Jan Beulich
2010-Jan-22 13:07 UTC
[Xen-devel] netback data access synchronization question
With netbk_gop_frag() (called in the context of net_rx_action()) consuming data (pending_tx_info[]) invalidated in net_tx_action_dealloc() (called from net_tx_action()), how is it guaranteed that the grant ref used will remain valid until the hypervisor gets to validate the arguments to GNTTABOP_copy?

Thanks, Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Jan Beulich
2010-Feb-02 10:46 UTC
Ping: [Xen-devel] netback data access synchronization question
Keir,

in the absence of anyone else responding, I would have hoped to at least get your opinion, as it was apparently your patch that added the consumer side of the code in question.

Thanks, Jan

>>> "Jan Beulich" <JBeulich@novell.com> 22.01.10 14:07 >>>
With netbk_gop_frag() (called in the context of net_rx_action()) consuming data (pending_tx_info[]) invalidated in net_tx_action_dealloc() (called from net_tx_action()), how is it guaranteed that the grant ref used will remain valid until the hypervisor gets to validate the arguments to GNTTABOP_copy?

Thanks, Jan
Keir Fraser
2010-Feb-02 13:28 UTC
Re: Ping: [Xen-devel] netback data access synchronization question
It's a long time since I was in that code!

K.

On 02/02/2010 10:46, "Jan Beulich" <JBeulich@novell.com> wrote:

> Keir,
>
> in the absence of anyone else responding, I would have hoped to at
> least get your opinion, as it was apparently your patch that added the
> consumer side of the code in question.
>
> Thanks, Jan
>
>>>> "Jan Beulich" <JBeulich@novell.com> 22.01.10 14:07 >>>
> With netbk_gop_frag() (called in the context of net_rx_action())
> consuming data (pending_tx_info[]) invalidated in net_tx_action_dealloc()
> (called from net_tx_action()), how is it guaranteed that the grant ref
> used will remain valid until the hypervisor gets to validate the arguments
> to GNTTABOP_copy?
>
> Thanks, Jan
Keir Fraser
2010-Feb-02 13:38 UTC
Re: Ping: [Xen-devel] netback data access synchronization question
Which means, if you want a more useful answer, you'll have to explain the potential bug more long-windedly with illustration.

K.

On 02/02/2010 13:28, "Keir Fraser" <keir.fraser@eu.citrix.com> wrote:

> It's a long time since I was in that code!
>
> K.
>
> On 02/02/2010 10:46, "Jan Beulich" <JBeulich@novell.com> wrote:
>
>> Keir,
>>
>> in the absence of anyone else responding, I would have hoped to at
>> least get your opinion, as it was apparently your patch that added the
>> consumer side of the code in question.
>>
>> Thanks, Jan
>>
>>>>> "Jan Beulich" <JBeulich@novell.com> 22.01.10 14:07 >>>
>> With netbk_gop_frag() (called in the context of net_rx_action())
>> consuming data (pending_tx_info[]) invalidated in net_tx_action_dealloc()
>> (called from net_tx_action()), how is it guaranteed that the grant ref
>> used will remain valid until the hypervisor gets to validate the arguments
>> to GNTTABOP_copy?
>>
>> Thanks, Jan
Jan Beulich
2010-Feb-02 15:45 UTC
Re: Ping: [Xen-devel] netback data access synchronization question
>>> Keir Fraser <keir.fraser@eu.citrix.com> 02.02.10 14:38 >>>
>Which means, if you want a more useful answer, you'll have to explain the
>potential bug more long-windedly with illustration.

I'll try to:

The two tasklets (rx and tx) can run in parallel. If the sequence of operations is

- netbk_gop_frag() (in the context of the rx tasklet) reads (for a guest-to-guest transfer) pending_tx_info[] and stores the respective grant reference as source of the transfer in a "local" variable
- net_tx_action_dealloc() (in the context of the tx tasklet) grabs the same grant reference and passes it to GNTTABOP_unmap_grant_ref, and that hypercall completes
- the guest the grant ref belongs to invalidates the grant
- net_rx_action() passes the now stale grant reference (obtained in netbk_gop_frag()) to GNTTABOP_copy

Since it is the source domain (of the two guests involved) potentially revoking the grant before the transfer can complete, it would seem to me that it can that way cause errors on the receiving side.

Or can all that really only happen when the source guest misbehaves, in which case receive errors in the other domain are a valid expression of that fact (with just the ugly side effect of various warning messages appearing in the hypervisor log)?

Thanks, Jan
Keir Fraser
2010-Feb-03 10:15 UTC
Re: Ping: [Xen-devel] netback data access synchronization question
On 02/02/2010 15:45, "Jan Beulich" <JBeulich@novell.com> wrote:

> - netbk_gop_frag() (in the context of the rx tasklet) reads
> (for a guest-to-guest transfer) pending_tx_info[] and stores the
> respective grant reference as source of the transfer in a "local"
> variable
> - net_tx_action_dealloc() (in the context of the tx tasklet) grabs the
> same grant reference and passes it to GNTTABOP_unmap_grant_ref,
> and that hypercall completes

Only happens if it is on the dealloc_ring[] which should only happen when that frag page's reference count falls to zero. That shouldn't happen until after the 'rx path' has copied the bits to the destination, and then drops the skb.

> - the guest the grant ref belongs to invalidates the grant
> - net_rx_action() passes the now stale grant reference (obtained
> in netbk_gop_frag()) to GNTTABOP_copy
>
> Since it is the source domain (of the two guests involved) potentially
> revoking the grant before the transfer can complete, it would seem
> to me that it can that way cause errors on the receiving side.
>
> Or can all that really only happen when the source guest misbehaves,
> in which case receive errors in the other domain are a valid expression
> of that fact (with just the ugly side effect of various warning
> messages appearing in the hypervisor log)?

We mustn't send the transmitting guest a response until we are done with the grant ref. That would be a bug. If the transmitting guest reuses the grant before we send a response, that is a bug in the transmitting guest (and it is reasonable for the backend to complain about it, although maybe care is needed regarding this being an avenue for a DoS attack on dom0 logs).

-- Keir
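
Added example, not part of the thread and not netback's code: a single-threaded C model of the guarantee described in the last message, where an entry reaches dealloc_ring[] only once the frag page's reference count falls to zero, run against the interleaving from the earlier message. Only pending_tx_info[] and dealloc_ring[] are names from the thread; the model_* functions, the struct fields and the grant ref value 42 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PENDING 4
/* Toy model: only pending_tx_info[] and dealloc_ring[] are names from the
 * thread; every model_* function and struct field is hypothetical. */
struct pending_tx { unsigned gref; int page_refs; bool mapped; };
static struct pending_tx pending_tx_info[MAX_PENDING];
static size_t dealloc_ring[MAX_PENDING], dealloc_prod, dealloc_cons;

/* tx side: grant mapped; the skb carrying the frag holds one page reference */
static void model_tx_map(size_t i, unsigned gref) {
    pending_tx_info[i] = (struct pending_tx){ gref, 1, true };
}
/* Dropping the last page reference is the only route onto dealloc_ring[] */
static void model_put_page(size_t i) {
    if (--pending_tx_info[i].page_refs == 0)
        dealloc_ring[dealloc_prod++ % MAX_PENDING] = i;
}
/* tx tasklet: unmap whatever is queued; returns how many grants were unmapped */
static int model_tx_action_dealloc(void) {
    int n = 0;
    for (; dealloc_cons != dealloc_prod; n++)
        pending_tx_info[dealloc_ring[dealloc_cons++ % MAX_PENDING]].mapped = false;
    return n;
}
/* rx tasklet: the copy works only while the grant it names is still mapped */
static bool model_rx_copy(size_t i, unsigned gref) {
    return pending_tx_info[i].mapped && pending_tx_info[i].gref == gref;
}

/* Runs the interleaving from the thread. drop_early=true models the bug case
 * where the page reference is released before the rx copy has been issued.
 * Returns true if the copy saw a mapped grant and the unmap came only after. */
bool model_interleave(bool drop_early) {
    dealloc_prod = dealloc_cons = 0;
    model_tx_map(0, 42);                       /* constructed grant ref */
    unsigned gref = pending_tx_info[0].gref;   /* rx reads it into a local */
    if (drop_early) model_put_page(0);         /* reference dropped too soon */
    model_tx_action_dealloc();                 /* tx tasklet runs in between */
    bool ok = model_rx_copy(0, gref);          /* rx issues the copy */
    if (!drop_early) model_put_page(0);        /* skb dropped after the copy */
    return ok && model_tx_action_dealloc() == 1 && !pending_tx_info[0].mapped;
}

int main(void) {
    printf("correct ordering: %d\n", model_interleave(false));
    printf("premature release: %d\n", model_interleave(true));
    return 0;
}
```

In the model the tx tasklet running between the read and the copy finds nothing to unmap as long as the rx side still holds its page reference; the stale-grant outcome appears only when that reference is released before the copy.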