Subject: Re: [PATCH 1/2] xen/arm: Convert runstate address during hypcall
From: Julien Grall
To: Stefano Stabellini
Cc: Roger Pau Monné, Wei Liu, Andrew Cooper, Ian Jackson, George Dunlap, Bertrand Marquis, Jan Beulich, xen-devel, nd, Volodymyr Babchuk, Julien Grall
Date: Fri, 12 Jun 2020 10:53:29 +0100
List-Id: Xen developer discussion (xen-devel@lists.xenproject.org)
References: <8b450dddb2c855225c97741dce66453a80b9add2.1591806713.git.bertrand.marquis@arm.com> <74475748-e884-1e6e-633d-bf67d5ed32fe@xen.org>

On 12/06/2020 02:09, Stefano Stabellini wrote:
>
> On Thu, 11 Jun 2020, Julien Grall wrote:
>> Hi Stefano,
>>
>> On 11/06/2020 19:50, Stefano Stabellini wrote:
>>> On Thu, 11 Jun 2020, Julien Grall wrote:
>>>>>> + return -EINVAL;
>>>>>> }
>>>>>>
>>>>>> - __copy_to_guest(runstate_guest(v), &runstate, 1);
>>>>>> + v->arch.runstate_guest.page = page;
>>>>>> + v->arch.runstate_guest.offset = offset;
>>>>>> +
>>>>>> + spin_unlock(&v->arch.runstate_guest.lock);
>>>>>> +
>>>>>> + return 0;
>>>>>> +}
>>>>>> +
>>>>>> +
>>>>>> +/* Update per-VCPU guest runstate shared memory area (if registered).
>>>>>> */
>>>>>> +static void update_runstate_area(struct vcpu *v)
>>>>>> +{
>>>>>> + struct vcpu_runstate_info *guest_runstate;
>>>>>> + void *p;
>>>>>> +
>>>>>> + spin_lock(&v->arch.runstate_guest.lock);
>>>>>>
>>>>>> - if ( guest_handle )
>>>>>> + if ( v->arch.runstate_guest.page )
>>>>>> {
>>>>>> - runstate.state_entry_time &= ~XEN_RUNSTATE_UPDATE;
>>>>>> + p = __map_domain_page(v->arch.runstate_guest.page);
>>>>>> + guest_runstate = p + v->arch.runstate_guest.offset;
>>>>>> +
>>>>>> + if ( VM_ASSIST(v->domain, runstate_update_flag) )
>>>>>> + {
>>>>>> + v->runstate.state_entry_time |= XEN_RUNSTATE_UPDATE;
>>>>>> + guest_runstate->state_entry_time |= XEN_RUNSTATE_UPDATE;
>>>>>
>>>>> I think that this write to guest_runstate should use write_atomic or
>>>>> another atomic write operation.
>>>>
>>>> I thought about suggesting the same, but guest_copy_* helpers may not
>>>> do a single memory write to state_entry_time.
>>>> What are you trying to prevent with the write_atomic()?
>>>
>>> I am thinking that without using an atomic write, it would be (at least
>>> theoretically) possible for a guest to see a partial write to
>>> state_entry_time, which is not good.
>>
>> It is already the case with the existing implementation as Xen may write
>> byte by byte. So are you suggesting the existing code is also buggy?

It looks like I may have misread the code as we only copy one byte. But I
still think this is fragile.
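Review bot: the last line of the hunk, `guest_runstate->state_entry_time |= XEN_RUNSTATE_UPDATE;`, is a read-modify-write on memory the guest shares with Xen, so it both folds guest-writable data back into the word and may be compiled into a store sequence a concurrently reading guest can observe half done; since the line just above it has already set the flag in `v->runstate.state_entry_time`, store that hypervisor-side value with `write_atomic(&guest_runstate->state_entry_time, v->runstate.state_entry_time);` instead, which makes the update a single word-sized store and never reads the shared word. The hunk ends before the field copy, the barrier and the final flag-clear store, so those are not visible for review here. Separately, the `return -EINVAL;` at the top of the hunk is inside the region the success path leaves with `spin_unlock(&v->arch.runstate_guest.lock);`; the hunk does not show whether the lock is already held at that point, and if it is, that error path needs the matching unlock.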
For this context, I agree that a write_atomic() should do the job. However,
I still want to answer your comments below.

>
> Writing byte by byte is a different case. That is OK. In that case, the
> guest could see the state after 3 bytes written and it would be fine and
> consistent.

Why? What actually prevents a guest from seeing an in-between value?

To give a concrete example, if the original value is 0xabc and you want to
write 0xdef, why would the guest never see 0xabf or 0xaec?

> If this hadn't been the case, then yes, the existing code
> would also be buggy.
>
> So if we did the write with a memcpy, it would be fine, no need for
> atomics:
>
>     memcpy(&guest_runstate->state_entry_time,
>            &v->runstate.state_entry_time,
>            XXX);
>
>
> The |= case is different: GCC could implement it in any way it likes,
> including going through a zero-write to any of the bytes in the word, or
> doing an addition then a subtraction. GCC doesn't make any guarantees.
> If we want guarantees we need to use atomics.

Yes, GCC can generate assembly for |= in any way it likes. But so can it
for memcpy(). So I still don't understand why one would be fine for you and
not the other...

Cheers,

-- 
Julien Grall
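The point both sides of the thread circle around is that the guest reads the shared runstate area concurrently, so the hypervisor's stores to state_entry_time must be single word-sized stores of a value it computed itself, never a `|=` or a byte-wise copy that can expose an in-between value. The following is an added, constructed example written for this reply (it is neither the patch's code nor Xen's): a user-space model of the update-flag protocol with a writer that raises the flag, copies the fields, and clears the flag with a new entry time, and a reader that retries if it catches the writer mid-update. The flag position (`RUNSTATE_UPDATE`, assumed here to be the top bit, standing in for `XEN_RUNSTATE_UPDATE`), the struct layout, and the use of C11 atomics and fences in place of Xen's `write_atomic()` and `smp_wmb()` are all assumptions of this example.

```c
/*
 * Constructed example (not code from the patch or from Xen): the
 * update-flag publication protocol, written so that every store to the
 * shared state_entry_time word is one aligned 64-bit store of a value the
 * writer computed, never a |= read-modify-write on memory the reader can
 * also read and write.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed flag position; stands in for XEN_RUNSTATE_UPDATE. */
#define RUNSTATE_UPDATE (UINT64_C(1) << 63)

/* The writer's private copy (plays the role of v->runstate). */
struct runstate_info {
    int state;
    uint64_t state_entry_time;
    uint64_t time[4];
};

/* The area shared with the reader (plays the role of guest_runstate). */
struct shared_runstate {
    _Atomic int state;
    _Atomic uint64_t state_entry_time;   /* RUNSTATE_UPDATE lives in the top bit */
    _Atomic uint64_t time[4];
};

bool update_in_progress(uint64_t state_entry_time)
{
    return (state_entry_time & RUNSTATE_UPDATE) != 0;
}

/* Writer, phase 1: raise the flag, then order that store before the field
 * stores that follow (the C11 release fence stands in for smp_wmb()). */
void runstate_update_begin(struct shared_runstate *s)
{
    uint64_t cur = atomic_load_explicit(&s->state_entry_time, memory_order_relaxed);
    /* One word-sized store of a writer-computed value: a reader sees the old
     * word or the new word, never bytes of both. */
    atomic_store_explicit(&s->state_entry_time, cur | RUNSTATE_UPDATE,
                          memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
}

/* Writer, phase 2: copy the fields, then publish the new entry time with the
 * flag clear; the release store makes the field stores visible first. */
void runstate_update_end(struct shared_runstate *s, const struct runstate_info *fresh)
{
    atomic_store_explicit(&s->state, fresh->state, memory_order_relaxed);
    for (int i = 0; i < 4; i++)
        atomic_store_explicit(&s->time[i], fresh->time[i], memory_order_relaxed);
    atomic_store_explicit(&s->state_entry_time,
                          fresh->state_entry_time & ~RUNSTATE_UPDATE,
                          memory_order_release);
}

/* Reader: take a snapshot. Returns false when the writer is mid-update or an
 * update completed underneath us; the caller simply retries. */
bool runstate_read(const struct shared_runstate *s, struct runstate_info *out)
{
    uint64_t before = atomic_load_explicit(&s->state_entry_time, memory_order_acquire);
    if (update_in_progress(before))
        return false;
    out->state = atomic_load_explicit(&s->state, memory_order_relaxed);
    for (int i = 0; i < 4; i++)
        out->time[i] = atomic_load_explicit(&s->time[i], memory_order_relaxed);
    atomic_thread_fence(memory_order_acquire);
    uint64_t after = atomic_load_explicit(&s->state_entry_time, memory_order_relaxed);
    if (after != before)
        return false;
    out->state_entry_time = before;
    return true;
}

int main(void)
{
    struct shared_runstate shared = {0};
    struct runstate_info fresh = { .state = 1, .state_entry_time = 1000,
                                   .time = { 10, 20, 30, 40 } };
    struct runstate_info snap;

    runstate_update_begin(&shared);
    bool mid = runstate_read(&shared, &snap);            /* false: flag is raised */
    runstate_update_end(&shared, &fresh);
    bool done = runstate_read(&shared, &snap);           /* true: consistent snapshot */
    printf("mid-update read ok? %d, after-update read ok? %d, state=%d entry=%llu\n",
           mid, done, snap.state, (unsigned long long)snap.state_entry_time);
    return 0;
}
```

The reader never trusts the field values it copied until it has re-read state_entry_time and found it unchanged and flag-clear, which is only meaningful if each store to that word is indivisible; that is the property `write_atomic()` gives on the Xen side and the property a `|=` on the shared word does not promise.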