From nobody Mon Feb 9 02:28:10 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org ARC-Seal: i=1; a=rsa-sha256; t=1561109875; cv=none; d=zoho.com; s=zohoarc; b=ebpEVi6sbmGlpgmdlrAPXo6TUVAuZcuouktDvpnf0NCg+RsGgDGTD2eOzqbvnTSq/LtZui3TBM3zJtb8Q1BBeH7xHln1omrJ7Ci6OxqG+epRBYfrzNcUYWL1yjiVEF68tsASiYbUqh6P1YnZ/MxoQR/B8V22Z0Sq/Y0zeekPD1Y= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1561109875; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=p2lgN5wvPHbflOJbCkyOhI2JjWNrQqcQ0UR59Ns6Dso=; b=FrXJ1gE+XSMViRM63JppEGZEAKqqVwS+H1r9TFOB4b0VPES0UwGE8lo3hS8NTvxD8DNKpDx4ppqQBhZgAzJLLjuztsTUYJ1faQR3P+lqmB4eyhuLCqD0yjrS0/ns5KDL6hYfMJVTDWPjgWrPMyKHkmIEWLheyOfsKJozoC7BcaQ= ARC-Authentication-Results: i=1; mx.zoho.com; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1561109875563920.3371461777314; Fri, 21 Jun 2019 02:37:55 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1heFyR-0007aN-1j; Fri, 21 Jun 2019 09:36:47 +0000 Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1heFyP-0007a8-QH for xen-devel@lists.xenproject.org; Fri, 21 Jun 2019 09:36:45 +0000 Received: from esa1.hc3370-68.iphmx.com (unknown [216.71.145.142]) by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS id 14bfd50c-9408-11e9-8980-bc764e045a96; Fri, 21 Jun 2019 09:36:44 +0000 (UTC) X-Inumbo-ID: 14bfd50c-9408-11e9-8980-bc764e045a96 Authentication-Results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa1.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa1.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa1.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa1.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa1.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa1.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: 7163l8iTHCmy0+N2/twP80czhKbNZzTecOXN7Uy7gbWgp7Ta/bop3HWbqYlnpJtu+rqSkAT1l2 MqJZbV5/IIAzDgtzync9wotBThkpWtQEkWl4G/xd22N6seHBiJ08LLZZ6ekiO7dBoHwPkb5oHo 6922zbEYnrHmy0SW6P9wbyK0XcNlW7NR2DqRKStZjvDK5s79uvOkHdNdN8n0GV1+RUHcktAIf5 5sAbU9zihGgparQTSt4UA9xZCCIG+JRQVcF1GCcfS0ww+AW8y1olBXrdv5yvg37TRw7zZF3Muh EkQ= X-SBRS: 2.7 X-MesageID: 2060658 X-Ironport-Server: esa1.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.63,399,1557201600"; d="scan'208";a="2060658" From: Andrew Cooper To: Xen-devel Date: Fri, 21 Jun 2019 10:36:34 +0100 Message-ID: <1561109798-8744-2-git-send-email-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1561109798-8744-1-git-send-email-andrew.cooper3@citrix.com> References: <1561109798-8744-1-git-send-email-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH 1/5] xen/gnttab: Reduce complexity when reading grant_entry_header_t X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Stefano Stabellini , Wei Liu , George Dunlap , Andrew Cooper , Julien Grall , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" _set_status_v{1,2}() and gnttab_prepare_for_transfer() read the shared head= er by always casting to u32. Despite grant_entry_header_t only having an alignment of 2, this is actually safe because of the grant table ABI itself. Switch to using an explicit uint32_t *, which removes all subsequent castin= g. Furthermore, switch to using ACCESS_ONCE() for the read. There is nothing = in the _set_status_v1() and gnttab_prepare_for_transfer() which prevents the compiler from issuing multiple memory reads and creating a TOCTOU race arou= nd the sanity checks, although the worst that can happen is Xen stamping a sta= tus flag over a bad grant entry if the guest is misbehaving. _set_status_v2() does use barrier() to try avoid multiple reads, but this is overkill. All that matters is that the shared header gets read in one go, = and this allows the compiler more room to optimise. Signed-off-by: Andrew Cooper --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Stefano Stabellini CC: Julien Grall CC: George Dunlap Dropping the barrier() in _set_status_v2() allows the optimiser to notice t= hat initialiser for flags/id are redundant memory reads. This is fixed in the following patch. --- xen/common/grant_table.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 2bbde5c..e5d585f 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -679,6 +679,7 @@ static int _set_status_v1(const grant_entry_header_t *s= hah, domid_t ldomid) { int rc =3D GNTST_okay; + uint32_t *raw_shah =3D (uint32_t *)shah; union grant_combo scombo, prev_scombo, new_scombo; uint16_t mask =3D GTF_type_mask; =20 @@ -697,7 +698,7 @@ static int _set_status_v1(const grant_entry_header_t *s= hah, if ( mapflag ) mask |=3D GTF_sub_page; =20 - scombo.word =3D *(u32 *)shah; + scombo.word =3D ACCESS_ONCE(*raw_shah); =20 /* * This loop attempts to set the access (reading/writing) flags @@ -728,7 +729,7 @@ static int _set_status_v1(const grant_entry_header_t *s= hah, "Attempt to write-pin a r/o grant entry\n"); } =20 - prev_scombo.word =3D guest_cmpxchg(rd, (u32 *)shah, + prev_scombo.word =3D guest_cmpxchg(rd, raw_shah, scombo.word, new_scombo.word); if ( likely(prev_scombo.word =3D=3D scombo.word) ) break; @@ -753,17 +754,13 @@ static int _set_status_v2(const grant_entry_header_t = *shah, domid_t ldomid) { int rc =3D GNTST_okay; + uint32_t *raw_shah =3D (uint32_t *)shah; union grant_combo scombo; uint16_t flags =3D shah->flags; domid_t id =3D shah->domid; uint16_t mask =3D GTF_type_mask; =20 - /* we read flags and domid in a single memory access. - this avoids the need for another memory barrier to - ensure access to these fields are not reordered */ - scombo.word =3D *(u32 *)shah; - barrier(); /* but we still need to stop the compiler from turning - it back into two reads */ + scombo.word =3D ACCESS_ONCE(*raw_shah); flags =3D scombo.shorts.flags; id =3D scombo.shorts.domid; =20 @@ -797,8 +794,7 @@ static int _set_status_v2(const grant_entry_header_t *s= hah, still valid */ smp_mb(); =20 - scombo.word =3D *(u32 *)shah; - barrier(); + scombo.word =3D ACCESS_ONCE(*raw_shah); flags =3D scombo.shorts.flags; id =3D scombo.shorts.domid; =20 @@ -2041,7 +2037,7 @@ gnttab_prepare_for_transfer( struct domain *rd, struct domain *ld, grant_ref_t ref) { struct grant_table *rgt =3D rd->grant_table; - grant_entry_header_t *sha; + uint32_t *raw_shah; union grant_combo scombo, prev_scombo, new_scombo; int retries =3D 0; =20 @@ -2055,9 +2051,8 @@ gnttab_prepare_for_transfer( goto fail; } =20 - sha =3D shared_entry_header(rgt, ref); - - scombo.word =3D *(u32 *)&sha->flags; + raw_shah =3D (uint32_t *)shared_entry_header(rgt, ref); + scombo.word =3D ACCESS_ONCE(*raw_shah); =20 for ( ; ; ) { @@ -2074,7 +2069,7 @@ gnttab_prepare_for_transfer( new_scombo =3D scombo; new_scombo.shorts.flags |=3D GTF_transfer_committed; =20 - prev_scombo.word =3D guest_cmpxchg(rd, (u32 *)&sha->flags, + prev_scombo.word =3D guest_cmpxchg(rd, raw_shah, scombo.word, new_scombo.word); if ( likely(prev_scombo.word =3D=3D scombo.word) ) break; --=20 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel