[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v5 08/10] x86/mm: make code robust to future PAT changes

  • To: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 22 Dec 2022 10:54:48 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3kCIRZyz+4akDPdFSli8KPUeWsLxiwk/RnxHMhE8Ztc=; b=mAIUq8RnVHFvQ/+OkMJ9upOld5EiYy+IgxXayzGXmUS4Hjm1W5pWH+larCzxLnks0UGpGMelJX6LG9ntBtf8lF2NMD1F3jR1HfDQuZImwindGonQaRKs0g4qaLMp4R19n9XFKJbvoPobtQ4jDSfyGGHEccomuujW7qXwWYMVtSzeFCz9XrdbUAN3UP1KKcYqMf0maxzMoDOkHb4QUsBgJHzCrv8FuEq/ePDp4YbemaSePAzhn3UhaOqdGCdf00T33SurhEsRbF86VNu+hKBmEOKNiQcAOelheuu158pUCSskv/HvmMnXpyoZD6rb1NS083cUk2Iy+nzxqttEigKIBw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ezJm5EiburevLXVlVL38mDUJlu/U/XHDQ4lk7TV2+mGpHjqlmYv7Axu/tgZhNaCM8WYzqF4X5x60lG9lrtq+s+BWmetU5E7yKxOscOV+9kPYervIOEvznTZXR9st4TRFUdeX63whcSbPep/xYn+O4O3H0iNsq/78We+IxQByCDMDj43/aBlH0TX9CeMYKQzDhhKCoEa0IDCprIMDugz8t+FN2hwT6viCtz3yVTOwYUxhdJzy5r9EaD8VROX/XCi35+db1YKB0gctAVG+o24Jp0O5OSE+qtZeggNElu5cDdyWzvdNupmwAyMg9Bn5JQirklQ18C8v6ZPNzXw9VxudxA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 22 Dec 2022 09:54:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 22.12.2022 10:50, Demi Marie Obenour wrote:
> On Thu, Dec 22, 2022 at 10:35:08AM +0100, Jan Beulich wrote:
>> On 20.12.2022 02:07, Demi Marie Obenour wrote:
>>> --- a/xen/arch/x86/mm.c
>>> +++ b/xen/arch/x86/mm.c
>>> @@ -6352,6 +6352,11 @@ unsigned long get_upper_mfn_bound(void)
>>>      return min(max_mfn, 1UL << (paddr_bits - PAGE_SHIFT)) - 1;
>>>  }
>>>  
>>> +
>>> +/*
>>> + * A bunch of static assertions to check that the XEN_MSR_PAT is valid
>>> + * and consistent with the _PAGE_* macros, and that _PAGE_WB is zero.
>>> + */
>>>  static void __init __maybe_unused build_assertions(void)
>>>  {
>>>      /*
>>> @@ -6361,6 +6366,72 @@ static void __init __maybe_unused 
>>> build_assertions(void)
>>>       * using different PATs will not work.
>>>       */
>>>      BUILD_BUG_ON(XEN_MSR_PAT != 0x050100070406ULL);
>>> +
>>> +    /*
>>> +     * _PAGE_WB must be zero for several reasons, not least because Linux
>>> +     * assumes it.
>>> +     */
>>> +    BUILD_BUG_ON(_PAGE_WB);
>>
>> Strictly speaking this is a requirement only for PV guests. We may not
>> want to go as far as putting "#ifdef CONFIG_PV" around it, but at least
>> the code comment (and then also the part of the description referring
>> to this) will imo want to say so.
> 
> Does Xen itself depend on this?

With the wording in the description I was going from the assumption that
you have audited code and found that we properly use _PAGE_* constants
everywhere.

>>> +} while (0)
>>> +
>>> +    /*
>>> +     * If one of these trips, the corresponding _PAGE_* macro is 
>>> inconsistent
>>> +     * with XEN_MSR_PAT.  This would cause Xen to use incorrect 
>>> cacheability
>>> +     * flags, with results that are undefined and probably harmful.
>>
>> Why "undefined"? They may be wrong / broken, but the result is still well-
>> defined afaict.
> 
> “undefined” is meant as “one has violated a core assumption that
> higher-level stuff depends on, so things can go arbitrarily wrong,
> including e.g. corrupting memory or data”.  Is this accurate?  Should I
> drop the dependent clause, or do you have a suggestion for something
> better?

s/undefined/unknown/ ?

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.