From: Cornelia Huck <cohuck@redhat.com>
To: Halil Pasic <pasic@linux.ibm.com>
Cc: Pierre Morel <pmorel@linux.ibm.com>,
linux-s390@vger.kernel.org,
virtualization@lists.linux-foundation.org, kvm@vger.kernel.org
Subject: Re: [PATCH] virtio/s390: implement virtio-ccw revision 2 correctly
Date: Tue, 16 Feb 2021 11:39:07 +0100 [thread overview]
Message-ID: <20210216113907.4e6943a9.cohuck@redhat.com> (raw)
In-Reply-To: <20210215195144.7b96b41f.pasic@linux.ibm.com>
On Mon, 15 Feb 2021 19:51:44 +0100
Halil Pasic <pasic@linux.ibm.com> wrote:
> On Mon, 15 Feb 2021 12:47:02 +0100
> Cornelia Huck <cohuck@redhat.com> wrote:
>
> > On Fri, 12 Feb 2021 18:04:11 +0100
> > Cornelia Huck <cohuck@redhat.com> wrote:
> >
> > > CCW_CMD_READ_STATUS was introduced with revision 2 of virtio-ccw,
> > > and drivers should only rely on it being implemented when they
> > > negotiated at least that revision with the device.
> > >
> > > However, virtio_ccw_get_status() issued READ_STATUS for any
> > > device operating at least at revision 1. If the device accepts
> > > READ_STATUS regardless of the negotiated revision (which it is
> > > free to do),
> >
> > So, looking at the standard again, the device is actually required to
> > reject the READ_STATUS if only rev 1 had been negotiated... regardless
> > of that, I don't think we should change QEMU's behaviour, as it would
> > affect existing guests (they would lose access to the status bits as
> > observed by the device, including DEVICE_NEEDS_RESET.)
>
> Not only that, without READ_STATUS, we can't do device reset which
> is a prerequisite for a proper cleanup, as required by the spec.
>
> You certainly remember, the driver has may not assume the reset
> was performed (and thus virtqueues are not live) until it reads
> back status 0. But without READ_STATUS virtio_ccw_get_status() will
> keep returning the status the driver last set via
> virtio_ccw_set_status(). And CCW_CMD_VDEV_RESET is of course
> revision 1 material. This looks ugly!
Yes, that problem kind of cascades down.
>
> >
> > > everything works as intended; a device rejecting the
> > > command should also be handled gracefully. For correctness, we
> > > should really limit the command to revision 2 or higher, though.
> > >
> > > We also negotiated the revision to at most 1, as we never bumped
> > > the maximum revision; let's do that now.
> > >
> > > Fixes: 7d3ce5ab9430 ("virtio/s390: support READ_STATUS command for virtio-ccw")
> > > Signed-off-by: Cornelia Huck <cohuck@redhat.com>
> > > ---
> > >
> > > QEMU does not fence off READ_STATUS for revisions < 2, which is probably
> > > why we never noticed this. I'm not aware of other hypervisors that do
> > > fence it off, nor any that cannot deal properly with an unknown command.
> > >
> > > Not sure whether this is stable worthy?
> >
> > Maybe it is, given the MUST reject clause in the standard?
> >
>
> Yes, IMHO this must be backported. A device that ain't violating the
> spec would currently reject READ_STATUS. Which would break RESET_VDEV
> like I described above.
>
> Can we change that MUST to should? There are now good reasons for not
> doing like the spec says in case of READ_STATUS.
Yes. I'm not so sure forcing the device to reject the command was such
a good idea anyway, and relaxing the requirement keeps existing
implementations in compliance.
I've opened https://github.com/oasis-tcs/virtio-spec/issues/96 and will
send a patch for the spec later.
>
> > >
> > > ---
> > > drivers/s390/virtio/virtio_ccw.c | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c
> > > index 5730572b52cd..54e686dca6de 100644
> > > --- a/drivers/s390/virtio/virtio_ccw.c
> > > +++ b/drivers/s390/virtio/virtio_ccw.c
> > > @@ -117,7 +117,7 @@ struct virtio_rev_info {
> > > };
> > >
> > > /* the highest virtio-ccw revision we support */
> > > -#define VIRTIO_CCW_REV_MAX 1
> > > +#define VIRTIO_CCW_REV_MAX 2
> > >
> > > struct virtio_ccw_vq_info {
> > > struct virtqueue *vq;
> > > @@ -952,7 +952,7 @@ static u8 virtio_ccw_get_status(struct virtio_device *vdev)
> > > u8 old_status = vcdev->dma_area->status;
> > > struct ccw1 *ccw;
> > >
> > > - if (vcdev->revision < 1)
> > > + if (vcdev->revision < 2)
> > > return vcdev->dma_area->status;
>
> I don't think our faking of the status read (i.e. returning the old one)
> is contributing to spec compliance. Especially not if the inability to
> READ is not transient.
>
> Also return old_status; would tell the story better, but on the
> other hand, that would be an unrelated cosmetic change. Maybe
> a separate patch?
We would also need to actively check for success or failure of the
channel program in that case.
I'm currently looking at the virtio-ccw code anyway, so I can put that
on my list as well.
>
> Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Thanks!
I'll do a v2 with a tweaked commit message and cc:stable.
>
> Regards,
> Halil
>
> > >
> > > ccw = ccw_device_dma_zalloc(vcdev->cdev, sizeof(*ccw));
> >
>
WARNING: multiple messages have this Message-ID (diff)
From: Cornelia Huck <cohuck@redhat.com>
To: Halil Pasic <pasic@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, kvm@vger.kernel.org,
Pierre Morel <pmorel@linux.ibm.com>,
virtualization@lists.linux-foundation.org
Subject: Re: [PATCH] virtio/s390: implement virtio-ccw revision 2 correctly
Date: Tue, 16 Feb 2021 11:39:07 +0100 [thread overview]
Message-ID: <20210216113907.4e6943a9.cohuck@redhat.com> (raw)
In-Reply-To: <20210215195144.7b96b41f.pasic@linux.ibm.com>
On Mon, 15 Feb 2021 19:51:44 +0100
Halil Pasic <pasic@linux.ibm.com> wrote:
> On Mon, 15 Feb 2021 12:47:02 +0100
> Cornelia Huck <cohuck@redhat.com> wrote:
>
> > On Fri, 12 Feb 2021 18:04:11 +0100
> > Cornelia Huck <cohuck@redhat.com> wrote:
> >
> > > CCW_CMD_READ_STATUS was introduced with revision 2 of virtio-ccw,
> > > and drivers should only rely on it being implemented when they
> > > negotiated at least that revision with the device.
> > >
> > > However, virtio_ccw_get_status() issued READ_STATUS for any
> > > device operating at least at revision 1. If the device accepts
> > > READ_STATUS regardless of the negotiated revision (which it is
> > > free to do),
> >
> > So, looking at the standard again, the device is actually required to
> > reject the READ_STATUS if only rev 1 had been negotiated... regardless
> > of that, I don't think we should change QEMU's behaviour, as it would
> > affect existing guests (they would lose access to the status bits as
> > observed by the device, including DEVICE_NEEDS_RESET.)
>
> Not only that, without READ_STATUS, we can't do device reset which
> is a prerequisite for a proper cleanup, as required by the spec.
>
> You certainly remember, the driver has may not assume the reset
> was performed (and thus virtqueues are not live) until it reads
> back status 0. But without READ_STATUS virtio_ccw_get_status() will
> keep returning the status the driver last set via
> virtio_ccw_set_status(). And CCW_CMD_VDEV_RESET is of course
> revision 1 material. This looks ugly!
Yes, that problem kind of cascades down.
>
> >
> > > everything works as intended; a device rejecting the
> > > command should also be handled gracefully. For correctness, we
> > > should really limit the command to revision 2 or higher, though.
> > >
> > > We also negotiated the revision to at most 1, as we never bumped
> > > the maximum revision; let's do that now.
> > >
> > > Fixes: 7d3ce5ab9430 ("virtio/s390: support READ_STATUS command for virtio-ccw")
> > > Signed-off-by: Cornelia Huck <cohuck@redhat.com>
> > > ---
> > >
> > > QEMU does not fence off READ_STATUS for revisions < 2, which is probably
> > > why we never noticed this. I'm not aware of other hypervisors that do
> > > fence it off, nor any that cannot deal properly with an unknown command.
> > >
> > > Not sure whether this is stable worthy?
> >
> > Maybe it is, given the MUST reject clause in the standard?
> >
>
> Yes, IMHO this must be backported. A device that ain't violating the
> spec would currently reject READ_STATUS. Which would break RESET_VDEV
> like I described above.
>
> Can we change that MUST to should? There are now good reasons for not
> doing like the spec says in case of READ_STATUS.
Yes. I'm not so sure forcing the device to reject the command was such
a good idea anyway, and relaxing the requirement keeps existing
implementations in compliance.
I've opened https://github.com/oasis-tcs/virtio-spec/issues/96 and will
send a patch for the spec later.
>
> > >
> > > ---
> > > drivers/s390/virtio/virtio_ccw.c | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c
> > > index 5730572b52cd..54e686dca6de 100644
> > > --- a/drivers/s390/virtio/virtio_ccw.c
> > > +++ b/drivers/s390/virtio/virtio_ccw.c
> > > @@ -117,7 +117,7 @@ struct virtio_rev_info {
> > > };
> > >
> > > /* the highest virtio-ccw revision we support */
> > > -#define VIRTIO_CCW_REV_MAX 1
> > > +#define VIRTIO_CCW_REV_MAX 2
> > >
> > > struct virtio_ccw_vq_info {
> > > struct virtqueue *vq;
> > > @@ -952,7 +952,7 @@ static u8 virtio_ccw_get_status(struct virtio_device *vdev)
> > > u8 old_status = vcdev->dma_area->status;
> > > struct ccw1 *ccw;
> > >
> > > - if (vcdev->revision < 1)
> > > + if (vcdev->revision < 2)
> > > return vcdev->dma_area->status;
>
> I don't think our faking of the status read (i.e. returning the old one)
> is contributing to spec compliance. Especially not if the inability to
> READ is not transient.
>
> Also return old_status; would tell the story better, but on the
> other hand, that would be an unrelated cosmetic change. Maybe
> a separate patch?
We would also need to actively check for success or failure of the
channel program in that case.
I'm currently looking at the virtio-ccw code anyway, so I can put that
on my list as well.
>
> Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Thanks!
I'll do a v2 with a tweaked commit message and cc:stable.
>
> Regards,
> Halil
>
> > >
> > > ccw = ccw_device_dma_zalloc(vcdev->cdev, sizeof(*ccw));
> >
>
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-02-16 10:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-12 17:04 [PATCH] virtio/s390: implement virtio-ccw revision 2 correctly Cornelia Huck
2021-02-12 17:04 ` Cornelia Huck
2021-02-15 11:47 ` Cornelia Huck
2021-02-15 11:47 ` Cornelia Huck
2021-02-15 18:51 ` Halil Pasic
2021-02-15 18:51 ` Halil Pasic
2021-02-16 10:39 ` Cornelia Huck [this message]
2021-02-16 10:39 ` Cornelia Huck
2021-02-16 10:42 ` Halil Pasic
2021-02-16 10:42 ` Halil Pasic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210216113907.4e6943a9.cohuck@redhat.com \
--to=cohuck@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=pasic@linux.ibm.com \
--cc=pmorel@linux.ibm.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.