From: Julien Grall <julien.grall@arm.com>
To: Andre Przywara <andre.przywara@arm.com>,
Stefano Stabellini <sstabellini@kernel.org>
Cc: xen-devel@lists.xenproject.org,
Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>,
Vijay Kilari <vijay.kilari@gmail.com>,
Shanker Donthineni <shankerd@codeaurora.org>
Subject: Re: [PATCH v8 15/27] ARM: vITS: handle CLEAR command
Date: Wed, 12 Apr 2017 15:10:25 +0100 [thread overview]
Message-ID: <11d6206d-ab85-b0c6-f75a-676c2fba660e@arm.com> (raw)
In-Reply-To: <1491957874-31600-16-git-send-email-andre.przywara@arm.com>
Hi Andre,
On 12/04/17 01:44, Andre Przywara wrote:
> This introduces the ITS command handler for the CLEAR command, which
> clears the pending state of an LPI.
> This removes a not-yet injected, but already queued IRQ from a VCPU.
> As read_itte() is now eventually used, we add the static keyword.
>
> Signed-off-by: Andre Przywara <andre.przywara@arm.com>
> ---
> xen/arch/arm/vgic-v3-its.c | 52 ++++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 50 insertions(+), 2 deletions(-)
>
> diff --git a/xen/arch/arm/vgic-v3-its.c b/xen/arch/arm/vgic-v3-its.c
> index 632ab84..e24ab60 100644
> --- a/xen/arch/arm/vgic-v3-its.c
> +++ b/xen/arch/arm/vgic-v3-its.c
> @@ -227,8 +227,8 @@ static bool read_itte_locked(struct virt_its *its, uint32_t devid,
> * This function takes care of the locking by taking the its_lock itself, so
> * a caller shall not hold this. Before returning, the lock is dropped again.
> */
> -bool read_itte(struct virt_its *its, uint32_t devid, uint32_t evid,
> - struct vcpu **vcpu_ptr, uint32_t *vlpi_ptr)
> +static bool read_itte(struct virt_its *its, uint32_t devid, uint32_t evid,
> + struct vcpu **vcpu_ptr, uint32_t *vlpi_ptr)
> {
> bool ret;
>
> @@ -297,6 +297,51 @@ static uint64_t its_cmd_mask_field(uint64_t *its_cmd, unsigned int word,
> #define its_cmd_get_validbit(cmd) its_cmd_mask_field(cmd, 2, 63, 1)
> #define its_cmd_get_ittaddr(cmd) (its_cmd_mask_field(cmd, 2, 8, 44) << 8)
>
> +/*
> + * CLEAR removes the pending state from an LPI. */
> +static int its_handle_clear(struct virt_its *its, uint64_t *cmdptr)
> +{
> + uint32_t devid = its_cmd_get_deviceid(cmdptr);
> + uint32_t eventid = its_cmd_get_id(cmdptr);
> + struct pending_irq *p;
> + struct vcpu *vcpu;
> + uint32_t vlpi;
> + unsigned long flags;
> +
> + /* Translate the DevID/EvID pair into a vCPU/vLPI pair. */
> + if ( !read_itte(its, devid, eventid, &vcpu, &vlpi) )
So the vCPU ID is retrieved from guest memory, therefore you cannot
trust the value for taking a lock.
Indeed, a malicious guest could rewrite the value with another vCPU ID
and you would take the wrong vCPU vGIC lock.
What is the plan to fix that?
> + return -1;
> +
> + spin_lock_irqsave(&vcpu->arch.vgic.lock, flags);
I don't think this lock will protect correctly the pending_irq because
if you do a MOVI before hand you will use the new vCPU ID and not the
old one (see my explanation on patch #2).
> +
> + p = its->d->arch.vgic.handler->lpi_to_pending(its->d, vlpi);
> + if ( !p )
Please detail what means NULL here.
> + {
> + spin_unlock_irqrestore(&vcpu->arch.vgic.lock, flags);
> + return -1;
> + }
> +
> + /*
> + * If the LPI is already visible on the guest, it is too late to
> + * clear the pending state. However this is a benign race that can
> + * happen on real hardware, too: If the LPI has already been forwarded
> + * to a CPU interface, a CLEAR request reaching the redistributor has
> + * no effect on that LPI anymore. Since LPIs are edge triggered and
> + * have no active state, we don't need to care about this here.
> + */
> + if ( !test_bit(GIC_IRQ_GUEST_VISIBLE, &p->status) )
> + {
> + /* Remove a pending, but not yet injected guest IRQ. */
> + clear_bit(GIC_IRQ_GUEST_QUEUED, &p->status);
> + list_del_init(&p->inflight);
> + list_del_init(&p->lr_queue);
I am not sure to understand why you open-code gic_remove_from_queues
rather than reworking it.
> + }
> +
> + spin_unlock_irqrestore(&vcpu->arch.vgic.lock, flags);
> +
> + return 0;
> +}
> +
> #define ITS_CMD_BUFFER_SIZE(baser) ((((baser) & 0xff) + 1) << 12)
> #define ITS_CMD_OFFSET(reg) ((reg) & GENMASK(19, 5))
>
> @@ -326,6 +371,9 @@ static int vgic_its_handle_cmds(struct domain *d, struct virt_its *its)
>
> switch ( its_cmd_get_command(command) )
> {
> + case GITS_CMD_CLEAR:
> + ret = its_handle_clear(its, command);
> + break;
> case GITS_CMD_SYNC:
> /* We handle ITS commands synchronously, so we ignore SYNC. */
> break;
>
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-04-12 14:10 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-12 0:44 [PATCH v8 00/27] arm64: Dom0 ITS emulation Andre Przywara
2017-04-12 0:44 ` [PATCH v8 01/27] ARM: GICv3: propagate number of host LPIs to GICv3 guest Andre Przywara
2017-04-12 10:06 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 02/27] ARM: VGIC: move irq_to_pending() calls under the VGIC VCPU lock Andre Przywara
2017-04-12 10:13 ` Julien Grall
2017-04-12 11:38 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 03/27] ARM: GIC: Add checks for NULL pointer pending_irq's Andre Przywara
2017-04-12 10:25 ` Julien Grall
2017-04-12 14:51 ` Andre Przywara
2017-04-12 14:52 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 04/27] ARM: GICv3: introduce separate pending_irq structs for LPIs Andre Przywara
2017-04-12 10:35 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 05/27] ARM: GICv3: forward pending LPIs to guests Andre Przywara
2017-04-12 10:44 ` Julien Grall
2017-04-12 17:26 ` Andre Przywara
2017-05-10 10:47 ` Andre Przywara
2017-05-10 11:07 ` Julien Grall
2017-05-10 17:14 ` Andre Przywara
2017-05-10 17:17 ` Julien Grall
2017-05-11 17:55 ` Andre Przywara
2017-04-12 0:44 ` [PATCH v8 06/27] ARM: GICv3: enable ITS and LPIs on the host Andre Przywara
2017-04-12 0:44 ` [PATCH v8 07/27] ARM: vGICv3: handle virtual LPI pending and property tables Andre Przywara
2017-04-12 10:55 ` Julien Grall
2017-04-12 13:12 ` Andre Przywara
2017-04-12 13:13 ` Julien Grall
2017-05-11 17:54 ` Andre Przywara
2017-04-12 0:44 ` [PATCH v8 08/27] ARM: introduce vgic_access_guest_memory() Andre Przywara
2017-04-12 12:29 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 09/27] ARM: vGICv3: re-use vgic_reg64_check_access Andre Przywara
2017-04-12 0:44 ` [PATCH v8 10/27] ARM: GIC: export vgic_init_pending_irq() Andre Przywara
2017-04-12 0:44 ` [PATCH v8 11/27] ARM: VGIC: add vcpu_id to struct pending_irq Andre Przywara
2017-04-12 12:32 ` Julien Grall
2017-04-12 12:37 ` Andre Przywara
2017-04-12 0:44 ` [PATCH v8 12/27] ARM: vGIC: advertise LPI support Andre Przywara
2017-04-12 12:38 ` Julien Grall
2017-04-12 12:48 ` Andre Przywara
2017-04-12 13:04 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 13/27] ARM: vITS: add command handling stub and MMIO emulation Andre Przywara
2017-04-12 12:59 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 14/27] ARM: vITS: introduce translation table walks Andre Przywara
2017-04-12 13:22 ` Julien Grall
2017-04-12 13:36 ` Andre Przywara
2017-04-12 13:37 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 15/27] ARM: vITS: handle CLEAR command Andre Przywara
2017-04-12 14:10 ` Julien Grall [this message]
2017-04-12 14:29 ` Andre Przywara
2017-04-12 14:49 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 16/27] ARM: vITS: handle INT command Andre Przywara
2017-04-12 14:50 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 17/27] ARM: vITS: handle MAPC command Andre Przywara
2017-04-12 14:51 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 18/27] ARM: vITS: handle MAPD command Andre Przywara
2017-04-12 15:21 ` Julien Grall
2017-04-12 17:03 ` Andre Przywara
2017-04-12 17:05 ` Julien Grall
2017-04-12 17:24 ` Andrew Cooper
2017-04-12 18:18 ` Wei Liu
2017-05-10 10:42 ` Andre Przywara
2017-05-10 11:30 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 19/27] ARM: vITS: handle MAPTI command Andre Przywara
2017-04-12 16:18 ` Julien Grall
2017-04-12 16:27 ` Andre Przywara
2017-04-12 17:16 ` Julien Grall
2017-04-12 17:25 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 20/27] ARM: GICv3: handle unmapped LPIs Andre Przywara
2017-04-12 9:46 ` Andre Przywara
2017-04-12 16:49 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 21/27] ARM: vITS: handle MOVI command Andre Przywara
2017-04-12 16:59 ` Julien Grall
2017-05-10 10:34 ` Andre Przywara
2017-04-12 0:44 ` [PATCH v8 22/27] ARM: vITS: handle DISCARD command Andre Przywara
2017-04-12 17:06 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 23/27] ARM: vITS: handle INV command Andre Przywara
2017-04-12 17:20 ` Julien Grall
2017-05-10 15:11 ` Andre Przywara
2017-05-11 10:43 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 24/27] ARM: vITS: handle INVALL command Andre Przywara
2017-04-12 17:26 ` Julien Grall
2017-04-12 0:44 ` [PATCH v8 25/27] ARM: vITS: increase mmio_count for each ITS Andre Przywara
2017-04-12 0:44 ` [PATCH v8 26/27] ARM: vITS: create and initialize virtual ITSes for Dom0 Andre Przywara
2017-04-12 0:44 ` [PATCH v8 27/27] ARM: vITS: create ITS subnodes for Dom0 DT Andre Przywara
2017-04-12 14:13 ` [PATCH v8 00/27] arm64: Dom0 ITS emulation Julien Grall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=11d6206d-ab85-b0c6-f75a-676c2fba660e@arm.com \
--to=julien.grall@arm.com \
--cc=Vijaya.Kumar@caviumnetworks.com \
--cc=andre.przywara@arm.com \
--cc=shankerd@codeaurora.org \
--cc=sstabellini@kernel.org \
--cc=vijay.kilari@gmail.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).