From: David Matlack <dmatlack@google.com>
To: Mingwei Zhang <mizhang@google.com>
Cc: Sean Christopherson <seanjc@google.com>, Paolo Bonzini <pbonzini@redhat.com>, Marc Zyngier <maz@kernel.org>, Huacai Chen <chenhuacai@kernel.org>, Aleksandar Markovic <aleksandar.qemu.devel@gmail.com>, Anup Patel <anup@brainfault.org>, Paul Walmsley <paul.walmsley@sifive.com>, Palmer Dabbelt <palmer@dabbelt.com>, Albert Ou <aou@eecs.berkeley.edu>, Andrew Jones <drjones@redhat.com>, Ben Gardon <bgardon@google.com>, Peter Xu <peterx@redhat.com>, "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>, "moderated list:KERNEL VIRTUAL MACHINE FOR ARM64 (KVM/arm64)" <kvmarm@lists.cs.columbia.edu>, "open list:KERNEL VIRTUAL MACHINE FOR MIPS (KVM/mips)" <linux-mips@vger.kernel.org>, "open list:KERNEL VIRTUAL MACHINE FOR MIPS (KVM/mips)" <kvm@vger.kernel.org>, "open list:KERNEL VIRTUAL MACHINE FOR RISC-V (KVM/riscv)" <kvm-riscv@lists.infradead.org>, Peter Feiner <pfeiner@google.com>, Lai Jiangshan <jiangshanlai@gmail.com>
Subject: Re: [PATCH v6 21/22] KVM: Allow for different capacities in kvm_mmu_memory_cache structs
Date: Mon, 23 May 2022 11:22:57 -0700
Message-ID: <CALzav=dcFmkZsEBUWGECUQVzrE4TiF=eOxhRXW-XQ-_q4cXchA@mail.gmail.com>
In-Reply-To: <CAL715WL8g4y=agnMCM7uX6dhBp1JdFKHOCcYsh-=HT0wF=sQUA@mail.gmail.com>

On Mon, May 23, 2022 at 11:13 AM Mingwei Zhang <mizhang@google.com> wrote:
>
> On Mon, May 23, 2022 at 10:44 AM David Matlack <dmatlack@google.com> wrote:
> >
> > On Mon, May 23, 2022 at 10:37 AM Sean Christopherson <seanjc@google.com> wrote:
> > >
> > > On Fri, May 20, 2022, Mingwei Zhang wrote:
> > > > On Mon, May 16, 2022 at 4:24 PM David Matlack <dmatlack@google.com> wrote:
> > > > > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> > > > > index e089db822c12..5e2e75014256 100644
> > > > > --- a/virt/kvm/kvm_main.c
> > > > > +++ b/virt/kvm/kvm_main.c
> > > > > @@ -369,14 +369,31 @@ static inline void *mmu_memory_cache_alloc_obj(struct kvm_mmu_memory_cache *mc,
> > > > >         return (void *)__get_free_page(gfp_flags);
> > > > >  }
> > > > >
> > > > > -int kvm_mmu_topup_memory_cache(struct kvm_mmu_memory_cache *mc, int min)
> > > > > +static int __kvm_mmu_topup_memory_cache(struct kvm_mmu_memory_cache *mc, int capacity, int min)
> > > > >  {
> > > > > +       gfp_t gfp = GFP_KERNEL_ACCOUNT;
> > > > >         void *obj;
> > > > >
> > > > >         if (mc->nobjs >= min)
> > > > >                 return 0;
> > > > > -       while (mc->nobjs < ARRAY_SIZE(mc->objects)) {
> > > > > -               obj = mmu_memory_cache_alloc_obj(mc, GFP_KERNEL_ACCOUNT);
> > > > > +
> > > > > +       if (unlikely(!mc->objects)) {
> > > > > +               if (WARN_ON_ONCE(!capacity))
> > > > > +                       return -EIO;
> > > > > +
> > > > > +               mc->objects = kvmalloc_array(sizeof(void *), capacity, gfp);
> > > > > +               if (!mc->objects)
> > > > > +                       return -ENOMEM;
> > > > > +
> > > > > +               mc->capacity = capacity;
> > > >
> > > > Do we want to ensure the minimum value of the capacity? I think otherwise, we may more likely start using memory from GFP_ATOMIC if the capacity is less than, say 5? But the minimum value seems related to each cache type.
> > >
> > > Eh, if we specify a minimum, just make the arch default the minimum. That way we avoid adding even more magic/arbitrary numbers. E.g. for whatever reason, MIPS's default is '4'.
> >
> > I'm not exactly sure what you had in mind Mingwei. But there is a bug in this code if min > capacity. This function will happily return 0 after filling up the cache, even though it did not allocate min objects. The same bug existed before this patch if min > ARRAY_SIZE(mc->objects). I can include a separate patch to fix this bug (e.g. WARN and return -ENOMEM if min > capacity).
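Review bot: the new `capacity` argument is never checked against `min` in this hunk; the early-out `if (mc->nobjs >= min) return 0;` is the only place `min` is consulted, so a caller passing `min > capacity` gets an object array of `capacity` slots and, as David notes in the thread, a success return with fewer than `min` objects. Suggest a second guard beside the existing `WARN_ON_ONCE(!capacity)`, e.g. `if (WARN_ON_ONCE(min > capacity)) return -ENOMEM;`, so the buggy call site shows up in the splat instead of surfacing later as a GFP_ATOMIC fallback. Minor: `kvmalloc_array()` takes `(n, size, flags)`, so `kvmalloc_array(capacity, sizeof(void *), gfp)` reads as intended; the posted order allocates the same number of bytes but swaps the roles of the two arguments.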
>
> Oh, what I am saying is this one:
> https://elixir.bootlin.com/linux/latest/source/virt/kvm/kvm_main.c#L417
>
> If we are running out of kmem cache, then we start to use __GFP_ATOMIC, which should be avoided as much as we can? Since this patch parameterized the 'capacity', then to avoid the future usage where a caller provides too small a value, maybe we could add a warning if the 'capacity' is too small, say, smaller than 40 (the default value)?

I'm not too worried about that. Callers of kvm_mmu_topup_memory_cache() are responsible for passing in a min value. It doesn't matter if capacity is a number lower than 40; as long as kvm_mmu_topup_memory_cache() is able to allocate min objects, the call is a success (and the GFP_ATOMIC fallback should never trigger, and if it does, we'll get a WARN splat).

The only actual loophole I can spot is if capacity is less than min. In that case topup will return 0 despite allocating less than min objects. Again, we'll still hit the GFP_ATOMIC and get a WARN splat, but we can detect the problem in kvm_mmu_topup_memory_cache(), which will include the buggy callsite in the backtrace.

>
> The case of 'capacity' < min would be a more serious issue; that situation probably should never be allowed.
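The loophole discussed in this message, modelled as an added user-space C example (not the kernel's code): `topup_as_posted` follows the hunk's control flow with `calloc`/`malloc` standing in for `kvmalloc_array()` and `mmu_memory_cache_alloc_obj()`, `topup_checked` adds the `min > capacity` refusal David proposes, and `fallbacks_after_topup` counts how many later pops would land in the empty-cache path where the kernel falls back to GFP_ATOMIC.

```c
#include <stdlib.h>
#include <errno.h>
struct mem_cache {		/* stand-in for struct kvm_mmu_memory_cache */
	int nobjs;
	int capacity;
	void **objects;
};

/* Follows the posted hunk: allocate the object array on first use, then fill to
 * capacity. Nothing relates 'min' to 'capacity'. */
static int topup_as_posted(struct mem_cache *mc, int capacity, int min)
{
	if (mc->nobjs >= min)
		return 0;
	if (!mc->objects) {
		if (!capacity)
			return -EIO;		/* kernel: WARN_ON_ONCE(!capacity) */
		mc->objects = calloc(capacity, sizeof(void *));
		if (!mc->objects)
			return -ENOMEM;
		mc->capacity = capacity;
	}
	while (mc->nobjs < mc->capacity) {
		void *obj = malloc(64);		/* stand-in for mmu_memory_cache_alloc_obj() */
		if (!obj)
			return mc->nobjs >= min ? 0 : -ENOMEM;
		mc->objects[mc->nobjs++] = obj;
	}
	return 0;	/* reached even when capacity < min: the loophole in the thread */
}

/* The fix proposed in the thread: refuse a 'min' the cache can never hold. */
static int topup_checked(struct mem_cache *mc, int capacity, int min)
{
	if (min > capacity)			/* kernel: WARN_ON_ONCE(min > capacity) */
		return -ENOMEM;
	return topup_as_posted(mc, capacity, min);
}

/* Top up a fresh cache with the given policy, then simulate popping 'wanted' objects.
 * Returns how many pops would find the cache empty (the GFP_ATOMIC + WARN path in the
 * kernel), or the negative topup error. */
static int fallbacks_after_topup(int (*topup)(struct mem_cache *, int, int),
				 int capacity, int min, int wanted)
{
	struct mem_cache mc = { 0 };
	int ret = topup(&mc, capacity, min);
	if (ret)
		return ret;
	ret = wanted > mc.nobjs ? wanted - mc.nobjs : 0;
	while (mc.nobjs)
		free(mc.objects[--mc.nobjs]);
	free(mc.objects);
	return ret;
}
```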