Received: by 10.192.165.148 with SMTP id m20csp418945imm; Wed, 25 Apr 2018 01:29:10 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/ZVht82gPVQhDS5KTDaY+SQ8WoUI1ab/mkOSj+coipZQ4JApTQh5V6QOLuenhIj6jptdni X-Received: by 2002:a17:902:30a3:: with SMTP id v32-v6mr28530147plb.123.1524644950289; Wed, 25 Apr 2018 01:29:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524644950; cv=none; d=google.com; s=arc-20160816; b=v451z4VSnbGalRfVELh41N63w+cZ6bViZeMMO1Bh4elTFCRMy5tmnVrxRKn0b49XTT +EWjGKgqfhDexr9i/KoyfU+3TMg9imQTOPe7Zb2afDpWBBNtnzto6tMMAnK9yoY0k2RR VO/Vf+9nylaaxSsrmOw/wUYyMf9LLd7BLTyZIchQ5ny/08qF/9ASN/BktDeDUdrCNyJ8 jbsz8Z28X7JARVKVsCk8aH2Vcj65/q1z6qtMpEuJgCS6PiRRh2YvORP6oeDnoNJU7ZG2 dxwgq81Qh6bzNRooCxaWqv0eM9/REKQ+4jL2WlL4FPQAKBnpzZ9mQZTF98vqxht2jDzw Kqhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:references:cc:to:from:subject:dkim-signature :arc-authentication-results; bh=wdZxxKmuq/QLL7FV/x4W6vIL2xaDV2/INNDMBH/aU8w=; b=YEFO85ddiCGNqXD3k2izc5uKzDIzPm7UBsgto6BJM7fClnlqBQZQeWmvJwEh2yg03A QVnHejtwdy+emCVaMzHAY1acLSEcx9c+UhcV+xGfnCcdGEkhp1cbyA+JZH6XOohCpAGQ YB9EjAkZs/GbmtRS8YTJQlrlGi+azBgMvWqY65/q96Y9BPCpC1fIJC/xdPucxU53Y46g d414nrIy75LmSyitmV5+QWFZ7GW2fP7+Mo1fgE5w2iyhkvfMx0CQfz4NwaebIVMcOVU4 221FE93Jtndn71sjVkTRO6KE1SFcC1eUTdX0k2xh6H/6NYia65S/Indhf5qMmb3MaOxf GG2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=lWrxxs1z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l27si10068795pgu.353.2018.04.25.01.28.55; Wed, 25 Apr 2018 01:29:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=lWrxxs1z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751475AbeDYI0o (ORCPT + 99 others); Wed, 25 Apr 2018 04:26:44 -0400 Received: from mail-lf0-f47.google.com ([209.85.215.47]:43729 "EHLO mail-lf0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750941AbeDYI0i (ORCPT ); Wed, 25 Apr 2018 04:26:38 -0400 Received: by mail-lf0-f47.google.com with SMTP id g12-v6so8115467lfb.10 for ; Wed, 25 Apr 2018 01:26:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=wdZxxKmuq/QLL7FV/x4W6vIL2xaDV2/INNDMBH/aU8w=; b=lWrxxs1z4GsYAw5ZrlBIX0/ttVI0ZYmlYvBBn6BTQa5dtKBsNUdz+4BH4rWH3DGYo1 0pBBCd9d61kOOWCTQ3PZlK3x+UEPpU5hq+yvCOP3IJHUwW25bFtJmJFVaHSVFIGK1wJc qAzbODo7psS3/h6hXCmEfak85UVZs6TWHWrTqxcD88NozOdOQQeax7k52wnCHSf7pdnA tu0vqaN36s1PexVb3ACZHG6xg/0Z1g70Hv8oJzeTpwYyVDFkgSEgRYUQhD+sJ22c89dQ ThYOOpeO+BE+/n8n4LzkqDjr6RtS+MWHLtSvI6LyWKfecy2cnOfiq0exS5oM1KMWghlY +A0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:references:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=wdZxxKmuq/QLL7FV/x4W6vIL2xaDV2/INNDMBH/aU8w=; b=rwzEV/lVl5MIVFoAi8lTwBdKr4PxXdDH57PrzAXgEs5qYijOzCeTAJPo0lmDhylQSe oSDcqX1kbErnc0VC9bCqFFbrGKuNGapjKdheA8Fjf4gwrINhYOTuIFhA63c/ddSOtwJ0 XchYAPwIXwyT+C14W/Tp5DkBRr5xvCdyPUPIDdxDPmFMVUkxU+J+tm1sf7QENT3Rgem4 SlhOGtXiQKNZOU+kc3hBjgDWiCaIqUxHHIKQfvaLwyBPnOFfsnVGpRUPlI2yHclCkkrG qCJoYTQrxXcv6xYp/G/B2slsaX5+T6jZNEg4cgHKig5A4wpe53zv4Xxuw9jTnenrgsao 6piw== X-Gm-Message-State: ALQs6tCi5TSbZdain2jR17IemfyOrT+Ljxz4pmV8wouOiQi5L32dF3Cb FW3vrSdwIjpQkfioH7smWxkpE/kpv2g= X-Received: by 2002:a19:1895:: with SMTP id 21-v6mr13069916lfy.39.1524644796169; Wed, 25 Apr 2018 01:26:36 -0700 (PDT) Received: from [10.17.182.9] (ll-52.209.223.85.sovam.net.ua. [85.223.209.52]) by smtp.gmail.com with ESMTPSA id v64sm3175115lje.56.2018.04.25.01.26.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Apr 2018 01:26:35 -0700 (PDT) Subject: Re: [PATCH v2 3/5] ALSA: xen-front: Implement Xen event channel handling From: Oleksandr Andrushchenko To: Takashi Iwai Cc: alsa-devel@alsa-project.org, xen-devel@lists.xenproject.org, boris.ostrovsky@oracle.com, konrad.wilk@oracle.com, perex@perex.cz, Juergen Gross , linux-kernel@vger.kernel.org, Oleksandr Andrushchenko References: <20180416062453.24743-1-andr2000@gmail.com> <20180416062453.24743-4-andr2000@gmail.com> Message-ID: <04e313e5-4fdb-9f7b-43e3-f1551f582db2@gmail.com> Date: Wed, 25 Apr 2018 11:26:34 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/24/2018 07:23 PM, Oleksandr Andrushchenko wrote: > On 04/24/2018 06:02 PM, Takashi Iwai wrote: >> On Tue, 24 Apr 2018 16:58:43 +0200, >> Oleksandr Andrushchenko wrote: >>> On 04/24/2018 05:35 PM, Takashi Iwai wrote: >>>> On Tue, 24 Apr 2018 16:29:15 +0200, >>>> Oleksandr Andrushchenko wrote: >>>>> On 04/24/2018 05:20 PM, Takashi Iwai wrote: >>>>>> On Mon, 16 Apr 2018 08:24:51 +0200, >>>>>> Oleksandr Andrushchenko wrote: >>>>>>> +static irqreturn_t evtchnl_interrupt_req(int irq, void *dev_id) >>>>>>> +{ >>>>>>> +    struct xen_snd_front_evtchnl *channel = dev_id; >>>>>>> +    struct xen_snd_front_info *front_info = channel->front_info; >>>>>>> +    struct xensnd_resp *resp; >>>>>>> +    RING_IDX i, rp; >>>>>>> +    unsigned long flags; >>>>>>> + >>>>>>> +    if (unlikely(channel->state != EVTCHNL_STATE_CONNECTED)) >>>>>>> +        return IRQ_HANDLED; >>>>>>> + >>>>>>> +    spin_lock_irqsave(&front_info->io_lock, flags); >>>>>>> + >>>>>>> +again: >>>>>>> +    rp = channel->u.req.ring.sring->rsp_prod; >>>>>>> +    /* ensure we see queued responses up to rp */ >>>>>>> +    rmb(); >>>>>>> + >>>>>>> +    for (i = channel->u.req.ring.rsp_cons; i != rp; i++) { >>>>>> I'm not familiar with Xen stuff in general, but through a quick >>>>>> glance, this kind of code worries me a bit. >>>>>> >>>>>> If channel->u.req.ring.rsp_cons has a bogus number, this may lead >>>>>> to a >>>>>> very long loop, no?  Better to have a sanity check of the ring >>>>>> buffer >>>>>> size. >>>>> In this loop I have: >>>>> resp = RING_GET_RESPONSE(&channel->u.req.ring, i); >>>>> and the RING_GET_RESPONSE macro is designed in the way that >>>>> it wraps around when *i* in the question gets bigger than >>>>> the ring size: >>>>> >>>>> #define RING_GET_REQUEST(_r, _idx)                    \ >>>>>       (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) >>>>> >>>>> So, even if the counter has a bogus number it will not last long >>>> Hm, this prevents from accessing outside the ring buffer, but does it >>>> change the loop behavior? >>> no, it doesn't >>>> Suppose channel->u.req.ring_rsp_cons = 1, and rp = 0, the loop below >>>> would still consume the whole 32bit counts, no? >>>> >>>>     for (i = channel->u.req.ring.rsp_cons; i != rp; i++) { >>>>         resp = RING_GET_RESPONSE(&channel->u.req.ring, i); >>>>         ... >>>>     } >>> You are right here and the comment is totally valid. >>> I'll put an additional check like here [1] and here [2] >>> Will this address your comment? >> Yep, this kind of sanity checks should work. >> > Great, will implement the checks this way then Well, after thinking a bit more on that and chatting on #xendevel IRC with Juergen (he is on CC list), it seems that the way the code is now it is all fine without the checks: the assumption here is that the backend is trusted to always write sane values to the ring counters, thus no overflow checks on frontend side are required. Even if I implement the checks then I have no means to recover, but just print an error message and bail out not handling any responses. This is probably why the checks [1] and [2] are only implemented for the backend side and there are no such macros for the frontend side. Takashi, please let me know if the above sounds reasonable and addresses your comments. >> thanks, >> >> Takashi > Thank you, > Oleksandr >>>> Takashi >>> Thank you, >>> Oleksandr >>> >>> [1] >>> https://elixir.bootlin.com/linux/v4.17-rc2/source/drivers/block/xen-blkback/blkback.c#L1127 >>> >>> [2] >>> https://elixir.bootlin.com/linux/v4.17-rc2/source/drivers/block/xen-blkback/blkback.c#L1135 >>> >>> >