All of lore.kernel.org
 help / color / mirror / Atom feed
From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
To: Julien Grall <julien.grall@arm.com>
Cc: "tee-dev@lists.linaro.org" <tee-dev@lists.linaro.org>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Subject: Re: [Xen-devel] [PATCH v2 4/6] xen/arm: optee: handle shared buffer translation error
Date: Tue, 24 Sep 2019 13:30:51 +0000	[thread overview]
Message-ID: <87blv9akj8.fsf@epam.com> (raw)
In-Reply-To: <de2f8861-8705-bd99-268b-2312dd50d84c@arm.com>


Julien Grall writes:

> On 24/09/2019 12:37, Volodymyr Babchuk wrote:
>>
>> Hi Julien,
>>
>> Julien Grall writes:
>>
>>> Hi,
>>>
>>> On 18/09/2019 19:51, Volodymyr Babchuk wrote:
>>>> +/* Handles return from Xen-issued RPC */
>>>> +static void handle_xen_rpc_return(struct optee_domain *ctx,
>>>> +                                  struct cpu_user_regs *regs,
>>>> +                                  struct optee_std_call *call,
>>>> +                                  struct shm_rpc *shm_rpc)
>>>> +{
>>>> +    call->state = OPTEE_CALL_NORMAL;
>>>> +
>>>> +    /*
>>>> +     * Right now we have only one reason to be there - we asked guest
>>>> +     * to free shared buffer and it did it. Now we can tell OP-TEE
>>>> +     * that buffer allocation failed. We are not storing exact command
>>>> +     * type, only type of RPC return. So, this is the only check we
>>>> +     * can perform there.
>>>> +     */
>>>> +    ASSERT(call->rpc_op == OPTEE_SMC_RPC_FUNC_CMD);
>>>
>>> As I pointed out in v1, ASSERT() is probably the less desirable
>>> solution here as this is an error path.
>> Looks like I misunderstood you :(
>>
>>> Can you explain why you chose that over the 3 solutions I suggested?
>> I think I need some clarification there. ASSERT() is adopted way to tell
>> about invariant. Clearly, this is programming error if ASSERT() fails.
>
> That's correct.
>
>>
>> But I understand, that ASSERT() is available only in debug build. So, in
>> release it will never fire. As this is very unlikely error path, bug
>> there can live forever. Okay, so ASSERT() is the least desirable way.
>
> This is my concern, ASSERT() are fine in path that can be exercised
> quite well. By experience, error path as not so well tested, so any
> verbosity in non-debug build is always helpful.
Yep, I see.

>>
>> Warning is not enough, as we are already in incorrect state.
> Incorrect state for who? The guest?
Yes, for the current call of the current guest. State of other calls and
other guests should not be affected. But it is possible that our view of
OP-TEE state for that guest is not correct also.

>>
>> So, best way is to crash guest, it this correct? I'll do this in the
>> next version then.
>
> A rule of thumb is
>   - BUG_ON can be replaced by domain_crash() as this is a fatal error
> you can't recover (the scope depends on the function call).
This seems correct.

>
>   - ASSERT() can be replaced by WARN_ON() as the former will be a NOP
> in non-debug build. In both case, the error is not fatal and continue
> will not result So it means the error is not fatal.
I can't agree with this in general. But maybe this makes sense for Xen.
As I said, generally ASSERT() is used to, well, assert that condition is
true for any correct state of a program. So it cant' be replaced with
WARN_ON(). If we detected invalid state we should either try to correct
it (if know how) or to immediately stop the program.

But I can see, why this behavior is not desired for
hypervisor. Especially in production use.

> You used ASSERT() in your code, so it feels to me that WARN_ON() would
> be a suitable replacement.
Well, honestly I believe that it is better to crash guest to prevent
any additional harm. Look, we already detected that something is wrong
with mediator state for certain guest. We can pretend that all is fine
and try to continue the call. But who knows which consequences it will have?

> However, if the state inconsistency is for Xen, then domain_crash() is
> the best. If this is for the guest, then this is not really our
> business and it may be best to let him continue as it could provide
> more debug (domain_crash() will only dump the stack and registers).
I'm looking at this from different point: we promised to provide some
service for a guest and screwed up. It is not guest's fault. Now we know
that we can't provide reliable service for a guest anymore. From
safety point of view we should shut down the service. (But this is job
for another patch) For now, we at least should crash the
guest. This is the safest way. What do you think?

--
Volodymyr Babchuk at EPAM
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2019-09-24 13:31 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-18 18:50 [Xen-devel] [PATCH v2 0/6] arch/arm: optee: fix TODOs and change status to "Tech Preview" Volodymyr Babchuk
2019-09-18 18:50 ` [Xen-devel] [PATCH v2 1/6] xen/arm: optee: impose limit on shared buffer size Volodymyr Babchuk
2019-09-23  9:29   ` Julien Grall
2019-09-18 18:50 ` [Xen-devel] [PATCH v2 2/6] xen/arm: optee: check for preemption while freeing shared buffers Volodymyr Babchuk
2019-09-23  9:30   ` Julien Grall
2019-09-18 18:50 ` [Xen-devel] [PATCH v2 3/6] xen/arm: optee: limit number of " Volodymyr Babchuk
2019-09-23  9:31   ` Julien Grall
2019-09-18 18:51 ` [Xen-devel] [PATCH v2 4/6] xen/arm: optee: handle shared buffer translation error Volodymyr Babchuk
2019-09-23  9:42   ` Julien Grall
2019-09-24 11:37     ` Volodymyr Babchuk
2019-09-24 12:06       ` Julien Grall
2019-09-24 13:30         ` Volodymyr Babchuk [this message]
2019-09-24 14:08           ` Julien Grall
2019-09-18 18:51 ` [Xen-devel] [PATCH v2 5/6] SUPPORT.md: Describe OP-TEE mediator Volodymyr Babchuk
2019-09-23  9:48   ` Julien Grall
2019-09-18 18:51 ` [Xen-devel] [PATCH v2 6/6] xen/arm: optee: update description in Kconfig Volodymyr Babchuk
2019-09-23  9:46   ` Julien Grall
2019-09-23 10:24 ` [Xen-devel] [PATCH v2 0/6] arch/arm: optee: fix TODOs and change status to "Tech Preview" Julien Grall

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87blv9akj8.fsf@epam.com \
    --to=volodymyr_babchuk@epam.com \
    --cc=julien.grall@arm.com \
    --cc=sstabellini@kernel.org \
    --cc=tee-dev@lists.linaro.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.