When not holding the PoD lock across the entire region covering both the
P2M update and the stats update, the entry count - if it is to be
incorrect at all - should err toward too large a value rather than too
small a one, to avoid functions bailing early when they find the count
is zero. However, instead of moving the increment ahead (and adjusting
it back upon failure), extend the PoD-locked region.
Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v4: Shrink locked region a little again, where possible.
v3: Extend locked region instead. Add Fixes: tag.
v2: Add comments.
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -1348,12 +1348,19 @@ mark_populate_on_demand(struct domain *d
}
}
+ /*
+ * P2M update and stats increment need to collectively be under PoD lock,
+ * to prevent code elsewhere observing PoD entry count being zero despite
+ * there actually still being PoD entries (created by the p2m_set_entry()
+ * invocation below).
+ */
+ pod_lock(p2m);
+
/* Now, actually do the two-way mapping */
rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order,
p2m_populate_on_demand, p2m->default_access);
if ( rc == 0 )
{
- pod_lock(p2m);
p2m->pod.entry_count += 1UL << order;
p2m->pod.entry_count -= pod_count;
BUG_ON(p2m->pod.entry_count < 0);
@@ -1363,6 +1370,8 @@ mark_populate_on_demand(struct domain *d
}
else if ( order )
{
+ pod_unlock(p2m);
+
/*
* If this failed, we can't tell how much of the range was changed.
* Best to crash the domain.
@@ -1372,6 +1381,8 @@ mark_populate_on_demand(struct domain *d
d, gfn_l, order, rc);
domain_crash(d);
}
+ else
+ pod_unlock(p2m);
out:
gfn_unlock(p2m, gfn, order);
On Wed, Mar 13, 2024 at 2:00 PM Jan Beulich <jbeulich@suse.com> wrote:
>
> When not holding the PoD lock across the entire region covering both the
> P2M update and the stats update, the entry count - if it is to be
> incorrect at all - should err toward too large a value rather than too
> small a one, to avoid functions bailing early when they find the count
> is zero. However, instead of moving the increment ahead (and adjusting
> it back upon failure), extend the PoD-locked region.
>
> Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer")
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Would you mind commenting on why you went with multiple unlocks,
rather than multiple if statements?  e.g.,

```
rc = p2m_set_entry(...);

/* Do the pod entry adjustment while holding the lock on success */
if ( rc == 0 ) {
    /* adjust pod entries */
}

pod_unlock(p2m);

/* Do the rest of the clean-up and error handling */
if ( rc == 0 ) {
```

Just right now the multiple unlocks makes me worry that we may forget
one at some point.

 -George
On 13.03.2024 17:31, George Dunlap wrote:
> On Wed, Mar 13, 2024 at 2:00 PM Jan Beulich <jbeulich@suse.com> wrote:
>>
>> When not holding the PoD lock across the entire region covering both the
>> P2M update and the stats update, the entry count - if it is to be
>> incorrect at all - should err toward too large a value rather than too
>> small a one, to avoid functions bailing early when they find the count
>> is zero. However, instead of moving the increment ahead (and adjusting
>> it back upon failure), extend the PoD-locked region.
>>
>> Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer")
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>
> Would you mind commenting on why you went with multiple unlocks,
> rather than multiple if statements?

Simply because what I did I view as more logical a code structure than ...

> e.g.,
>
> ```
> rc = p2m_set_entry(...);
>
> /* Do the pod entry adjustment while holding the lock on success */
> if ( rc == 0 ) {
>     /* adjust pod entries */
> }
>
> pod_unlock(p2m);
>
> /* Do the rest of the clean-up and error handling */
> if ( rc == 0 ) {
> ```

... this, ...

> Just right now the multiple unlocks makes me worry that we may forget
> one at some point.

... despite this possible concern. But well, if going the other route is
what it takes to finally get this in, so be it.

Jan