2019-04-23 10:56:50

by Jürgen Groß

Subject: [PATCH 0/3] xen/swiotlb: fix an issue and improve swiotlb-xen

While hunting an issue in swiotlb-xen I stumbled over a wrong test
and found some areas for improvement.

Juergen Gross (3):
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
xen/swiotlb: simplify range_straddles_page_boundary()
xen/swiotlb: remember having called xen_create_contiguous_region()

drivers/xen/swiotlb-xen.c | 37 ++++++++++++-------------------------
1 file changed, 12 insertions(+), 25 deletions(-)

--
2.16.4


2019-04-23 10:56:18

by Jürgen Groß

Subject: [PATCH 2/3] xen/swiotlb: simplify range_straddles_page_boundary()

range_straddles_page_boundary() is open coding several macros from
include/xen/page.h. Use those instead. Additionally there is no need
to have check_pages_physically_contiguous() as a separate function as
it is used only once, so merge it into range_straddles_page_boundary().

Signed-off-by: Juergen Gross <[email protected]>
---
drivers/xen/swiotlb-xen.c | 28 ++++++----------------------
1 file changed, 6 insertions(+), 22 deletions(-)

diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
index 42a3924e6d91..43b6e65ae256 100644
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -92,34 +92,18 @@ static inline dma_addr_t xen_virt_to_bus(void *address)
return xen_phys_to_bus(virt_to_phys(address));
}

-static int check_pages_physically_contiguous(unsigned long xen_pfn,
- unsigned int offset,
- size_t length)
+static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
{
- unsigned long next_bfn;
- int i;
- int nr_pages;
+ unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p);
+ unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size);

next_bfn = pfn_to_bfn(xen_pfn);
- nr_pages = (offset + length + XEN_PAGE_SIZE-1) >> XEN_PAGE_SHIFT;

- for (i = 1; i < nr_pages; i++) {
+ for (i = 1; i < nr_pages; i++)
if (pfn_to_bfn(++xen_pfn) != ++next_bfn)
- return 0;
- }
- return 1;
-}
+ return 1;

-static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
-{
- unsigned long xen_pfn = XEN_PFN_DOWN(p);
- unsigned int offset = p & ~XEN_PAGE_MASK;
-
- if (offset + size <= XEN_PAGE_SIZE)
- return 0;
- if (check_pages_physically_contiguous(xen_pfn, offset, size))
- return 0;
- return 1;
+ return 0;
}

static int is_xen_swiotlb_buffer(dma_addr_t dma_addr)
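Review bot: In the merged range_straddles_page_boundary(), `next_bfn = pfn_to_bfn(xen_pfn);` now runs on every call, including ranges that fit in one Xen page, which the removed `if (offset + size <= XEN_PAGE_SIZE) return 0;` used to short-circuit before any lookup. The result is unchanged because the loop body never executes when nr_pages is 1 or less, but the single-page case is now implicit; either keep an early return ahead of the lookup or add a one-line comment saying the loop bound covers it. Since the function is rewritten anyway, a `bool` return type would fit the 0/1 result better than `int`.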
--
2.16.4

2019-04-23 10:56:25

by Jürgen Groß

Subject: [PATCH 1/3] xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()

The condition in xen_swiotlb_free_coherent() for deciding whether to
call xen_destroy_contiguous_region() is wrong: in case the region to
be freed is not contiguous calling xen_destroy_contiguous_region() is
the wrong thing to do: it would result in inconsistent mappings of
multiple PFNs to the same MFN. This will lead to various strange
crashes or data corruption.

Instead of calling xen_destroy_contiguous_region() in that case a
warning should be issued as that situation should never occur.

Cc: [email protected]
Signed-off-by: Juergen Gross <[email protected]>
---
drivers/xen/swiotlb-xen.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
index 877baf2a94f4..42a3924e6d91 100644
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -360,8 +360,8 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
/* Convert the size to actually allocated. */
size = 1UL << (order + XEN_PAGE_SHIFT);

- if (((dev_addr + size - 1 <= dma_mask)) ||
- range_straddles_page_boundary(phys, size))
+ if ((dev_addr + size - 1 <= dma_mask) &&
+ !WARN_ON(range_straddles_page_boundary(phys, size)))
xen_destroy_contiguous_region(phys, order);

xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);
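Review bot: The WARN_ON() in the new condition sits on the right-hand side of `&&`, so it is evaluated only when `dev_addr + size - 1 <= dma_mask` is true; a non-contiguous region that fails the mask test is skipped without any warning, although the commit message says that situation should never occur and should be reported. Consider evaluating the contiguity check on its own, ahead of the mask test, so the warning does not depend on the mask. If this path can be hit repeatedly, WARN_ON_ONCE() would keep the log readable.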
--
2.16.4

2019-04-23 10:57:22

by Jürgen Groß

Subject: [PATCH 3/3] xen/swiotlb: remember having called xen_create_contiguous_region()

Instead of always calling xen_destroy_contiguous_region() in case the
memory is DMA-able for the used device, do so only in case it has been
made DMA-able via xen_create_contiguous_region() before.

This will avoid a lot of xen_destroy_contiguous_region() calls for
64-bit capable devices.

As the memory in question is owned by swiotlb-xen the PG_owner_priv_1
flag of the first allocated page can be used for remembering.

Signed-off-by: Juergen Gross <[email protected]>
---
drivers/xen/swiotlb-xen.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
index 43b6e65ae256..a72f181d8e20 100644
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -321,6 +321,7 @@ xen_swiotlb_alloc_coherent(struct device *hwdev, size_t size,
xen_free_coherent_pages(hwdev, size, ret, (dma_addr_t)phys, attrs);
return NULL;
}
+ SetPageOwnerPriv1(virt_to_page(ret));
}
memset(ret, 0, size);
return ret;
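Review bot: The added `SetPageOwnerPriv1(virt_to_page(ret));` carries no comment saying what the flag means in this file; the commit message is the only place explaining that it records a successful xen_create_contiguous_region() on the first page of the allocation. A short comment here, or a named wrapper for the flag, would make the pairing with the free path visible to the next reader. The line also relies on `ret` being an address that virt_to_page() can translate, which the hunk does not show; it is worth stating where that is guaranteed.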
@@ -344,9 +345,11 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
/* Convert the size to actually allocated. */
size = 1UL << (order + XEN_PAGE_SHIFT);

- if ((dev_addr + size - 1 <= dma_mask) &&
- !WARN_ON(range_straddles_page_boundary(phys, size)))
- xen_destroy_contiguous_region(phys, order);
+ if (PageOwnerPriv1(virt_to_page(vaddr))) {
+ if (!WARN_ON(range_straddles_page_boundary(phys, size)))
+ xen_destroy_contiguous_region(phys, order);
+ ClearPageOwnerPriv1(virt_to_page(vaddr));
+ }

xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);
}
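Review bot: In the new branch the flag is tested with PageOwnerPriv1() and cleared with ClearPageOwnerPriv1() as two separate steps, each with its own `virt_to_page(vaddr)`; a single TestClearPageOwnerPriv1() would do both and drop the second translation. Note also that when the WARN_ON() fires the flag is cleared but xen_destroy_contiguous_region() is skipped, so the pages reach xen_free_coherent_pages() with the exchange not undone; a comment saying this is the intended fallback would help. With the `dev_addr + size - 1 <= dma_mask` test removed, check whether dev_addr and dma_mask still have users in this function.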
--
2.16.4

2019-04-23 14:15:34

by Boris Ostrovsky

Subject: Re: [PATCH 1/3] xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()

On 4/23/19 6:54 AM, Juergen Gross wrote:
> The condition in xen_swiotlb_free_coherent() for deciding whether to
> call xen_destroy_contiguous_region() is wrong: in case the region to
> be freed is not contiguous calling xen_destroy_contiguous_region() is
> the wrong thing to do: it would result in inconsistent mappings of
> multiple PFNs to the same MFN. This will lead to various strange
> crashes or data corruption.
>
> Instead of calling xen_destroy_contiguous_region() in that case a
> warning should be issued as that situation should never occur.
>
> Cc: [email protected]
> Signed-off-by: Juergen Gross <[email protected]>

Reviewed-by: Boris Ostrovsky <[email protected]>


2019-04-23 14:20:09

by Boris Ostrovsky

Subject: Re: [PATCH 2/3] xen/swiotlb: simplify range_straddles_page_boundary()

On 4/23/19 6:54 AM, Juergen Gross wrote:
> range_straddles_page_boundary() is open coding several macros from
> include/xen/page.h. Use those instead. Additionally there is no need
> to have check_pages_physically_contiguous() as a separate function as
> it is used only once, so merge it into range_straddles_page_boundary().
>
> Signed-off-by: Juergen Gross <[email protected]>

Reviewed-by: Boris Ostrovsky <[email protected]>


2019-04-23 14:27:24

by Boris Ostrovsky

Subject: Re: [PATCH 3/3] xen/swiotlb: remember having called xen_create_contiguous_region()

On 4/23/19 6:54 AM, Juergen Gross wrote:
> Instead of always calling xen_destroy_contiguous_region() in case the
> memory is DMA-able for the used device, do so only in case it has been
> made DMA-able via xen_create_contiguous_region() before.
>
> This will avoid a lot of xen_destroy_contiguous_region() calls for
> 64-bit capable devices.
>
> As the memory in question is owned by swiotlb-xen the PG_owner_priv_1
> flag of the first allocated page can be used for remembering.

I think a new enum in pageflags would be useful, and be consistent with
other flag uses.

-boris


>
> Signed-off-by: Juergen Gross <[email protected]>
> ---
> drivers/xen/swiotlb-xen.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
> index 43b6e65ae256..a72f181d8e20 100644
> --- a/drivers/xen/swiotlb-xen.c
> +++ b/drivers/xen/swiotlb-xen.c
> @@ -321,6 +321,7 @@ xen_swiotlb_alloc_coherent(struct device *hwdev, size_t size,
> xen_free_coherent_pages(hwdev, size, ret, (dma_addr_t)phys, attrs);
> return NULL;
> }
> + SetPageOwnerPriv1(virt_to_page(ret));
> }
> memset(ret, 0, size);
> return ret;
> @@ -344,9 +345,11 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
> /* Convert the size to actually allocated. */
> size = 1UL << (order + XEN_PAGE_SHIFT);
>
> - if ((dev_addr + size - 1 <= dma_mask) &&
> - !WARN_ON(range_straddles_page_boundary(phys, size)))
> - xen_destroy_contiguous_region(phys, order);
> + if (PageOwnerPriv1(virt_to_page(vaddr))) {
> + if (!WARN_ON(range_straddles_page_boundary(phys, size)))
> + xen_destroy_contiguous_region(phys, order);
> + ClearPageOwnerPriv1(virt_to_page(vaddr));
> + }
>
> xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);
> }

2019-04-23 17:07:24

by Stefano Stabellini

Subject: Re: [PATCH 3/3] xen/swiotlb: remember having called xen_create_contiguous_region()

On Tue, 23 Apr 2019, Juergen Gross wrote:
> Instead of always calling xen_destroy_contiguous_region() in case the
> memory is DMA-able for the used device, do so only in case it has been
> made DMA-able via xen_create_contiguous_region() before.
>
> This will avoid a lot of xen_destroy_contiguous_region() calls for
> 64-bit capable devices.
>
> As the memory in question is owned by swiotlb-xen the PG_owner_priv_1
> flag of the first allocated page can be used for remembering.

Although the patch looks OK, this sentence puzzles me. Why do you say
that the memory in question is owned by swiotlb-xen? Because it was
returned by xen_alloc_coherent_pages? Both the x86 and the Arm
implementation return fresh new memory, hence, it should be safe to set
the PageOwnerPriv1 flag?

My concern with this approach is with the semantics of PG_owner_priv_1.
Is a page marked with PG_owner_priv_1 only supposed to be used by the
owner?


> Signed-off-by: Juergen Gross <[email protected]>
> ---
> drivers/xen/swiotlb-xen.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
> index 43b6e65ae256..a72f181d8e20 100644
> --- a/drivers/xen/swiotlb-xen.c
> +++ b/drivers/xen/swiotlb-xen.c
> @@ -321,6 +321,7 @@ xen_swiotlb_alloc_coherent(struct device *hwdev, size_t size,
> xen_free_coherent_pages(hwdev, size, ret, (dma_addr_t)phys, attrs);
> return NULL;
> }
> + SetPageOwnerPriv1(virt_to_page(ret));
> }
> memset(ret, 0, size);
> return ret;
> @@ -344,9 +345,11 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
> /* Convert the size to actually allocated. */
> size = 1UL << (order + XEN_PAGE_SHIFT);
>
> - if ((dev_addr + size - 1 <= dma_mask) &&
> - !WARN_ON(range_straddles_page_boundary(phys, size)))
> - xen_destroy_contiguous_region(phys, order);
> + if (PageOwnerPriv1(virt_to_page(vaddr))) {
> + if (!WARN_ON(range_straddles_page_boundary(phys, size)))
> + xen_destroy_contiguous_region(phys, order);
> + ClearPageOwnerPriv1(virt_to_page(vaddr));
> + }
>
> xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);
> }

2019-04-23 18:38:31

by Jürgen Groß

Subject: Re: [PATCH 3/3] xen/swiotlb: remember having called xen_create_contiguous_region()

On 23/04/2019 19:05, Stefano Stabellini wrote:
> On Tue, 23 Apr 2019, Juergen Gross wrote:
>> Instead of always calling xen_destroy_contiguous_region() in case the
>> memory is DMA-able for the used device, do so only in case it has been
>> made DMA-able via xen_create_contiguous_region() before.
>>
>> This will avoid a lot of xen_destroy_contiguous_region() calls for
>> 64-bit capable devices.
>>
>> As the memory in question is owned by swiotlb-xen the PG_owner_priv_1
>> flag of the first allocated page can be used for remembering.
>
> Although the patch looks OK, this sentence puzzles me. Why do you say
> that the memory in question is owned by swiotlb-xen? Because it was
> returned by xen_alloc_coherent_pages? Both the x86 and the Arm
> implementation return fresh new memory, hence, it should be safe to set
> the PageOwnerPriv1 flag?
>
> My concern with this approach is with the semantics of PG_owner_priv_1.
> Is a page marked with PG_owner_priv_1 only supposed to be used by the
> owner?

The owner of the page is free to use the flag.

Like Grant pages are marked by the grant driver using this flag. And
Xen page tables are using it in PV-guests for indicating a "Pinned"
page table.


Juergen

2019-04-25 09:07:15

by Jan Beulich

Subject: Re: [Xen-devel] [PATCH 1/3] xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()

>>> On 23.04.19 at 12:54, <[email protected]> wrote:
> --- a/drivers/xen/swiotlb-xen.c
> +++ b/drivers/xen/swiotlb-xen.c
> @@ -360,8 +360,8 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
> /* Convert the size to actually allocated. */
> size = 1UL << (order + XEN_PAGE_SHIFT);
>
> - if (((dev_addr + size - 1 <= dma_mask)) ||
> - range_straddles_page_boundary(phys, size))
> + if ((dev_addr + size - 1 <= dma_mask) &&
> + !WARN_ON(range_straddles_page_boundary(phys, size)))
> xen_destroy_contiguous_region(phys, order);

On the allocation side we have

if (((dev_addr + size - 1 <= dma_mask)) &&
!range_straddles_page_boundary(phys, size))
*dma_handle = dev_addr;
else {
if (xen_create_contiguous_region(phys, order,
fls64(dma_mask), dma_handle) != 0) {
xen_free_coherent_pages(hwdev, size, ret, (dma_addr_t)phys, attrs);
return NULL;
}
}

which is (as far as the function call is concerned)

if ((dev_addr + size - 1 > dma_mask) ||
range_straddles_page_boundary(phys, size))
xen_create_contiguous_region(...);

So I don't think your transformation is correct. Even worse, both
parts of the condition in xen_swiotlb_free_coherent() act on an
address that is the _result_ of the prior
xen_create_contiguous_region(), i.e. the address should always
match _both_ criteria anyway. Whereas what you really want is
undo the xen_create_contiguous_region() only when it actually
was called. Otherwise you also shatter contiguous allocations
that were contiguous already for other reasons (perhaps just
luck).

Jan
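
The argument in the message above can be checked with a small model (an added example, not code from this thread or from the kernel). The struct, `model_alloc()`, the three `free_*` rules and `count_unpaired()` are hypothetical names, and the model assumes xen_create_contiguous_region() succeeds and leaves the region within the mask and contiguous.

```c
#include <stdbool.h>
#include <stdio.h>

/* A buffer as seen by the two predicates discussed in the thread. */
struct region {
    bool within_mask; /* dev_addr + size - 1 <= dma_mask */
    bool straddles;   /* range_straddles_page_boundary(phys, size) */
    bool remapped;    /* model of the per-page flag from patch 3/3 */
};

/* Allocation side as quoted by Jan: exchange memory only when needed. */
static bool model_alloc(struct region *r)
{
    if (r->within_mask && !r->straddles)
        return false;      /* usable as is, create is not called */
    r->within_mask = true; /* assumption: create succeeded */
    r->straddles = false;
    r->remapped = true;
    return true;
}

/* The three free-side rules: before the series, patch 1/3, patch 3/3. */
static bool free_original(const struct region *r) { return r->within_mask || r->straddles; }
static bool free_patch1(const struct region *r)   { return r->within_mask && !r->straddles; }
static bool free_patch3(const struct region *r)   { return r->remapped && !r->straddles; }

typedef bool (*free_rule)(const struct region *);

/* Count start states where destroy and create are not paired. */
static int count_unpaired(free_rule rule)
{
    int unpaired = 0;
    for (int bits = 0; bits < 4; bits++) {
        struct region r = { .within_mask = (bits & 1) != 0,
                            .straddles = (bits & 2) != 0,
                            .remapped = false };
        bool created = model_alloc(&r);
        if (rule(&r) != created)
            unpaired++;
    }
    return unpaired;
}

int main(void)
{
    printf("original: %d, patch 1/3: %d, patch 3/3: %d\n",
           count_unpaired(free_original), count_unpaired(free_patch1),
           count_unpaired(free_patch3));
    return 0;
}
```

The one unpaired state for the first two rules is the buffer that was already within the mask and contiguous at allocation time: both rules still call destroy for it, which is the "shatter" case described above.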


2019-04-25 12:45:44

by Jan Beulich

Subject: Re: [Xen-devel] [PATCH 3/3] xen/swiotlb: remember having called xen_create_contiguous_region()

>>> On 23.04.19 at 20:36, <[email protected]> wrote:
> On 23/04/2019 19:05, Stefano Stabellini wrote:
>> On Tue, 23 Apr 2019, Juergen Gross wrote:
>>> Instead of always calling xen_destroy_contiguous_region() in case the
>>> memory is DMA-able for the used device, do so only in case it has been
>>> made DMA-able via xen_create_contiguous_region() before.
>>>
>>> This will avoid a lot of xen_destroy_contiguous_region() calls for
>>> 64-bit capable devices.
>>>
>>> As the memory in question is owned by swiotlb-xen the PG_owner_priv_1
>>> flag of the first allocated page can be used for remembering.
>>
>> Although the patch looks OK, this sentence puzzles me. Why do you say
>> that the memory in question is owned by swiotlb-xen? Because it was
>> returned by xen_alloc_coherent_pages? Both the x86 and the Arm
>> implementation return fresh new memory, hence, it should be safe to set
>> the PageOwnerPriv1 flag?
>>
>> My concern with this approach is with the semantics of PG_owner_priv_1.
>> Is a page marked with PG_owner_priv_1 only supposed to be used by the
>> owner?
>
> The owner of the page is free to use the flag.
>
> Like Grant pages are marked by the grant driver using this flag. And
> Xen page tables are using it in PV-guests for indicating a "Pinned"
> page table.

Considering the background of the series, isn't such multi-purpose use
of the flag a possible problem? You're already suspecting a wrong call
into here. The function finding the flag set (but for another reason)
might add to the confusion. But I realize there are only so many page
flags available.

Perhaps the freeing function should, first thing, check the handed
space actually matches the criteria (within dma_mask and contiguous)?

Jan