[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3] xen: introduce VCPUOP_register_runstate_phys_memory_area hypercall

>>> On 10.06.19 at 13:44, <julien.grall@xxxxxxx> wrote:
> Hi Jan,
> 
> On 07/06/2019 15:23, Jan Beulich wrote:
>>>>> On 24.05.19 at 20:12, <andrii.anisov@xxxxxxxxx> wrote:
>>> From: Andrii Anisov <andrii_anisov@xxxxxxxx>
>>>
>>> Existing interface to register runstate are with its virtual address
>>> is prone to issues which became more obvious with KPTI enablement in
>>> guests. The nature of those issues is the fact that the guest could
>>> be interrupted by the hypervisor at any time, and there is no guarantee
>>> to have the registered virtual address translated with the currently
>>> available guest's page tables. Before the KPTI such a situation was
>>> possible in case the guest is caught in the middle of PT processing
>>> (e.g. superpage shattering). With the KPTI this happens also when the
>>> guest runs userspace, so has a pretty high probability.
>> 
>> Except when there's no need for KPTI in the guest in the first place,
>> as is the case for x86-64 PV guests. I think this is worthwhile clarifying.
> 
> I am not sure what is your point here. At least on Arm, using virtual address 
> is 
> not safe at all (whether KPTI is used or not). A guest can genuinely decides 
> to 
> shatter the mapping where the virtual address is. On Arm, this require to use 
> the break-before-make sequence. It means the translation VA -> PA may fail is 
> you happen to do it while the guest is using the sequence.
> 
> Some of the intermittent issues I have seen on the Arndale in the past [1] 
> might 
> be related to using virtual address. I am not 100% sure because even if the 
> debug, the error does not make sense. But this is the most plausible reason 
> for 
> the failure.

All fine, but Arm-specific. The point of my comment was to ask to call
out that there is one environment (x86-64 PV) where this KPTI
discussion is entirely inapplicable.

>>> @@ -35,8 +37,16 @@ arch_compat_vcpu_op(
>>>                !compat_handle_okay(area.addr.h, 1) )
>>>               break;
>>>   
>>> +        while( xchg(&v->runstate_in_use, 1) == 0);
>> 
>> At the very least such loops want a cpu_relax() in their bodies.
>> But this being on a hypercall path - are there theoretical guarantees
>> that a guest can't abuse this to lock up a CPU?
> Hmmm, I suggested this but it looks like a guest may call the hypercall 
> multiple 
> time from different vCPU. So this could be a way to delay work on the CPU.
> 
> I wanted to make the context switch mostly lockless and therefore avoiding to 
> introduce a spinlock.

Well, constructs like the above are trying to mimic a spinlock
without actually using a spinlock. There are extremely rare
situation in which this may indeed be warranted, but here it
falls in the common "makes things worse overall" bucket, I
think. To not unduly penalize the actual update paths, I think
using a r/w lock would be appropriate here.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.