On Sat, Sep 30, 2023, David Woodhouse wrote:
> @@ -146,6 +160,14 @@ static enum hrtimer_restart xen_timer_callback(struct hrtimer *timer)
>
> static void kvm_xen_start_timer(struct kvm_vcpu *vcpu, u64 guest_abs, s64 delta_ns)
> {
> + /*
> + * Avoid races with the old timer firing. Checking timer_expires
> + * to avoid calling hrtimer_cancel() will only have false positives
> + * so is fine.
> + */
> + if (vcpu->arch.xen.timer_expires)
> + hrtimer_cancel(&vcpu->arch.xen.timer);
> +
> atomic_set(&vcpu->arch.xen.timer_pending, 0);
> vcpu->arch.xen.timer_expires = guest_abs;
>
> @@ -1019,9 +1041,36 @@ int kvm_xen_vcpu_get_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data)
> break;
>
> case KVM_XEN_VCPU_ATTR_TYPE_TIMER:
> + /*
> + * Ensure a consistent snapshot of state is captured, with a
> + * timer either being pending, or the event channel delivered
> + * to the corresponding bit in the shared_info. Not still
> + * lurking in the timer_pending flag for deferred delivery.
> + * Purely as an optimisation, if the timer_expires field is
> + * zero, that means the timer isn't active (or even in the
> + * timer_pending flag) and there is no need to cancel it.
> + */
Ah, kvm_xen_start_timer() zeros timer_pending.
Given that, shouldn't it be impossible for xen_timer_callback() to observe a
non-zero timer_pending value? E.g. couldn't this code WARN?
if (atomic_read(&vcpu->arch.xen.timer_pending))
return HRTIMER_NORESTART;
Obviously not a blocker for this patch, I'm mostly just curious to know if I'm
missing something.
