Stefano Stabellini
2013-Apr-19 17:24 UTC
[PATCH v3] xen/arm: do not use is_running to decide whether we can write directly to the LR registers
During context switch is_running is set for the next vcpu before the gic state is actually saved. This leads to possible nasty races when interrupts need to be injected after is_running is set to the next vcpu but before the currently running gic state has been saved from the previous vcpu. Use current instead of is_running to check which one is the currently running vcpu: set_current is called right before __context_switch and schedule_tail with interrupt disabled. Re-enabled interrupts after ctxt_switch_from, so that all the context switch saving functions don''t have to worry about receiving interrupts while saving state. Changes in v3: - Add a comment in the code to explain why gic_save_state doesn''t need a spinlock; - add an assert in gic_save_state to make sure that interrupts are disabled. Changes in v2: - rework the patch to run ctxt_switch_from with interrupt disabled, rather than introducing a gic_running internal variable. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> --- xen/arch/arm/domain.c | 5 ++--- xen/arch/arm/gic.c | 9 ++++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index e308813..eae42af 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -213,11 +213,10 @@ static void ctxt_switch_to(struct vcpu *n) static void schedule_tail(struct vcpu *prev) { - /* Re-enable interrupts before restoring state which may fault. */ - local_irq_enable(); - ctxt_switch_from(prev); + local_irq_enable(); + /* TODO update_runstate_area(current); */ diff --git a/xen/arch/arm/gic.c b/xen/arch/arm/gic.c index 5e83c50..2c1f58f 100644 --- a/xen/arch/arm/gic.c +++ b/xen/arch/arm/gic.c 
@@ -64,12 +64,15 @@ irq_desc_t *__irq_to_desc(int irq) void gic_save_state(struct vcpu *v) { int i; + ASSERT(!local_irq_is_enabled()); - spin_lock_irq(&gic.lock); + /* No need for spinlocks here because interrupts are disabled around + * this call and it only accesses struct vcpu fields that cannot be + * accessed simultaneously by another pCPU. + */ for ( i=0; i<nr_lrs; i++) v->arch.gic_lr[i] = GICH[GICH_LR + i]; v->arch.lr_mask = this_cpu(lr_mask); - spin_unlock_irq(&gic.lock); v->arch.gic_apr = GICH[GICH_APR]; /* Disable until next VCPU scheduled */ GICH[GICH_HCR] = 0; @@ -524,7 +527,7 @@ void gic_set_guest_irq(struct vcpu *v, unsigned int virtual_irq, spin_lock_irqsave(&gic.lock, flags); - if ( v->is_running && list_empty(&v->arch.vgic.lr_pending) ) + if ( v == current && list_empty(&v->arch.vgic.lr_pending) ) { i = find_first_zero_bit(&this_cpu(lr_mask), nr_lrs); if (i < nr_lrs) { -- 1.7.2.5
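Review bot: the schedule_tail hunk drops the only comment in the function and puts nothing in its place, so the new ordering (ctxt_switch_from(prev) runs with interrupts still disabled, local_irq_enable() follows it) is undocumented at the point where it matters. A one-line comment above the call, e.g. `/* ctxt_switch_from() must run with interrupts disabled: gic_save_state() relies on it. */`, would stop the next reader from reinstating the early enable. The removed comment's concern about restoring state that may fault still applies to whatever follows the TODO line, and that code is outside the hunk's context, so it is worth confirming that the enable still precedes the restore path.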
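Review bot: in the gic_save_state hunk the new comment justifies dropping gic.lock by saying the function only accesses struct vcpu fields, but the visible lines also read this_cpu(lr_mask) and the GICH_LR/GICH_APR registers and write GICH_HCR, which are per-pCPU resources rather than vcpu fields. The argument still holds, because interrupts are disabled on this pCPU and, with the `v == current` check in gic_set_guest_irq from the same patch, a remote pCPU never writes LRs for a vcpu it is not running, but the comment should say that rather than the narrower claim. Also worth checking that ctxt_switch_from is the only caller: the old spin_lock_irq() disabled interrupts itself, whereas the function now depends on the caller to do so, and the ASSERT only catches a mismatch at runtime.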
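Review bot: in the gic_set_guest_irq hunk the `v == current` test replaces `v->is_running` with no in-code note on why, and the reason (is_running is already set for the next vcpu before the previous vcpu's GIC state has been saved, while current is updated with interrupts disabled right before the switch) lives only in the commit message. A short comment above the `if` would keep that invariant visible to anyone who later sees is_running and considers switching back; since the check also depends on set_current() being called with interrupts disabled, the comment should state that ordering explicitly so both halves of the assumption can be found from this site.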
Ian Campbell
2013-Apr-22 11:59 UTC
Re: [PATCH v3] xen/arm: do not use is_running to decide whether we can write directly to the LR registers
On Fri, 2013-04-19 at 18:24 +0100, Stefano Stabellini wrote:
> During context switch is_running is set for the next vcpu before the
> gic state is actually saved.
> This leads to possible nasty races when interrupts need to be injected
> after is_running is set to the next vcpu but before the currently
> running gic state has been saved from the previous vcpu.
>
> Use current instead of is_running to check which one is the currently
> running vcpu: set_current is called right before __context_switch and
> schedule_tail with interrupt disabled.
>
> Re-enabled interrupts after ctxt_switch_from, so that all the context
> switch saving functions don't have to worry about receiving interrupts
> while saving state.
>
> Changes in v3:
> - Add a comment in the code to explain why gic_save_state doesn't need a
> spinlock;
> - add an assert in gic_save_state to make sure that interrupts are
> disabled.
>
> Changes in v2:
> - rework the patch to run ctxt_switch_from with interrupt disabled,
> rather than introducing a gic_running internal variable.
>
> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

Acked + applied, thanks.