From: Vijay Kilari <vijay.kilari@gmail.com>
To: Julien Grall <julien.grall@citrix.com>
Cc: Ian Campbell <Ian.Campbell@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Prasun Kapoor <Prasun.Kapoor@caviumnetworks.com>,
manish.jaggi@caviumnetworks.com, Tim Deegan <tim@xen.org>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Stefano Stabellini <stefano.stabellini@citrix.com>,
Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>
Subject: Re: [PATCH v5 12/22] xen/arm: ITS: Add GICR register emulation
Date: Mon, 3 Aug 2015 15:06:54 +0530 [thread overview]
Message-ID: <CALicx6t-qMk0pCbd63R5aYjiah+PZjZ+9oxXyWrSzbGF0XCxLg@mail.gmail.com> (raw)
In-Reply-To: <55BCEB05.5010002@citrix.com>
On Sat, Aug 1, 2015 at 9:21 PM, Julien Grall <julien.grall@citrix.com> wrote:
> Hi Vijay,
>
> On 01/08/2015 11:25, Vijay Kilari wrote:
>>>
>>> I guess you mean vgic_enable_irqs? And no what you've implemented is
>>> definitely not the same as vgic_enable_irqs.
>>>
>>> vgic_enable_irqs is locking the pending_irq structure using the vgic
>>> lock of the targeting VCPU (see v_target = ... ->get_target_cpu(...)).
>>>
>>> Here, you are locking with the current vCPU, i.e the vCPU which wrote
>>> into the LPI property table.
>>>
>>> All the vGIC code is doing the same, so using the wrong locking won't
>>> protect this structure.
>>
>>
>> With just vlpi, we cannot get target vcpu without devid. Now
>> question is there a
>> need to call gic_raise_guest_irq() for inflight LPIs?
>
>
> Yes it's necessary. Physical LPIs can come up at any time before the guest
> enables the virtual LPI. This is because we enable the physical LPIs and
> route to the guest as soon as the device is assigned to it. You may be
> interesting by the reading of [1].
>
> You will have to find a way to get the correct vCPU because this may occur
> more often than you think.
>
One possible way that I can think of is
In MAPVI command is sent by guest, we know vlpi. Store col_id in the
pending_irq structure
for the vLPI and use this collection id to retrieve correct vCPU on
which we can take vgic lock.
>>>>>
>>>>>> + id_bits = ((vits->propbase & GICR_PROPBASER_IDBITS_MASK) + 1);
>>>>>> +
>>>>>> + if ( id_bits > d->arch.vgic.id_bits )
>>>>>> + id_bits = d->arch.vgic.id_bits;
>>>>>
>>>>>
>>>>> As said on v4, you are allowing the possibility to have a smaller
>>>>> property table than the effective number of LPIs.
>>>>>
>>>>> An ASSERT in vits_get_priority (patch #16) doesn't ensure the validity
>>>>> of the size of the property table provided by the guest. This will
>>>>> surely crash Xen in debug mode, and who knows what will happen in
>>>>> production mode.
>>>>
>>>>
>>>> lpi_size is calculated based on id_bits. If it is smaller, the
>>>> lpi_size will be
>>>> smaller where only size of lpi_size is considered.
>>>
>>>
>>> Where id_bits is based on what the guest provides in GICR_PROPBASER.
>>> Although the guest, malicious or not, can decide to setup this id_bits
>>> smaller than the number of vLPIs effectively supported by the gic-v3.
>>>
>>> In this case, if a vLPI higher than this number is injected you will hit
>>> the ASSERT(vlpi < vits->prop_size) in vits_get_priority. A guest
>>> *should* not be able to crash Xen because it decides to send valid input.
>>>
>>
>> From 8.11.19, if id_bits is < 8192 (as below statement), GIC treats
>> LPIs as out of range.
>
>
> When you quote the spec, please give both the section and which spec. I have
> about 5 different docs for the GICv3, and I had to guess which one you were
> using.
>
>>
>> "If the value of this field is less than 0b1101, indicating that the
>> largest interrupt ID is less than 8192
>> (the smallest LPI interrupt ID), the GIC will behave as if all
>> physical LPIs are out of range."
>
>
> Thank you for the quoting. I helps me to not a latent bug in your LPI
> property table emulation. I should have read more carefully the spec.
>
> The field IDBits gives you the number of interrupt ID bits supported. The
> LPI property table size is only describing the LPI, i.e the offset 0 of the
> table is the IntID 8192.
>
> So when you compute the size of the table, you have to substract 8192.
> Otherwise you will remove 2 4KB pages from the guest which could be used by
> it. You will also, possible Xen unsafe as we may read out of the pending IRQ
> array (we are trusting the handler to be registered on valid input).
>
>> Based on this, we should make a check on this GICR_PROPBASER.id_bits
>> before injecting LPI to domain when LPI is received.
>
>
> And doing what? The paragraph you quote doesn't say anything on what happen
> when the LPI interrupt ID is higher than the number of bits. It only explain
> what happen the this number if higher and smaller than a bound.
My intention was to convey that any LPI interrupt ID outside of number
of ID bits
set in GICR_PROPBASER.id_bits is treated by GIC as out of range.
Also the GICR_PROPBASER.id_bits should be more than 13.
So three cases are
1) If GICR_PROPBASER.id_bits is greater vgic.id_bits
then we can limit LPI property table size to vgic.id_bits
2) If GICR_PROPBASER.id_bits is greater than 13 and less than vgic.id_bits
then we can limit vgic.id_bits to GICR_PROPBASER.id_bits and LPI property table
size to GICR_PROPBASER.id_bits
3) If GIC_PROPBASER.id_bits is less than 13
then we can limit vgic.id_bits to GIC_PROPBASER.id_bits and disable LPI support
for the guest by setting.
OR do not allow any guest that is setting GICR_PROPBASER.id_bits less than
vgic.id_bits
>
> What would happen if the LPI is injected before the GICR_PROPBASER is
> enabled? See for more details on the problem here [1]
Check is required before accessing LPI property table if property
table is available
or not?.
>
> I think, you just have to make sure that the function reading the priority
> (i.e vits_get_priority) is not trying to read out of the array and return a
> dummy value (??).
>
>>>> I added it because, after updating my Linux kernel driver, I see that it
>>>> is making 32-bit access to TYPER register
>>>
>>>
>>> This change should go in a separate patch then. It's not related to this
>>> patch.
>>
>>
>> Why separate patch?. This change could be part of GICR* reg emulation
>> done for LPI
>
>
> Because this change is not part of the re-distributor emulation done for
> LPI. You don't even mention it in your commit message. I discovered it by
> comparing on what you did with the previous version.
>
> Furthermore, as said earlier, if you handle 32-bit access for GICR_TYPER you
> have to do it for every others registers.
>
> Anyway, I will send a patch myself to handle 32-bit access on 64-bit
> registers.
>
> Regards,
>
> [1]
> http://lists.xenproject.org/archives/html/xen-devel/2015-06/msg02591.html
>
> --
> Julien Grall
next prev parent reply other threads:[~2015-08-03 9:36 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-27 11:11 [PATCH v5 00/22] Add ITS support vijay.kilari
2015-07-27 11:11 ` [PATCH v5 01/22] xen/arm: Return success if dt node does not have irq mapping vijay.kilari
2015-07-28 13:13 ` Julien Grall
2015-07-28 13:23 ` Ian Campbell
2015-07-28 13:27 ` Julien Grall
2015-09-02 15:25 ` Ian Campbell
2015-07-27 11:11 ` [PATCH v5 02/22] xen/arm: Add bitmap_find_next_zero_area helper function vijay.kilari
2015-08-11 13:53 ` Jan Beulich
2015-07-27 11:11 ` [PATCH v5 03/22] xen: Add log2 functionality vijay.kilari
2015-07-27 11:11 ` [PATCH v5 04/22] xen/arm: Set nr_cpu_ids to available number of cpus vijay.kilari
2015-07-28 13:21 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 05/22] xen/arm: ITS: Port ITS driver to Xen vijay.kilari
2015-07-28 16:46 ` Julien Grall
2015-07-29 15:22 ` Vijay Kilari
2015-07-29 16:06 ` Ian Campbell
2015-07-29 16:18 ` Vijay Kilari
2015-07-31 10:28 ` Vijay Kilari
2015-07-31 11:10 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 06/22] xen/arm: ITS: Add helper functions to manage its_devices vijay.kilari
2015-07-27 11:11 ` [PATCH v5 07/22] xen/arm: ITS: Add virtual ITS driver vijay.kilari
2015-07-28 17:13 ` Julien Grall
2015-07-31 6:49 ` Vijay Kilari
2015-07-31 10:14 ` Julien Grall
2015-07-31 10:32 ` Ian Campbell
2015-07-27 11:11 ` [PATCH v5 08/22] xen/arm: ITS: Add virtual ITS commands support vijay.kilari
2015-07-28 18:04 ` Julien Grall
2015-07-31 6:57 ` Vijay Kilari
2015-07-31 10:16 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 09/22] xen/arm: ITS: Export ITS info to Virtual ITS vijay.kilari
2015-07-28 18:14 ` Julien Grall
2015-07-31 7:01 ` Vijay Kilari
2015-08-03 15:58 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 10/22] xen/arm: ITS: Add GITS registers emulation vijay.kilari
2015-07-28 19:01 ` Julien Grall
2015-07-31 7:25 ` Vijay Kilari
2015-07-31 10:28 ` Julien Grall
2015-08-01 8:50 ` Vijay Kilari
2015-08-03 11:19 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 11/22] xen/arm: ITS: Enable physical and virtual ITS driver compilation vijay.kilari
2015-07-27 11:11 ` [PATCH v5 12/22] xen/arm: ITS: Add GICR register emulation vijay.kilari
2015-07-30 17:04 ` Julien Grall
2015-07-31 9:08 ` Vijay Kilari
2015-07-31 11:05 ` Julien Grall
2015-08-01 10:25 ` Vijay Kilari
2015-08-01 15:51 ` Julien Grall
2015-08-03 9:36 ` Vijay Kilari [this message]
2015-08-03 13:01 ` Julien Grall
2015-08-03 13:51 ` Vijay Kilari
2015-08-03 13:58 ` Julien Grall
2015-08-04 6:55 ` Vijay Kilari
2015-08-04 8:44 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 13/22] xen/arm: ITS: Implement gic_is_lpi helper function vijay.kilari
2015-07-30 17:14 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 14/22] xen/arm: ITS: Allocate irq descriptors for LPIs vijay.kilari
2015-08-04 13:21 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 15/22] xen/arm: ITS: implement hw_irq_controller " vijay.kilari
2015-08-04 13:45 ` Julien Grall
2015-08-06 8:15 ` Vijay Kilari
2015-08-06 10:05 ` Julien Grall
2015-08-06 10:11 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 16/22] xen/arm: ITS: Route LPIs vijay.kilari
2015-08-04 14:54 ` Julien Grall
2015-07-27 11:11 ` [PATCH v5 17/22] xen/arm: ITS: Initialize physical ITS vijay.kilari
2015-08-17 19:00 ` Julien Grall
2015-07-27 11:12 ` [PATCH v5 18/22] xen/arm: ITS: Add domain specific ITS initialization vijay.kilari
2015-08-17 18:57 ` Julien Grall
2015-07-27 11:12 ` [PATCH v5 19/22] xen/arm: ITS: Add APIs to add and assign device vijay.kilari
2015-08-17 19:17 ` Julien Grall
2015-07-27 11:12 ` [PATCH v5 20/22] xen/arm: ITS: Map ITS translation space vijay.kilari
2015-08-17 19:20 ` Julien Grall
2015-08-18 19:14 ` Julien Grall
2015-08-18 22:37 ` Marc Zyngier
2015-09-02 15:45 ` Ian Campbell
2015-09-02 15:59 ` Marc Zyngier
2015-07-27 11:12 ` [PATCH v5 21/22] xen/arm: ITS: Generate ITS node for Dom0 vijay.kilari
2015-08-17 19:41 ` Julien Grall
2015-08-21 23:02 ` Vijay Kilari
2015-08-21 23:48 ` Julien Grall
2015-08-26 12:40 ` Vijay Kilari
2015-08-27 0:02 ` Julien Grall
2015-07-27 11:12 ` [PATCH v5 22/22] xen/arm: ITS: Add pci devices in ThunderX vijay.kilari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALicx6t-qMk0pCbd63R5aYjiah+PZjZ+9oxXyWrSzbGF0XCxLg@mail.gmail.com \
--to=vijay.kilari@gmail.com \
--cc=Ian.Campbell@citrix.com \
--cc=Prasun.Kapoor@caviumnetworks.com \
--cc=Vijaya.Kumar@caviumnetworks.com \
--cc=julien.grall@citrix.com \
--cc=manish.jaggi@caviumnetworks.com \
--cc=stefano.stabellini@citrix.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).