From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55053)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jgross@suse.com>) id 1ayXq9-00029M-As
	for qemu-devel@nongnu.org; Fri, 06 May 2016 00:58:19 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jgross@suse.com>) id 1ayXpx-0003ve-I4
	for qemu-devel@nongnu.org; Fri, 06 May 2016 00:58:07 -0400
Received: from mx2.suse.de ([195.135.220.15]:52861)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jgross@suse.com>) id 1ayXpx-0003ro-C3
	for qemu-devel@nongnu.org; Fri, 06 May 2016 00:58:01 -0400
References: <1457623170-30896-1-git-send-email-jgross@suse.com>
	<1457623170-30896-3-git-send-email-jgross@suse.com>
	<20160503150614.GG1885@perard.uk.xensource.com>
	<5729B1DF.1070108@suse.com>
	<20160505101355.GJ1885@perard.uk.xensource.com>
From: Juergen Gross <jgross@suse.com>
Message-ID: <572C2448.7010806@suse.com>
Date: Fri, 6 May 2016 06:57:44 +0200
MIME-Version: 1.0
In-Reply-To: <20160505101355.GJ1885@perard.uk.xensource.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH v2 2/2] xen: add pvUSB backend
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Anthony PERARD <anthony.perard@citrix.com>
Cc: qemu-devel@nongnu.org, xen-devel@lists.xensource.com, konrad.wilk@oracle.com, kraxel@redhat.com, stefano.stabellini@eu.citrix.com

On 05/05/16 12:13, Anthony PERARD wrote:
> On Wed, May 04, 2016 at 10:25:03AM +0200, Juergen Gross wrote:
>> On 03/05/16 17:06, Anthony PERARD wrote:
>>> On Thu, Mar 10, 2016 at 04:19:30PM +0100, Juergen Gross wrote:
>>>> +static void usbback_bh(void *opaque)
>>>> +{
>>>> +    struct usbback_info *usbif;
>>>> +    struct usbif_urb_back_ring *urb_ring;
>>>> +    struct usbback_req *usbback_req;
>>>> +    RING_IDX rc, rp;
>>>> +    unsigned int more_to_do;
>>>> +
>>>> +    usbif = opaque;
>>>> +    if (usbif->ring_error) {
>>>> +        return;
>>>> +    }
>>>> +
>>>> +    urb_ring = &usbif->urb_ring;
>>>> +    rc = urb_ring->req_cons;
>>>> +    rp = urb_ring->sring->req_prod;
>>>
>>> Maybe use atomic_read() here to avoid req_prod been read more than once.
>>
>> Hmm. This isn't done in the other backends.
>>
>> TBH: what would happen if req_prod would be read multiple times? In the
>> worst case we would see a new request from the guest which we would have
>> missed without the atomic_read().
> 
> If the guest is misbehaving, it maybe could provoke QEMU to handle more
> request. I'm not sure.

I don't think this would add any risk to dom0. A misbehaving guest
writing arbitrary values to ->req_prod could influence qemu activity
in just the same way regardless whether atomic_read() is used on qemu
side or not. The only difference would be that with atomic_read() the
additional qemu activity would be delayed until the next invocation
of the function.

> For this use of atomic_read, I'm mostly refering to XSA-155[1] and a
> conversation[2].

The main problem with XSA-155 was modification of the request's contents
by the guest after verification by the backend happened. This is not
related to reading the producer's ring index.

I should use RING_COPY_REQUEST(), however.


Juergen