[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 02/12] x86/shadow: call sh_update_cr3() directly from sh_page_fault()

  • To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Fri, 20 Feb 2026 14:45:38 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eSUifaZHUGwmzRe4KPJHz/PDlv3KpgVkIVifw+mGS2E=; b=cAR5K+c6Sj+Nz6C0UCJOT+4S9nKhJWPnLWW/DNVLLnZ1iRvz9eoSFCWgCETYRzs3ArdCNebyZvykwB9pElMQPjLGP2dKhA+i88m03lBNXDQE7+nM1wqBwrvcAjsLfjUriXk8eykIDcgQGK7leQ54N9qN7lkvfv2W2nBzTxchOgFUEPSRJQFE+ZjWlMO7HeFk8eA2y7959umTtWJtiL24BabRqVTYkqt70/PzW1Razl7Fu5f/17wXLollSsM/nWg9/als11ReFWV4AIyFQCGiQMGBewr/tlVPxQELF4NXBehBP5Khq3mJYyZMYtplzZZzZ4wRiUYsO8y+YT44Ita5CQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=RwMFMVKxXc48iPsbwSDvFYFg84iDrEJLN+X/H7OQdMsdKZnWG0uSB48Oi5saQv2Q8INqkpjd76I3ELH3D7TQSWGJPEcL7f71WcixJ8dCe8q+X7SfPSgAlfsbX5bfGb5WcYm6oo3YcRWkiZUZSfBVIv+dItlNp+AU/SeU+AABUZiSICJX75aUfMfT55lgMDVDqB38GoZ6W/bIz9oQ8s4UJMKL4k7pwX7UWDhLWXSD89vrrtB613yrT5WLYGb/wuvDOjlqYZWvPpUcLEXs1F5sU9TPdPuOmcxTs3PRUzwsKgGQCFldCQrl0oN5QN9cGkTmoUQEW1btiSuIrz5mhadxvA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>
  • Delivery-date: Fri, 20 Feb 2026 14:46:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 16/05/2023 8:38 am, Jan Beulich wrote:
> There's no need for an indirect call here, as the mode is invariant
> throughout the entire paging-locked region. All it takes to avoid it is
> to have a forward declaration of sh_update_cr3() in place.
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

> ---
> I find this and the respective Win7 related comment suspicious: If we
> really need to "fix up" L3 entries "on demand", wouldn't we better retry
> the shadow_get_and_create_l1e() rather than exit? The spurious page
> fault that the guest observes can, after all, not be known to be non-
> fatal inside the guest. That's purely an OS policy.
>
> Furthermore the sh_update_cr3() will also invalidate L3 entries which
> were loaded successfully before, but invalidated by the guest
> afterwards. I strongly suspect that the described hardware behavior is
> _only_ to load previously not-present entries from the PDPT, but not
> purge ones already marked present. IOW I think sh_update_cr3() would
> need calling in an "incremental" mode here. (The alternative of doing
> this in shadow_get_and_create_l3e() instead would likely be more
> cumbersome.)
>
> Beyond the "on demand" L3 entry creation I also can't see what guest
> actions could lead to the ASSERT() being inapplicable in the PAE case.
> The 3-level code in shadow_get_and_create_l2e() doesn't consult guest
> PDPTEs, and all other logic is similar to that for other modes.
>
> (See 89329d832aed ["x86 shadow: Update cr3 in PAE mode when guest walk
> succeed but shadow walk fails"].)

I recall this being an issue in flight when I joined Citrix, and relates
to PDPTRs.

Architecturally, PDPTRs are are loaded on MOV CR3, the TLB flushing
subset of MOV CR0/4, and Task Switch, and are otherwise non-coherent
with RAM.  PDPTRs are not shot down by INVLPG/#PF/etc (they're not part
of the TLB state, they're "roots" of the paging structures like CR3 is).

(If you recall, this was one of my major concerns with your PTE caching
series, and I still need to figure out how to make this case work.)

Intel maintains the behaviour with 4x PDPTR fields in the VMCS, but AMD
punted on the problem by declaring that 32bit PAE paging under NPT would
behave as "normal" PTEs and get loaded on demand.

For a while, there was a threat in the APM saying that this behaviour
might start applying to native scenarios too, but I recall AMD saying
that this hadn't happened and was unlikely to.


Either way.  All OSes need to cope with both behaviour.  It's probably
easiest for Shadow to stick to strictly architectural behaviour, rather
than trying to account for a behaviour that only manifests in another
context.

I vaguely recall discussion of Windows 7 expecting one behaviour and
shadow implementing the other, but it was 15 years ago and probably at
least partial speculation over an unfixed bug.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.