On Tue, 3 Nov 2020 17:49:21 -0500 Tony Krowiak <akrowiak@xxxxxxxxxxxxx> wrote: > >> > >> +void vfio_ap_mdev_hot_unplug_queue(struct vfio_ap_queue *q) > >> +{ > >> + unsigned long apid = AP_QID_CARD(q->apqn); > >> + > >> + if ((q->matrix_mdev == NULL) || !vfio_ap_mdev_has_crycb(q->matrix_mdev)) > >> + return; > >> + > >> + /* > >> + * If the APID is assigned to the guest, then let's > >> + * go ahead and unplug the adapter since the > >> + * architecture does not provide a means to unplug > >> + * an individual queue. > >> + */ > >> + if (test_bit_inv(apid, q->matrix_mdev->shadow_apcb.apm)) { > >> + clear_bit_inv(apid, q->matrix_mdev->shadow_apcb.apm); > > Shouldn't we check aqm as well? I mean it may be clear at this point > > bacause of info->aqm. If the bit is clear, we don't have to remove > > the apm bit. > > The rule we agreed upon is that if a queue is removed, we unplug > the card because we can't unplug an individual queue, so this code > is consistent with the stated rule. All I'm asking for is to verify that the queue is actually plugged. The queue is actually plugged iff test_bit_inv(apid, q->matrix_mdev->shadow_apcb.apm) && test_bit_inv(apqi, q->matrix_mdev->shadow_apcb.aqm). There is no point in unplugging the whole card, if the queue removed is unplugged in the first place. > Typically, a queue is unplugged > because the adapter has been deconfigured or is broken which means > that all queues for that adapter will be removed in succession. On the > other hand, that situation would be handled when the last queue is > removed if we check the AQM, so I'm not adverse to making that > check if you insist. I don't agree. Let's detail your scenario. We have a nicely operating card which is as a whole passed trough to our guest. It goes broken, and the ap bus decides to deconstruct the queues. Already the first queue removed would unplug the the card, because both the apm and the aqm bits are set at this point. Subsequent removals then see that the apm bit is removed. Actually IMHO everything works like without the extra check on aqm (in this scenario). Would make reasoning about the code much easier to me, so sorry I do insist. > Of course, if the queue is manually unbound from > the vfio driver, what you are asking for makes sense I suppose. I'll have > to think about this one some more, but feel free to respond to this. I'm not sure the situation where the queues ->mdev_matrix pointer is set but the apqi is not in the shadow_apcb can actually happen (races not considered). But I'm sure the code is suggesting it can, because vfio_ap_mdev_filter_guest_matrix() has a third parameter called filter_apid, which governs whether the apm or the aqm bit should be removed. And vfio_ap_mdev_filter_guest_matrix() does get called with filter_apid=false in assign_domain_store() and I don't see subsequent unlink operations that would severe q->mdev_matrix. Another case where the aqm may get filtered in vfio_ap_mdev_filter_guest_matrix() is the info->aqm bit not set, as I've mentioned in my previous mail. If that can not happen, we should turn that into an assert. Actually if you are convinced that apqi bit is always set in the q->matrix_mdev->shadow_apcb.aqm, I would agree to turning that into an assertion instead of condition. Then if not completely convinced, I could at least try to trigger the assert :). Regards, Halil