All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jan Beulich <jbeulich@suse.com>
To: Julien Grall <julien@xen.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Ian Jackson <iwj@xenproject.org>, Wei Liu <wl@xen.org>,
	Stefano Stabellini <sstabellini@kernel.org>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH v4 01/10] evtchn: use per-channel lock where possible
Date: Mon, 11 Jan 2021 11:14:10 +0100	[thread overview]
Message-ID: <69e94f3e-5fca-e77e-0b85-56057e7fce19@suse.com> (raw)
In-Reply-To: <3c393170-09f9-6d31-c227-b599f8769e35@xen.org>

On 08.01.2021 21:32, Julien Grall wrote:
> Hi Jan,
> 
> On 05/01/2021 13:09, Jan Beulich wrote:
>> Neither evtchn_status() nor domain_dump_evtchn_info() nor
>> flask_get_peer_sid() need to hold the per-domain lock - they all only
>> read a single channel's state (at a time, in the dump case).
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>> ---
>> v4: New.
>>
>> --- a/xen/common/event_channel.c
>> +++ b/xen/common/event_channel.c
>> @@ -968,15 +968,16 @@ int evtchn_status(evtchn_status_t *statu
>>       if ( d == NULL )
>>           return -ESRCH;
>>   
>> -    spin_lock(&d->event_lock);
>> -
>>       if ( !port_is_valid(d, port) )
> 
> There is one issue that is now becoming more apparent. To be clear, the 
> problem is not in this patch, but I think it is the best place to 
> discuss it as d->event_lock may be part of the solution.
> 
> After XSA-344, evtchn_destroy() will end up to decrement d->valid_evtchns.
> 
> Given that evtchn_status() can work on the non-current domain, it would 
> be possible to run it concurrently with evtchn_destroy(). As a 
> consequence, port_is_valid() will be unstable as a valid event channel 
> may turn invalid.
> 
> AFAICT, we are getting away so far, as the memory is not freed until the 
> domain is fully destroyed. However, we re-introduced XSA-338 in a 
> different way.
> 
> To be clear this is not the fault of this patch. But I don't think this 
> is sane to re-introduce a behavior that lead us to an XSA.

I'm getting confused, I'm afraid, from the varying statements above:
Are you suggesting this patch does re-introduce bad behavior or not?

Yes, the decrementing of ->valid_evtchns has a similar effect, but
I'm not convinced it gets us into XSA territory again. The problem
wasn't the reducing of ->max_evtchns as such, but the derived
assumptions elsewhere in the code. If there were any such again, I
suppose we'd have reason to issue another XSA.

Furthermore there are other paths already using port_is_valid()
without holding the domain's event lock; I've not been able to spot
a problem with this though, so far.

> I can see two solutions:
>    1) Use d->event_lock to protect port_is_valid() when d != 
> current->domain. This would require evtchn_destroy() to grab the lock 
> when updating d->valid_evtchns.
>    2) Never decrement d->valid_evtchns and use a different field for 
> closing ports
> 
> I am not a big fan of 1) because this is muddying the already complex 
> locking situation in the event channel code. But I suggested it because 
> I wasn't sure whether you would be happy with 2).

I agree 1) wouldn't be very nice, and you're right in assuming I
wouldn't like 2) very much. For the moment I'm not (yet) convinced
we need to do anything at all - as you say yourself, while the
result of port_is_valid() is potentially unstable when a domain is
in the process of being cleaned up, the state guarded by such
checks remains usable in (I think) a race free manner.

Jan


  reply	other threads:[~2021-01-11 10:14 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-05 13:07 [PATCH v4 00/10] evtchn: (not so) recent XSAs follow-on Jan Beulich
2021-01-05 13:09 ` [PATCH v4 01/10] evtchn: use per-channel lock where possible Jan Beulich
2021-01-08 20:32   ` Julien Grall
2021-01-11 10:14     ` Jan Beulich [this message]
2021-01-11 11:06       ` Julien Grall
2021-01-27  7:39         ` Jan Beulich
2021-01-05 13:09 ` [PATCH v4 02/10] evtchn: bind-interdomain doesn't need to hold both domains' event locks Jan Beulich
2021-01-09 15:41   ` Julien Grall
2021-01-09 16:14     ` Julien Grall
2021-01-25 13:47       ` Jan Beulich
2021-01-05 13:10 ` [PATCH v4 03/10] evtchn: convert domain event lock to an r/w one Jan Beulich
2021-01-05 13:10 ` [PATCH v4 04/10] evtchn: don't call Xen consumer callback with per-channel lock held Jan Beulich
2021-01-09 15:41   ` Julien Grall
2021-01-05 13:10 ` [PATCH v4 05/10] evtchn: closing of vIRQ-s doesn't require looping over all vCPU-s Jan Beulich
2021-01-09 16:17   ` Julien Grall
2021-01-05 13:11 ` [PATCH v4 06/10] evtchn: slightly defer lock acquire where possible Jan Beulich
2021-01-09 16:25   ` Julien Grall
2021-01-05 13:12 ` [PATCH v4 07/10] evtchn: add helper for port_is_valid() + evtchn_from_port() Jan Beulich
2021-01-09 16:31   ` Julien Grall
2021-01-05 13:12 ` [PATCH v4 08/10] evtchn: closing of ports doesn't need to hold both domains' event locks Jan Beulich
2021-01-05 13:13 ` [PATCH v4 09/10] evtchn: type adjustments Jan Beulich
2021-01-05 13:13 ` [PATCH v4 10/10] evtchn: drop acquiring of per-channel lock from send_guest_{global,vcpu}_virq() Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=69e94f3e-5fca-e77e-0b85-56057e7fce19@suse.com \
    --to=jbeulich@suse.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=julien@xen.org \
    --cc=sstabellini@kernel.org \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.