Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp66479rdb;
        Wed, 14 Feb 2024 12:55:34 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCXRYyohWDexFFH3hU2hzQ44dj0uHSzJNLeTwl/Gm4ZwRZyi3e5qtetY+ccR9AgxlqxGHp7puvq+8GTAyod7J/uXQUckoQk7jge1drfjOg==
X-Google-Smtp-Source: AGHT+IGKsqhySzq+nn1RmnpcbNdt+2jEvstHUhnGmiahkVYJ3fwfa+Dj1le4AoC7uzoYuISJ8/z4
X-Received: by 2002:a19:f80c:0:b0:511:aae2:e5e8 with SMTP id a12-20020a19f80c000000b00511aae2e5e8mr1765782lff.52.1707944134135;
        Wed, 14 Feb 2024 12:55:34 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707944134; cv=pass;
        d=google.com; s=arc-20160816;
        b=uMnV1YRqGy1STxSuqelQnELNi7JygFnTFJLiuAAMRVVJ+Uqk6qeZVPIOlrw3doVw+G
         uMpXfnYC9XEn1u6S7Msix0RGdfZWCOtlS89nIJFJndV61lzu6llLMUE387GRx5ppaSte
         GAmKyChovuj5wNss+SvaU8Zav0wJrdro5onCOdeogAu5u5rBbJzX3v1Pq2lxzk0tsGr4
         db3kzuwvI69TpiMdqEX4+dp4a9lzvJ/yjCOsLTGMPR2ZtQwDNCc/5aENoxztzoBylm5l
         4Ub4RD49VE+VSCE1qRuHQesERxYuKopES2zX5CQNso/RVhQQfRNpqareYE94rciEbNGz
         nhyQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:dkim-signature:date;
        bh=xo8269aewKOfShv/31KAAKnpB/F7S+Kl3+Lk1/FPD3g=;
        fh=cZNVNxUtW7SPAC0HGH8AlEUN8kq36/+TSIiKVjVgX0k=;
        b=Ckyzy3LnbMlErFo91IB7QNPdYJ8wlQ38TEl5kJits92kFV1fKuSYQnXd5/brzfsFWz
         0r2vPYSoBKX8GYzimnHhiEvN9JFwzgCrc6bQykmACX8jg//Lp+EsArWfwlCgoY1icdd8
         bhqiy10ok6RmDTrvfl2GO+EnltgcWLT04aqoiqk2RfUPag88LeFa7F/K0OQf5nruI0O7
         d2B2CoQkWkpajFYCOu3W6hZXbszlbaIggJtFKcszdlIYAoFP43o5Fz0PHA1NVjI1REcY
         L4Y88Ns0ugc6F8DOkvzoFmwQw9+TcFAJYjTMJh6qkyrGj6oo0uJBRvGVoSdBKDm6GPPD
         sBRQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=Pk1ICBHh;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-65958-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65958-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
X-Forwarded-Encrypted: i=2; AJvYcCWuuDxIqSbDgEhVyJiIcp4TT9QJUVqsmXTbd09wMtMjFy9R1mVW5iLjWq63sLrFoJmB918uNZO6E6LesnKX9McpuZeqVU++XqDJZP2Xdg==
Return-Path: <linux-kernel+bounces-65958-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id gn41-20020a1709070d2900b00a3d1bfa0b20si1722912ejc.203.2024.02.14.12.55.34
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 14 Feb 2024 12:55:34 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-65958-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=Pk1ICBHh;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-65958-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65958-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id D9D201F22108
	for <linux.lists.archive@gmail.com>; Wed, 14 Feb 2024 20:55:33 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1450E13EFF1;
	Wed, 14 Feb 2024 20:55:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="Pk1ICBHh"
Received: from out-185.mta0.migadu.com (out-185.mta0.migadu.com [91.218.175.185])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 99CDE13DBBF
	for <linux-kernel@vger.kernel.org>; Wed, 14 Feb 2024 20:55:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.185
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1707944124; cv=none; b=hCP2lKZUL5sj7F7GRn91rw4oXO07/ZKDwEhrCKuC/ZIOfN51cXwb8sYJRtfAn+zsToLKM9WJgLExAaKArK1jrcNalboNn9iXK0jg6EXyXYBwe+1SGZvNclUllX7gLuJMi9G7WBFYWxMsfmZuRKXJAPhK/vF1IfD3oiGmNrSWEhU=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1707944124; c=relaxed/simple;
	bh=3iFXhBXrEO5fMGfS3YlOFuiqKJb2jToIVEM1adjf3KE=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=fXyWIUv3oxnSFCrUApeDIoKiGw9zlJiVCGd2VZF0mNRmr9uUTJNAl8ADE7WeGB5s6c+k3eJyyu7UzLxtjzjkLEdyC9BT3zCiZJrzWzJf3Ror41Awr4iK/oRXAhhtT2fdVFl6TMXGEHgY1yUpc2+H/KiNGE5tSScafaWz3TkaYXs=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=Pk1ICBHh; arc=none smtp.client-ip=91.218.175.185
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev
Date: Wed, 14 Feb 2024 12:55:11 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1707944119;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=xo8269aewKOfShv/31KAAKnpB/F7S+Kl3+Lk1/FPD3g=;
	b=Pk1ICBHhIE2T5qz5LlX4RF1DHCijddx53Q7QHWurpgjANNIC33z13Uq6ipi2CzOcOeqdhg
	w/lP6rjgfoYdEZWWP+xT9pzh+YW4UGPBq4xUkainwHB4dsNoMuCAhDvTmTjjN/6DiCOZ6p
	/k8iGjl1Iy8+O/twNjnbNz7WKb+nXKs=
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: Oliver Upton <oliver.upton@linux.dev>
To: Marc Zyngier <maz@kernel.org>
Cc: kvmarm@lists.linux.dev, kvm@vger.kernel.org,
	James Morse <james.morse@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Zenghui Yu <yuzenghui@huawei.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 19/23] KVM: selftests: Add a minimal library for
 interacting with an ITS
Message-ID: <Zc0orzU-CeKEyx3j@linux.dev>
References: <20240213093250.3960069-1-oliver.upton@linux.dev>
 <20240213094114.3961683-1-oliver.upton@linux.dev>
 <86zfw33qae.wl-maz@kernel.org>
 <Zc0NsFm40nIqTmRf@linux.dev>
 <86v86q4xkf.wl-maz@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86v86q4xkf.wl-maz@kernel.org>
X-Migadu-Flow: FLOW_OUT

On Wed, Feb 14, 2024 at 08:09:52PM +0000, Marc Zyngier wrote:
> > If the order of restore from userspace is CBASER, CWRITER, CREADR then
> > we **wind up replaying the entire command queue**. While insane, I'm
> > pretty sure it is legal for the guest to write garbage after the read
> > pointer has moved past a particular command index.
> > 
> > Fsck!!!
> 
> This is documented Documentation/virt/kvm/devices/arm-vgic-its.rst to
> some extent, and it is allowed for the guest to crap itself on behalf
> of userspace if the ordering isn't respected.

Ah, fair, I missed the documentation here. If we require userspace to
write CTLR last then we _should_ be fine, but damn is this a tricky set
of expectations.

> > So, how about we do this:
> > 
> >  - Provide a uaccess hook for CWRITER that changes the write-pointer
> >    without processing any commands
> > 
> >  - Assert an invariant that at any time CWRITER or CREADR are read from
> >    userspace that CREADR == CWRITER. Fail the ioctl and scream if that
> >    isn't the case, so that way we never need to worry about processing
> >    'in-flight' commands at the destination.
> 
> Are we guaranteed that we cannot ever see CWRITER != CREADR at VM
> dumping time? I'm not convinced that we cannot preempt the vcpu thread
> at the right spot, specially given that you can have an arbitrary
> large batch of commands to execute.
> 
> Just add a page-fault to the mix, and a signal pending. Pronto, you
> see a guest exit and you should be able to start dumping things
> without the ITS having processed much. I haven't tried, but that
> doesn't seem totally unlikely.

Well, we would need to run all userspace reads and writes through the
cmd_lock in this case, which is what we already do for the CREADR
uaccess hook. To me the 'racy' queue accessors only make sense for guest
accesses, since the driver is expecting to poll for completion in that
case.

Otherwise we decide the existing rules for restoring the ITS are fine
and I get to keep my funky driver :)

-- 
Thanks,
Oliver