xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Jan Beulich <jbeulich@suse.com>
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>,
	George Dunlap <george.dunlap@citrix.com>,
	Ian Jackson <iwj@xenproject.org>
Subject: Re: [PATCH v2 8/8] x86/PV: use get_unsafe() instead of copy_from_unsafe()
Date: Tue, 23 Feb 2021 17:13:21 +0100	[thread overview]
Message-ID: <4fdb5952-6196-3a79-1306-e65d75e495d2@suse.com> (raw)
In-Reply-To: <YDUhKw+19ITgVmml@Air-de-Roger>

On 23.02.2021 16:37, Roger Pau Monné wrote:
> On Tue, Feb 23, 2021 at 04:25:00PM +0100, Jan Beulich wrote:
>> On 23.02.2021 12:59, Roger Pau Monné wrote:
>>> On Wed, Feb 17, 2021 at 09:23:33AM +0100, Jan Beulich wrote:
>>>> The former expands to a single (memory accessing) insn, which the latter
>>>> does not guarantee. Yet we'd prefer to read consistent PTEs rather than
>>>> risking a split read racing with an update done elsewhere.
>>>>
>>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>>
>>> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
>>>
>>> Albeit I wonder why the __builtin_constant_p check done in
>>> copy_from_unsafe is not enough to take the get_unsafe_size branch in
>>> there. Doesn't sizeof(l{1,2}_pgentry_t) qualify as a built time
>>> constant?
>>>
>>> Or the fact that n it's a parameter to an inline function hides this,
>>> in which case the __builtin_constant_p is pointless?
>>
>> Without (enough) optimization, __builtin_constant_p() may indeed
>> yield false in such cases. But that wasn't actually what I had
>> in mind when making this change (and the original similar on in
>> shadow code). Instead, at the time I made the shadow side change,
>> I had removed this optimization from the new function flavors.
>> With that removal, things are supposed to still be correct - it's
>> an optimization only, after all. Meanwhile the optimizations are
>> back, so there's no immediate problem as long as the optimizer
>> doesn't decide to out-of-line the function invocations (we
>> shouldn't forget that even always_inline is not a guarantee for
>> inlining to actually occur).
> 
> I'm fine with you switching those use cases to get_unsafe, but I think
> the commit message should be slightly adjusted to notice that
> copy_from_unsafe will likely do the right thing, but that it's simply
> clearer to call get_unsafe directly, also in case copy_from_unsafe
> gets changed in the future to drop the get_unsafe paths.

How about this then?

"The former expands to a single (memory accessing) insn, which the latter
 does not guarantee (the __builtin_constant_p() based switch() statement
 there is just an optimization). Yet we'd prefer to read consistent PTEs
 rather than risking a split read racing with an update done elsewhere."

Jan


  reply	other threads:[~2021-02-23 16:13 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-17  8:16 [PATCH v2 0/8] x86/PV: avoid speculation abuse through guest accessors Jan Beulich
2021-02-17  8:19 ` [PATCH v2 1/8] x86: split __{get,put}_user() into "guest" and "unsafe" variants Jan Beulich
2021-02-17  8:20 ` [PATCH v2 2/8] x86: split __copy_{from,to}_user() " Jan Beulich
2021-02-17  8:20 ` [PATCH v2 3/8] x86/PV: harden guest memory accesses against speculative abuse Jan Beulich
2021-02-17  8:21 ` [PATCH v2 4/8] x86: rename {get,put}_user() to {get,put}_guest() Jan Beulich
2021-02-22 15:22   ` Roger Pau Monné
2021-02-17  8:21 ` [PATCH v2 5/8] x86/gdbsx: convert "user" to "guest" accesses Jan Beulich
2021-02-22 15:31   ` Roger Pau Monné
2021-02-22 15:55     ` Jan Beulich
2021-02-22 16:08       ` Roger Pau Monné
2021-02-17  8:22 ` [PATCH v2 6/8] x86: rename copy_{from,to}_user() to copy_{from,to}_guest_pv() Jan Beulich
2021-02-23 11:04   ` Roger Pau Monné
2021-02-23 15:15     ` Jan Beulich
2021-02-17  8:22 ` [PATCH v2 7/8] x86: move stac()/clac() from {get,put}_unsafe_asm() Jan Beulich
2021-02-23 11:40   ` Roger Pau Monné
2021-02-17  8:23 ` [PATCH v2 8/8] x86/PV: use get_unsafe() instead of copy_from_unsafe() Jan Beulich
2021-02-23 11:59   ` Roger Pau Monné
2021-02-23 15:25     ` Jan Beulich
2021-02-23 15:37       ` Roger Pau Monné
2021-02-23 16:13         ` Jan Beulich [this message]
2021-02-23 18:03           ` Roger Pau Monné
2021-02-19 15:50 ` [PATCH v2 0/8] x86/PV: avoid speculation abuse through guest accessors Ian Jackson
2021-02-19 15:56   ` Jan Beulich
2021-02-19 16:13     ` Ian Jackson
2021-02-19 16:16       ` Jan Beulich
2021-02-19 16:30         ` Ian Jackson
2021-02-24 11:13   ` Jan Beulich
2021-02-24 13:08     ` Ian Jackson
2021-02-24 13:18       ` Jan Beulich
2021-02-24 13:26         ` Ian Jackson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4fdb5952-6196-3a79-1306-e65d75e495d2@suse.com \
    --to=jbeulich@suse.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=george.dunlap@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=roger.pau@citrix.com \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).