From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>,
xen-devel <xen-devel@lists.xenproject.org>
Cc: Keir Fraser <keir@xen.org>
Subject: Re: [PATCH 0/4] x86/MSI-X: XSA-120 follow-up
Date: Fri, 13 Mar 2015 20:16:30 +0000 [thread overview]
Message-ID: <5503459E.4000309@citrix.com> (raw)
In-Reply-To: <54FF26F002000078000682F7@mail.emea.novell.com>
On 10/03/15 16:16, Jan Beulich wrote:
> The problem requiring the first patch here is actually what lead to
> XSA-120.
>
> 1: be more careful during teardown
> 2: access MSI-X table only after having enabled MSI-X
> 3: reduce fiddling with control register during restore
> 4: cleanup
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
Having taken another look through I am still hesitant, but don't have a
concrete issue to object to.
This code is used extensively in the idt vector migration codepath, and
in irq->ack() functions. I still fear that the additional config space
accesses will come with a non-neglegable overhead.
One issue, orthogonal to these changes, which XenServer has hit before
(a fairly long time ago) is having a device failure and having it fall
completely off the PCI bus (the firmware helpfully ate the error). At
that point, config cycles started returning ~0's, and I seem to recall
that Xen suffered a cascade failure as it started walking backwards
along the msi entry array. The underlying problem here is Xen's
reliance to read everything from config space, given the lack of
exclusion against dom0 having access.
Given these extra config accesses, I am seriously wondering whether it
would be more efficient overall to trap&emulate dom0 completely and
allow Xen to cache things like the current control register state,
locations of capability structures, etc. I genuinely don't know the
answer, but I suspect the comparative expense of config accesses means
that we don't need to replace many of the lookups for a net benefit.
(Of course, it doesn't protect against backdoor access, but all bets are
already off at that point.)
~Andrew
next prev parent reply other threads:[~2015-03-13 20:16 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-10 16:16 [PATCH 0/4] x86/MSI-X: XSA-120 follow-up Jan Beulich
2015-03-10 16:27 ` [PATCH 1/4] x86/MSI-X: be more careful during teardown Jan Beulich
2015-03-10 21:05 ` Andrew Cooper
2015-03-11 8:22 ` Jan Beulich
2015-03-13 18:10 ` Andrew Cooper
2015-03-16 11:03 ` Jan Beulich
2015-03-10 16:28 ` [PATCH 2/4] x86/MSI-X: access MSI‑X table only after having enabled MSI‑X Jan Beulich
2015-03-13 19:18 ` Andrew Cooper
2015-03-16 11:13 ` Jan Beulich
2015-03-10 16:29 ` [PATCH 3/4] x86/MSI-X: reduce fiddling with control register during restore Jan Beulich
2015-03-13 19:38 ` Andrew Cooper
2015-03-10 16:29 ` [PATCH 4/4] x86/MSI-X: cleanup Jan Beulich
2015-03-13 19:56 ` Andrew Cooper
2015-03-13 20:16 ` Andrew Cooper [this message]
2015-03-16 15:38 ` [PATCH 0/4] x86/MSI-X: XSA-120 follow-up Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5503459E.4000309@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=keir@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.