From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Avi Kivity <avi@redhat.com>, Paul Mackerras <paulus@samba.org>,
Gleb Natapov <gleb@redhat.com>,
Alex Williamson <alex.williamson@redhat.com>,
Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>,
Alexander Graf <agraf@suse.de>,
kvm-ppc@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH 3/5] KVM: PPC: Book3S HV: Handle memory slot deletion and modification correctly
Date: Fri, 17 Aug 2012 17:06:18 +1000 [thread overview]
Message-ID: <1345187178.11751.49.camel@pasglop> (raw)
In-Reply-To: <20120815175920.GB18452@amt.cnet>
On Wed, 2012-08-15 at 14:59 -0300, Marcelo Tosatti wrote:
>
> The guest should not expect memory accesses to an address
> to behave sanely while changing a BAR anyway.
>
> Yes, compatibility for change of GPA base can be done in the
> kernel. I can look into it next week if nobody has done so at
> that point.
There's one thing to be extra careful about here is if we start
doing that for normal memory (in case we start breaking it up
in slots, such as NUMA setups etc...).
The problem is that we must not allow normal memory accesses to be
handled via the "emulation" code (ie MMIO emulation or load/store
emulation, whatever we call it).
Part of the issues is that on architectures that don't use IPIs for
TLB invalidations but instead use some form of HW broadcast such as
PowerPC or ARM, there is an inherent race in that the emulation code can
keep a guest physical address (and perform the relevant access to the
corresponding memory region) way beyond the point where the guest
virtual->physical translation leading to that address has been
invalidated.
This doesn't happen on x86 because essentially the completion of the
invalidation IPI has to wait for all VCPUs to "respond" and thus to
finish whatever emulation they are doing. This is not the case on archs
with a HW invalidate broadcast.
This is a nasty race, and while we more/less decided that it was
survivable as long as we only go through emulation for devices (as we
don't play swapping games with them in the guest kernel), the minute we
allow normal guest memory access to "slip through", we have broken the
guest virtual memory model.
So if we are manipulated memory slots used for guest RAM we must -not-
break atomicity, since during the time the slot is gone, it will
fallback to emulation, introducing the above race (at least on PowerPC
and ARM).
Cheers,
Ben.
WARNING: multiple messages have this Message-ID (diff)
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Avi Kivity <avi@redhat.com>, Paul Mackerras <paulus@samba.org>,
Gleb Natapov <gleb@redhat.com>,
Alex Williamson <alex.williamson@redhat.com>,
Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>,
Alexander Graf <agraf@suse.de>,
kvm-ppc@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH 3/5] KVM: PPC: Book3S HV: Handle memory slot deletion and modification correctly
Date: Fri, 17 Aug 2012 07:06:18 +0000 [thread overview]
Message-ID: <1345187178.11751.49.camel@pasglop> (raw)
In-Reply-To: <20120815175920.GB18452@amt.cnet>
On Wed, 2012-08-15 at 14:59 -0300, Marcelo Tosatti wrote:
>
> The guest should not expect memory accesses to an address
> to behave sanely while changing a BAR anyway.
>
> Yes, compatibility for change of GPA base can be done in the
> kernel. I can look into it next week if nobody has done so at
> that point.
There's one thing to be extra careful about here is if we start
doing that for normal memory (in case we start breaking it up
in slots, such as NUMA setups etc...).
The problem is that we must not allow normal memory accesses to be
handled via the "emulation" code (ie MMIO emulation or load/store
emulation, whatever we call it).
Part of the issues is that on architectures that don't use IPIs for
TLB invalidations but instead use some form of HW broadcast such as
PowerPC or ARM, there is an inherent race in that the emulation code can
keep a guest physical address (and perform the relevant access to the
corresponding memory region) way beyond the point where the guest
virtual->physical translation leading to that address has been
invalidated.
This doesn't happen on x86 because essentially the completion of the
invalidation IPI has to wait for all VCPUs to "respond" and thus to
finish whatever emulation they are doing. This is not the case on archs
with a HW invalidate broadcast.
This is a nasty race, and while we more/less decided that it was
survivable as long as we only go through emulation for devices (as we
don't play swapping games with them in the guest kernel), the minute we
allow normal guest memory access to "slip through", we have broken the
guest virtual memory model.
So if we are manipulated memory slots used for guest RAM we must -not-
break atomicity, since during the time the slot is gone, it will
fallback to emulation, introducing the above race (at least on PowerPC
and ARM).
Cheers,
Ben.
next prev parent reply other threads:[~2012-08-17 7:06 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-06 10:02 [PATCH 0/5] Improve memory slot handling and other fixes Paul Mackerras
2012-08-06 10:02 ` Paul Mackerras
2012-08-06 10:03 ` [PATCH 1/5] KVM: PPC: Book3S HV: Fix incorrect branch in H_CEDE code Paul Mackerras
2012-08-06 10:03 ` Paul Mackerras
2012-08-06 10:04 ` [PATCH 2/5] KVM: PPC: Quieten message about allocating linear regions Paul Mackerras
2012-08-06 10:04 ` Paul Mackerras
2012-08-06 10:06 ` [PATCH 3/5] KVM: PPC: Book3S HV: Handle memory slot deletion and modification correctly Paul Mackerras
2012-08-06 10:06 ` Paul Mackerras
2012-08-09 18:16 ` Marcelo Tosatti
2012-08-09 18:16 ` Marcelo Tosatti
2012-08-10 0:34 ` Paul Mackerras
2012-08-10 0:34 ` Paul Mackerras
2012-08-10 1:25 ` Marcelo Tosatti
2012-08-10 1:25 ` Marcelo Tosatti
2012-08-10 1:33 ` Marcelo Tosatti
2012-08-10 1:33 ` Marcelo Tosatti
2012-08-10 2:09 ` Takuya Yoshikawa
2012-08-10 2:09 ` Takuya Yoshikawa
2012-08-10 18:35 ` Marcelo Tosatti
2012-08-10 18:35 ` Marcelo Tosatti
2012-08-11 0:37 ` Paul Mackerras
2012-08-11 0:37 ` Paul Mackerras
2012-08-13 16:34 ` Marcelo Tosatti
2012-08-13 16:34 ` Marcelo Tosatti
2012-08-13 22:04 ` Marcelo Tosatti
2012-08-13 22:04 ` Marcelo Tosatti
2012-08-15 9:26 ` Avi Kivity
2012-08-15 9:26 ` Avi Kivity
2012-08-15 17:59 ` Marcelo Tosatti
2012-08-15 17:59 ` Marcelo Tosatti
2012-08-17 7:06 ` Benjamin Herrenschmidt [this message]
2012-08-17 7:06 ` Benjamin Herrenschmidt
2012-08-17 18:39 ` Marcelo Tosatti
2012-08-17 18:39 ` Marcelo Tosatti
2012-08-17 20:32 ` Benjamin Herrenschmidt
2012-08-17 20:32 ` Benjamin Herrenschmidt
2012-08-23 13:55 ` Marcelo Tosatti
2012-08-23 13:55 ` Marcelo Tosatti
2012-08-24 9:29 ` Paul Mackerras
2012-08-24 9:29 ` Paul Mackerras
2012-08-24 18:58 ` Marcelo Tosatti
2012-08-24 18:58 ` Marcelo Tosatti
2012-08-19 9:39 ` Avi Kivity
2012-08-19 9:39 ` Avi Kivity
2012-08-15 6:06 ` Paul Mackerras
2012-08-15 6:06 ` Paul Mackerras
2012-08-15 9:23 ` Avi Kivity
2012-08-15 9:23 ` Avi Kivity
2012-08-06 10:06 ` [PATCH 4/5] KVM: PPC: Book3S HV: Take the SRCU read lock before looking up memslots Paul Mackerras
2012-08-06 10:06 ` Paul Mackerras
2012-08-09 18:22 ` Marcelo Tosatti
2012-08-09 18:22 ` Marcelo Tosatti
2012-08-10 0:45 ` Paul Mackerras
2012-08-10 0:45 ` Paul Mackerras
2012-08-06 10:08 ` [RFC PATCH 5/5] KVM: PPC: Take the SRCU lock around memslot use Paul Mackerras
2012-08-06 10:08 ` Paul Mackerras
2012-08-09 18:27 ` Marcelo Tosatti
2012-08-09 18:27 ` Marcelo Tosatti
2012-08-10 0:37 ` Paul Mackerras
2012-08-10 0:37 ` Paul Mackerras
2012-08-10 9:27 ` Alexander Graf
2012-08-10 9:27 ` Alexander Graf
2012-08-15 8:16 ` Benjamin Herrenschmidt
2012-08-15 8:16 ` Benjamin Herrenschmidt
2012-08-10 9:23 ` [PATCH 0/5] Improve memory slot handling and other fixes Alexander Graf
2012-08-10 9:23 ` Alexander Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1345187178.11751.49.camel@pasglop \
--to=benh@kernel.crashing.org \
--cc=agraf@suse.de \
--cc=alex.williamson@redhat.com \
--cc=avi@redhat.com \
--cc=gleb@redhat.com \
--cc=kvm-ppc@vger.kernel.org \
--cc=kvm@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=paulus@samba.org \
--cc=yoshikawa.takuya@oss.ntt.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.