From: Tamas K Lengyel <tamas@tklengyel.com>
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: Petre Pircalabu <ppircalabu@bitdefender.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Julien Grall <julien@xen.org>, Wei Liu <wl@xen.org>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
George Dunlap <george.dunlap@citrix.com>,
Jan Beulich <jbeulich@suse.com>,
Alexandru Isaila <aisaila@bitdefender.com>,
Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH v2 for-4.14 3/3] xen/vm_event: Add safe to disable vm_event
Date: Tue, 2 Jun 2020 07:06:21 -0600 [thread overview]
Message-ID: <CABfawhk0kySfAKTGzXPo1OZWUn4ZoRSwSfBLR5DK_hwCAm=snA@mail.gmail.com> (raw)
In-Reply-To: <20200602125433.GY1195@Air-de-Roger>
On Tue, Jun 2, 2020 at 6:54 AM Roger Pau Monné <roger.pau@citrix.com> wrote:
>
> On Wed, May 20, 2020 at 08:31:54PM -0600, Tamas K Lengyel wrote:
> > Instead of having to repeatedly try to disable vm_events,
>
> Why not use a hypercall continuation instead so that this is all
> hidden from the caller?
>
> I take that the current interface requires the user to repeatedly
> issue hypercalls in order to disable vm_events until one of those
> succeeds?
No, it succeeds right away. And then the guest crashes in unique and
unpredictable ways.
>
> > request a specific
> > vm_event to be sent when the domain is safe to continue with shutting down
> > the vm_event interface.
> >
> > Signed-off-by: Tamas K Lengyel <tamas@tklengyel.com>
> > ---
> > xen/arch/x86/hvm/hvm.c | 38 ++++++++++++++++++++++++++-----
> > xen/arch/x86/hvm/monitor.c | 14 ++++++++++++
> > xen/arch/x86/monitor.c | 13 +++++++++++
> > xen/include/asm-x86/domain.h | 1 +
> > xen/include/asm-x86/hvm/monitor.h | 1 +
> > xen/include/public/domctl.h | 2 ++
> > xen/include/public/vm_event.h | 8 +++++++
> > 7 files changed, 71 insertions(+), 6 deletions(-)
> >
> > diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> > index e6780c685b..fc7e1e2b22 100644
> > --- a/xen/arch/x86/hvm/hvm.c
> > +++ b/xen/arch/x86/hvm/hvm.c
> > @@ -563,15 +563,41 @@ void hvm_do_resume(struct vcpu *v)
> > v->arch.hvm.inject_event.vector = HVM_EVENT_VECTOR_UNSET;
> > }
> >
> > - if ( unlikely(v->arch.vm_event) && v->arch.monitor.next_interrupt_enabled )
> > + if ( unlikely(v->arch.vm_event) )
> > {
> > - struct x86_event info;
> > + struct domain *d = v->domain;
> > +
> > + if ( v->arch.monitor.next_interrupt_enabled )
> > + {
> > + struct x86_event info;
> > +
> > + if ( hvm_get_pending_event(v, &info) )
> > + {
> > + hvm_monitor_interrupt(info.vector, info.type, info.error_code,
> > + info.cr2);
> > + v->arch.monitor.next_interrupt_enabled = false;
> > + }
> > + }
> >
> > - if ( hvm_get_pending_event(v, &info) )
> > + if ( d->arch.monitor.safe_to_disable )
> > {
> > - hvm_monitor_interrupt(info.vector, info.type, info.error_code,
> > - info.cr2);
> > - v->arch.monitor.next_interrupt_enabled = false;
> > + const struct vcpu *check_vcpu;
> > + bool pending_op = false;
> > +
> > + for_each_vcpu ( d, check_vcpu )
> > + {
> > + if ( vm_event_check_pending_op(check_vcpu) )
>
> Don't you need some kind of lock here, since you are poking at another
> vCPU which could be modifying any of those bits?
>
> > + {
> > + pending_op = true;
> > + break;
> > + }
> > + }
> > +
> > + if ( !pending_op )
> > + {
> > + hvm_monitor_safe_to_disable();
> > + d->arch.monitor.safe_to_disable = false;
> > + }
> > }
> > }
> > }
> > diff --git a/xen/arch/x86/hvm/monitor.c b/xen/arch/x86/hvm/monitor.c
> > index f5d89e71d1..75fd1a4b68 100644
> > --- a/xen/arch/x86/hvm/monitor.c
> > +++ b/xen/arch/x86/hvm/monitor.c
> > @@ -300,6 +300,20 @@ bool hvm_monitor_check_p2m(unsigned long gla, gfn_t gfn, uint32_t pfec,
> > return monitor_traps(curr, true, &req) >= 0;
> > }
> >
> > +void hvm_monitor_safe_to_disable(void)
> > +{
> > + struct vcpu *curr = current;
> > + struct arch_domain *ad = &curr->domain->arch;
>
> const
>
> > + vm_event_request_t req = {};
> > +
> > + if ( !ad->monitor.safe_to_disable )
> > + return;
>
> Should this rather be an ASSERT? I don't think you are supposed to
> call hvm_monitor_safe_to_disable when the bit is not set?
>
> > +
> > + req.reason = VM_EVENT_REASON_SAFE_TO_DISABLE;
>
> I think you cat set the field at definition time.
>
> > +
> > + monitor_traps(curr, 0, &req);
> > +}
> > +
> > /*
> > * Local variables:
> > * mode: C
> > diff --git a/xen/arch/x86/monitor.c b/xen/arch/x86/monitor.c
> > index 1517a97f50..86e0ba2fbc 100644
> > --- a/xen/arch/x86/monitor.c
> > +++ b/xen/arch/x86/monitor.c
> > @@ -339,6 +339,19 @@ int arch_monitor_domctl_event(struct domain *d,
> > break;
> > }
> >
> > + case XEN_DOMCTL_MONITOR_EVENT_SAFE_TO_DISABLE:
> > + {
> > + bool old_status = ad->monitor.safe_to_disable;
> > +
> > + if ( unlikely(old_status == requested_status) )
> > + return -EEXIST;
> > +
> > + domain_pause(d);
> > + ad->monitor.safe_to_disable = requested_status;
>
> Maybe I'm missing something, but I don't see any check that others
> events are disabled before safe_to_disable is set?
>
> In the same way, you should prevent setting any events when
> safe_to_disable is set IMO, likely returning -EBUSY in both cases.
>
> Thanks, Roger.
Thanks for the feedback again. I won't have the bandwidth to address
these so I'm dropping this patch. If Bitdefender is so inclined to
pick-up later they are welcome to do so. This is only needed if their
buggy feature is enabled.
Tamas
next prev parent reply other threads:[~2020-06-02 13:07 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-21 2:31 [PATCH v2 for-4.14 0/3] vm_event: fix race-condition when disabling monitor events Tamas K Lengyel
2020-05-21 2:31 ` [PATCH v2 for-4.14 1/3] xen/monitor: Control register values Tamas K Lengyel
2020-06-02 11:08 ` Roger Pau Monné
2020-06-02 12:40 ` Tamas K Lengyel
2020-06-02 12:47 ` Jan Beulich
2020-06-02 12:51 ` Tamas K Lengyel
2020-06-02 13:00 ` Jan Beulich
2020-06-02 13:10 ` Tamas K Lengyel
2020-06-03 8:04 ` Roger Pau Monné
2020-06-02 13:01 ` Roger Pau Monné
2020-06-02 13:04 ` Jan Beulich
2020-06-02 13:07 ` Tamas K Lengyel
2020-06-02 13:09 ` Tamas K Lengyel
2020-05-21 2:31 ` [PATCH v2 for-4.14 2/3] xen/vm_event: add vm_event_check_pending_op Tamas K Lengyel
2020-06-02 11:47 ` Roger Pau Monné
2020-06-02 11:50 ` Jan Beulich
2020-06-02 12:43 ` Tamas K Lengyel
2020-05-21 2:31 ` [PATCH v2 for-4.14 3/3] xen/vm_event: Add safe to disable vm_event Tamas K Lengyel
2020-06-02 12:54 ` Roger Pau Monné
2020-06-02 13:06 ` Tamas K Lengyel [this message]
2020-06-01 18:58 ` [PATCH v2 for-4.14 0/3] vm_event: fix race-condition when disabling monitor events Tamas K Lengyel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABfawhk0kySfAKTGzXPo1OZWUn4ZoRSwSfBLR5DK_hwCAm=snA@mail.gmail.com' \
--to=tamas@tklengyel.com \
--cc=aisaila@bitdefender.com \
--cc=andrew.cooper3@citrix.com \
--cc=george.dunlap@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=ppircalabu@bitdefender.com \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.