Re: [PATCH 1/2] x86: correct is_pv_domain() when !CONFIG_PV

From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>
Subject: Re: [PATCH 1/2] x86: correct is_pv_domain() when !CONFIG_PV
Date: Mon, 12 Apr 2021 11:34:31 +0200	[thread overview]
Message-ID: <YHQUJw8H2tgNy5iY@Air-de-Roger> (raw)
In-Reply-To: <54013074-1fc4-1047-0d00-2762fcbc9ade@suse.com>

On Fri, Nov 27, 2020 at 05:54:57PM +0100, Jan Beulich wrote:
> On x86, idle and other system domains are implicitly PV. While I
> couldn't spot any cases where this is actively a problem, some cases
> required quite close inspection to be certain there couldn't e.g. be
> some ASSERT_UNREACHABLE() that would trigger in this case. Let's be on
> the safe side and make sure these always have is_pv_domain() returning
> true.
> 
> For the build to still work, this requires a few adjustments elsewhere.
> In particular is_pv_64bit_domain() now gains a CONFIG_PV dependency,
> which means that is_pv_32bit_domain() || is_pv_64bit_domain() is no
> longer guaranteed to be the same as is_pv_domain().
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> --- a/xen/arch/x86/dom0_build.c
> +++ b/xen/arch/x86/dom0_build.c
> @@ -568,7 +568,7 @@ int __init construct_dom0(struct domain
>  
>      if ( is_hvm_domain(d) )
>          rc = dom0_construct_pvh(d, image, image_headroom, initrd, cmdline);
> -    else if ( is_pv_domain(d) )
> +    else if ( is_pv_64bit_domain(d) || is_pv_32bit_domain(d) )

Urg, that's very confusing IMO, as I'm sure I would ask someone to
just use is_pv_domain without realizing. It needs at least a comment,
but even then I'm not sure I like it.

So that I understand it, the point to use those expressions instead of
is_pv_domain is to avoid calling dom0_construct_pv when CONFIG_PV is
not enabled?

Maybe it wold be better to instead use:

if ( IS_ENABLED(CONFIG_PV) && is_pv_domain(d) )

In any case I wonder if we should maybe aim to introduce a new type
for system domains, that's neither PV or HVM, in order to avoid having
system domains qualified as PV even when PV is compiled out.

>          rc = dom0_construct_pv(d, image, image_headroom, initrd, cmdline);
>      else
>          panic("Cannot construct Dom0. No guest interface available\n");
> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -1544,6 +1544,7 @@ arch_do_vcpu_op(
>   */
>  static void load_segments(struct vcpu *n)
>  {
> +#ifdef CONFIG_PV
>      struct cpu_user_regs *uregs = &n->arch.user_regs;
>      unsigned long gsb = 0, gss = 0;
>      bool compat = is_pv_32bit_vcpu(n);
> @@ -1709,6 +1710,7 @@ static void load_segments(struct vcpu *n
>          regs->cs            = FLAT_KERNEL_CS;
>          regs->rip           = pv->failsafe_callback_eip;
>      }
> +#endif
>  }
>  
>  /*
> @@ -1723,6 +1725,7 @@ static void load_segments(struct vcpu *n
>   */
>  static void save_segments(struct vcpu *v)
>  {
> +#ifdef CONFIG_PV
>      struct cpu_user_regs *regs = &v->arch.user_regs;
>  
>      read_sregs(regs);
> @@ -1748,6 +1751,7 @@ static void save_segments(struct vcpu *v
>          else
>              v->arch.pv.gs_base_user = gs_base;
>      }
> +#endif
>  }

Could you move {load,save}_segments to pv/domain.c and rename to
pv_{load,save}_segments and provide a dummy handler for !CONFIG_PV in
pv/domain.h?

Sorry it's slightly more work, but I think it's cleaner overall.

>  
>  void paravirt_ctxt_switch_from(struct vcpu *v)
> --- a/xen/arch/x86/domctl.c
> +++ b/xen/arch/x86/domctl.c
> @@ -408,13 +408,13 @@ long arch_do_domctl(
>      case XEN_DOMCTL_set_address_size:
>          if ( is_hvm_domain(d) )
>              ret = -EOPNOTSUPP;
> +        else if ( is_pv_64bit_domain(d) && domctl->u.address_size.size == 32 )
> +            ret = switch_compat(d);
>          else if ( is_pv_domain(d) )
>          {
>              if ( ((domctl->u.address_size.size == 64) && !d->arch.pv.is_32bit) ||
>                   ((domctl->u.address_size.size == 32) &&  d->arch.pv.is_32bit) )
>                  ret = 0;
> -            else if ( domctl->u.address_size.size == 32 )
> -                ret = switch_compat(d);
>              else
>                  ret = -EINVAL;
>          }
> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -985,7 +985,7 @@ static always_inline bool is_control_dom
>  
>  static always_inline bool is_pv_domain(const struct domain *d)
>  {
> -    return IS_ENABLED(CONFIG_PV) &&
> +    return IS_ENABLED(CONFIG_X86) &&
>          evaluate_nospec(!(d->options & XEN_DOMCTL_CDF_hvm));
>  }
>  
> @@ -1011,7 +1011,7 @@ static always_inline bool is_pv_32bit_vc
>  
>  static always_inline bool is_pv_64bit_domain(const struct domain *d)
>  {
> -    if ( !is_pv_domain(d) )
> +    if ( !IS_ENABLED(CONFIG_PV) || !is_pv_domain(d) )
>          return false;

I think overall is confusing to have a domain that returns true for
is_pv_domain but false for both is_pv_{64,32}bit_domain checks.

I know those are only the system domains, but it feels confusing and
could cause mistakes in the future IMO, as then we would have to
carefully think where to use ( is_pv_64bit_domain(d)
|| is_pv_32bit_domain(d) ) vs just using is_pv_domain(d), or
IS_ENABLED(CONFIG_PV) && is_pv_domain(d)

Thanks, Roger.