 ` Julien Grall
2022-04-20 8:53 ` Penny Zheng
2022-04-20 8:51 ` Penny Zheng
2022-03-11 6:11 ` [PATCH v1 07/13] xen/arm: create shared memory nodes in guest device tree Penny Zheng
2022-03-18 2:00 ` Stefano Stabellini
2022-03-11 6:11 ` [PATCH v1 08/13] xen/arm: destroy static shared memory when de-construct domain Penny Zheng
2022-04-09 9:25 ` Julien Grall
2022-04-21 7:00 ` Penny Zheng
2022-03-11 6:11 ` [PATCH v1 09/13] xen/arm: enable statically shared memory on Dom0 Penny Zheng
2022-03-11 6:11 ` [PATCH v1 10/13] xen/arm: allocate static shared memory to a specific owner domain Penny Zheng
2022-03-18 2:00 ` Stefano Stabellini
2022-03-11 6:11 ` [PATCH v1 11/13] xen/arm: store shm-info for deferred foreign memory map Penny Zheng
2022-03-18 2:01 ` Stefano Stabellini
2022-03-29 8:37 ` Penny Zheng
2022-04-08 22:46 ` Stefano Stabellini
2022-04-09 9:14 ` Julien Grall
2022-03-11 6:11 ` [PATCH v1 12/13] xen/arm: defer foreign memory map in shm_init_late Penny Zheng
2022-03-11 6:11 ` [PATCH v1 13/13] xen/arm: unmap foreign memory mapping when destroyed domain is owner domain Penny Zheng
2022-04-09 9:44 ` Julien Grall [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8808802f-feca-bd21-8bbe-ba4f1b9ce5f1@xen.org \
--to=julien@xen.org \
--cc=Penny.Zheng@arm.com \
--cc=Volodymyr_Babchuk@epam.com \
--cc=bertrand.marquis@arm.com \
--cc=nd@arm.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.