Received: by 10.192.165.148 with SMTP id m20csp445689imm; Wed, 25 Apr 2018 02:04:14 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+Omfsfekrntdu9neP6FTZ5OhqXXTFIsXQczcC46oS93B6L04fHINiTVV+kp/2NEGPtH/FJ X-Received: by 2002:a17:902:7841:: with SMTP id e1-v6mr28756513pln.197.1524647054790; Wed, 25 Apr 2018 02:04:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524647054; cv=none; d=google.com; s=arc-20160816; b=ZLew/ub3BXmTsW7r6SxTsyy1/xJ2imVL7R1ylr3mY2jh2aEWF7HDzHBp9CXjlcVkXe GnhQ8WLHZSuD60eZ6e6IQyOEMnNpNm/uD+RQIYayb4Z/UKCHeqgJDWMK8z667bGlLZLI 5K44B1aaogRprIqH7pACBHE9vywj54Z5UvP0w79J2zjbaNYqrhWRUtTXJ16RdeE+R4fQ ajzQAVTXlHFWs97Uw7nad4VpTghbFXNJWT7DmZdnCQFnVccfhlIN75oEFTIjUx1MyXkV iGe8J2edCN7AyrjY/Yf2tm/HYe+K/W1v9zn+tO41WhdKun5V1CrZZcDk5pP8WNzNQvMO IbSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:subject:cc:to:from:message-id :date:arc-authentication-results; bh=4B6DFlBWqVLcZSe1EYufGiB8P4B81YflKqVszq3fKTo=; b=T4VSgGyd2R5Isu3l0bDjC2jU2lHQFKeuOtzbuJ5tdbDuWji0D2huxvFRrxTEbHX2Ul p0CQCDa5hG+l3oQWzictGjbrE0EQF6fpgJ+48BJ5ldYoMbyYGY4XECVT6DWnGgmhpUxp zo5ZT+n+uI3NeWB9qMZu2FWTqu9HlZT5sBsIrzMi4MCDDHkIsRXsl7+GP1a1E69Ry+4m /7ojuzZ9DOVhLKQnFUbXQO7Ls1vHX8oaj0f8IDyvqHQKOrXcIpoOwe75+ds2lw32PpRV 1znV/xdpAPHPceXCVBKjtcjhnPj3X/4Dcsf8K7JPciFYMJSopkyYSTohlCfA7iH2Fh24 psBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d124si3051982pgc.6.2018.04.25.02.04.00; Wed, 25 Apr 2018 02:04:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752000AbeDYJCf (ORCPT + 99 others); Wed, 25 Apr 2018 05:02:35 -0400 Received: from mx2.suse.de ([195.135.220.15]:41166 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751971AbeDYJC1 (ORCPT ); Wed, 25 Apr 2018 05:02:27 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 6DD06AE2A; Wed, 25 Apr 2018 09:02:25 +0000 (UTC) Date: Wed, 25 Apr 2018 11:02:23 +0200 Message-ID: From: Takashi Iwai To: Oleksandr Andrushchenko Cc: alsa-devel@alsa-project.org, xen-devel@lists.xenproject.org, boris.ostrovsky@oracle.com, konrad.wilk@oracle.com, perex@perex.cz, Juergen Gross , linux-kernel@vger.kernel.org, Oleksandr Andrushchenko Subject: Re: [PATCH v2 3/5] ALSA: xen-front: Implement Xen event channel handling In-Reply-To: <04e313e5-4fdb-9f7b-43e3-f1551f582db2@gmail.com> References: <20180416062453.24743-1-andr2000@gmail.com> <20180416062453.24743-4-andr2000@gmail.com> <04e313e5-4fdb-9f7b-43e3-f1551f582db2@gmail.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 25 Apr 2018 10:26:34 +0200, Oleksandr Andrushchenko wrote: > > On 04/24/2018 07:23 PM, Oleksandr Andrushchenko wrote: > > On 04/24/2018 06:02 PM, Takashi Iwai wrote: > >> On Tue, 24 Apr 2018 16:58:43 +0200, > >> Oleksandr Andrushchenko wrote: > >>> On 04/24/2018 05:35 PM, Takashi Iwai wrote: > >>>> On Tue, 24 Apr 2018 16:29:15 +0200, > >>>> Oleksandr Andrushchenko wrote: > >>>>> On 04/24/2018 05:20 PM, Takashi Iwai wrote: > >>>>>> On Mon, 16 Apr 2018 08:24:51 +0200, > >>>>>> Oleksandr Andrushchenko wrote: > >>>>>>> +static irqreturn_t evtchnl_interrupt_req(int irq, void *dev_id) > >>>>>>> +{ > >>>>>>> +    struct xen_snd_front_evtchnl *channel = dev_id; > >>>>>>> +    struct xen_snd_front_info *front_info = channel->front_info; > >>>>>>> +    struct xensnd_resp *resp; > >>>>>>> +    RING_IDX i, rp; > >>>>>>> +    unsigned long flags; > >>>>>>> + > >>>>>>> +    if (unlikely(channel->state != EVTCHNL_STATE_CONNECTED)) > >>>>>>> +        return IRQ_HANDLED; > >>>>>>> + > >>>>>>> +    spin_lock_irqsave(&front_info->io_lock, flags); > >>>>>>> + > >>>>>>> +again: > >>>>>>> +    rp = channel->u.req.ring.sring->rsp_prod; > >>>>>>> +    /* ensure we see queued responses up to rp */ > >>>>>>> +    rmb(); > >>>>>>> + > >>>>>>> +    for (i = channel->u.req.ring.rsp_cons; i != rp; i++) { > >>>>>> I'm not familiar with Xen stuff in general, but through a quick > >>>>>> glance, this kind of code worries me a bit. > >>>>>> > >>>>>> If channel->u.req.ring.rsp_cons has a bogus number, this may > >>>>>> lead to a > >>>>>> very long loop, no?  Better to have a sanity check of the ring > >>>>>> buffer > >>>>>> size. > >>>>> In this loop I have: > >>>>> resp = RING_GET_RESPONSE(&channel->u.req.ring, i); > >>>>> and the RING_GET_RESPONSE macro is designed in the way that > >>>>> it wraps around when *i* in the question gets bigger than > >>>>> the ring size: > >>>>> > >>>>> #define RING_GET_REQUEST(_r, _idx)                    \ > >>>>>       (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req)) > >>>>> > >>>>> So, even if the counter has a bogus number it will not last long > >>>> Hm, this prevents from accessing outside the ring buffer, but does it > >>>> change the loop behavior? > >>> no, it doesn't > >>>> Suppose channel->u.req.ring_rsp_cons = 1, and rp = 0, the loop below > >>>> would still consume the whole 32bit counts, no? > >>>> > >>>>     for (i = channel->u.req.ring.rsp_cons; i != rp; i++) { > >>>>         resp = RING_GET_RESPONSE(&channel->u.req.ring, i); > >>>>         ... > >>>>     } > >>> You are right here and the comment is totally valid. > >>> I'll put an additional check like here [1] and here [2] > >>> Will this address your comment? > >> Yep, this kind of sanity checks should work. > >> > > Great, will implement the checks this way then > Well, after thinking a bit more on that and chatting on #xendevel IRC > with Juergen (he is on CC list), it seems that the way the code is now > it is all fine without the checks: the assumption here is that > the backend is trusted to always write sane values to the ring counters, > thus no overflow checks on frontend side are required. > Even if I implement the checks then I have no means to recover, but > just print > an error message and bail out not handling any responses. > This is probably why the checks [1] and [2] are only implemented for the > backend side and there are no such macros for the frontend side. > > Takashi, please let me know if the above sounds reasonable and > addresses your comments. If it's guaranteed to work, that's OK. But maybe it's worth to comment for readers. thanks, Takashi