From: Alexander Graf <agraf@suse.de>
To: Paul Mackerras <paulus@samba.org>
Cc: kvm-ppc@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH 3/5] KVM: PPC: Book3S HV: Improve handling of local vs. global TLB invalidations
Date: Mon, 26 Nov 2012 14:10:33 +0100 [thread overview]
Message-ID: <EA8533AA-C03C-4C27-986D-2CE91B325142@suse.de> (raw)
In-Reply-To: <20121123220701.GB23537@bloggs.ozlabs.ibm.com>
On 23.11.2012, at 23:07, Paul Mackerras wrote:
> On Fri, Nov 23, 2012 at 04:43:03PM +0100, Alexander Graf wrote:
>>
>> On 22.11.2012, at 10:28, Paul Mackerras wrote:
>>
>>> - With the possibility of the host paging out guest pages, the use of
>>> H_LOCAL by an SMP guest is dangerous since the guest could possibly
>>> retain and use a stale TLB entry pointing to a page that had been
>>> removed from the guest.
>>
>> I don't understand this part. Don't we flush the TLB when the page gets evicted from the shadow HTAB?
>
> The H_LOCAL flag is something that we invented to allow the guest to
> tell the host "I only ever used this translation (HPTE) on the current
> vcpu" when it's removing or modifying an HPTE. The idea is that that
> would then let the host use the tlbiel instruction (local TLB
> invalidate) rather than the usual global tlbie instruction. Tlbiel is
> faster because it doesn't need to go out on the fabric and get
> processed by all cpus. In fact our guests don't use it at present,
> but we put it in because we thought we should be able to get a
> performance improvement, particularly on large machines.
>
> However, the catch is that the guest's setting of H_LOCAL might be
> incorrect, in which case we could have a stale TLB entry on another
> physical cpu. While the physical page that it refers to is still
> owned by the guest, that stale entry doesn't matter from the host's
> point of view. But if the host wants to take that page away from the
> guest, the stale entry becomes a problem.
That's exactly where my question lies. Does that mean we don't flush the TLB entry regardless when we take the page away from the guest?
Alex
>
> The solution I implement here is just not to use tlbiel in SMP guests.
> UP guests are not so much of a problem because the potential attack
> from the guest relies on having one cpu remove the HPTE and do tlbiel
> while another cpu uses the stale TLB entry, which you can't do if you
> only have one cpu.
>
> Paul.
WARNING: multiple messages have this Message-ID (diff)
From: Alexander Graf <agraf@suse.de>
To: Paul Mackerras <paulus@samba.org>
Cc: kvm-ppc@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH 3/5] KVM: PPC: Book3S HV: Improve handling of local vs. global TLB invalidations
Date: Mon, 26 Nov 2012 13:10:33 +0000 [thread overview]
Message-ID: <EA8533AA-C03C-4C27-986D-2CE91B325142@suse.de> (raw)
In-Reply-To: <20121123220701.GB23537@bloggs.ozlabs.ibm.com>
On 23.11.2012, at 23:07, Paul Mackerras wrote:
> On Fri, Nov 23, 2012 at 04:43:03PM +0100, Alexander Graf wrote:
>>
>> On 22.11.2012, at 10:28, Paul Mackerras wrote:
>>
>>> - With the possibility of the host paging out guest pages, the use of
>>> H_LOCAL by an SMP guest is dangerous since the guest could possibly
>>> retain and use a stale TLB entry pointing to a page that had been
>>> removed from the guest.
>>
>> I don't understand this part. Don't we flush the TLB when the page gets evicted from the shadow HTAB?
>
> The H_LOCAL flag is something that we invented to allow the guest to
> tell the host "I only ever used this translation (HPTE) on the current
> vcpu" when it's removing or modifying an HPTE. The idea is that that
> would then let the host use the tlbiel instruction (local TLB
> invalidate) rather than the usual global tlbie instruction. Tlbiel is
> faster because it doesn't need to go out on the fabric and get
> processed by all cpus. In fact our guests don't use it at present,
> but we put it in because we thought we should be able to get a
> performance improvement, particularly on large machines.
>
> However, the catch is that the guest's setting of H_LOCAL might be
> incorrect, in which case we could have a stale TLB entry on another
> physical cpu. While the physical page that it refers to is still
> owned by the guest, that stale entry doesn't matter from the host's
> point of view. But if the host wants to take that page away from the
> guest, the stale entry becomes a problem.
That's exactly where my question lies. Does that mean we don't flush the TLB entry regardless when we take the page away from the guest?
Alex
>
> The solution I implement here is just not to use tlbiel in SMP guests.
> UP guests are not so much of a problem because the potential attack
> from the guest relies on having one cpu remove the HPTE and do tlbiel
> while another cpu uses the stale TLB entry, which you can't do if you
> only have one cpu.
>
> Paul.
next prev parent reply other threads:[~2012-11-26 13:10 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-22 9:24 [PATCH 0/5] KVM: PPC: Fix various bugs and vulnerabilities in HV KVM Paul Mackerras
2012-11-22 9:24 ` Paul Mackerras
2012-11-22 9:25 ` [PATCH 1/5] KVM: PPC: Book3S HV: Handle guest-caused machine checks on POWER7 without panicking Paul Mackerras
2012-11-22 9:25 ` Paul Mackerras
2012-11-23 14:13 ` Alexander Graf
2012-11-23 14:13 ` Alexander Graf
2012-11-23 21:42 ` Paul Mackerras
2012-11-23 21:42 ` Paul Mackerras
2012-11-26 13:15 ` Alexander Graf
2012-11-26 13:15 ` Alexander Graf
2012-11-26 21:33 ` Paul Mackerras
2012-11-26 21:33 ` Paul Mackerras
2012-11-26 21:55 ` Alexander Graf
2012-11-26 21:55 ` Alexander Graf
2012-11-26 22:03 ` Alexander Graf
2012-11-26 22:03 ` Alexander Graf
2012-11-26 23:11 ` Paul Mackerras
2012-11-26 23:11 ` Paul Mackerras
2012-11-24 8:37 ` [PATCH v2] " Paul Mackerras
2012-11-24 8:37 ` Paul Mackerras
2012-11-26 23:16 ` Alexander Graf
2012-11-26 23:16 ` Alexander Graf
2012-11-26 23:18 ` Paul Mackerras
2012-11-26 23:18 ` Paul Mackerras
2012-11-26 23:20 ` Alexander Graf
2012-11-26 23:20 ` Alexander Graf
2012-11-27 0:20 ` Paul Mackerras
2012-11-27 0:20 ` Paul Mackerras
2012-12-22 14:09 ` [PATCH] KVM: PPC: Book3S HV: Fix compilation without CONFIG_PPC_POWERNV Andreas Schwab
2012-12-22 14:09 ` Andreas Schwab
2013-01-06 13:05 ` Alexander Graf
2013-01-06 13:05 ` Alexander Graf
2012-11-22 9:27 ` [PATCH 2/5] KVM: PPC: Book3S HV: Reset reverse-map chains when resetting the HPT Paul Mackerras
2012-11-22 9:27 ` Paul Mackerras
2012-11-22 9:28 ` [PATCH 3/5] KVM: PPC: Book3S HV: Improve handling of local vs. global TLB invalidations Paul Mackerras
2012-11-22 9:28 ` Paul Mackerras
2012-11-23 15:43 ` Alexander Graf
2012-11-23 15:43 ` Alexander Graf
2012-11-23 22:07 ` Paul Mackerras
2012-11-23 22:07 ` Paul Mackerras
2012-11-26 13:10 ` Alexander Graf [this message]
2012-11-26 13:10 ` Alexander Graf
2012-11-26 21:48 ` Paul Mackerras
2012-11-26 21:48 ` Paul Mackerras
2012-11-26 22:03 ` Alexander Graf
2012-11-26 22:03 ` Alexander Graf
2012-11-26 23:16 ` Paul Mackerras
2012-11-26 23:16 ` Paul Mackerras
2012-11-26 23:18 ` Alexander Graf
2012-11-26 23:18 ` Alexander Graf
2012-11-22 9:28 ` [PATCH 4/5] KVM: PPC: Book3S HV: Don't give the guest RW access to RO pages Paul Mackerras
2012-11-22 9:28 ` Paul Mackerras
2012-11-23 15:47 ` Alexander Graf
2012-11-23 15:47 ` Alexander Graf
2012-11-23 22:13 ` Paul Mackerras
2012-11-23 22:13 ` Paul Mackerras
2012-11-24 9:05 ` Alexander Graf
2012-11-24 9:05 ` Alexander Graf
2012-11-24 9:32 ` Paul Mackerras
2012-11-24 9:32 ` Paul Mackerras
2012-11-26 13:09 ` Alexander Graf
2012-11-26 13:09 ` Alexander Graf
2012-11-22 9:29 ` [PATCH 5/5] KVM: PPC: Book3S HV: Report correct HPT entry index when reading HPT Paul Mackerras
2012-11-22 9:29 ` Paul Mackerras
2012-11-23 15:48 ` [PATCH 0/5] KVM: PPC: Fix various bugs and vulnerabilities in HV KVM Alexander Graf
2012-11-23 15:48 ` Alexander Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=EA8533AA-C03C-4C27-986D-2CE91B325142@suse.de \
--to=agraf@suse.de \
--cc=kvm-ppc@vger.kernel.org \
--cc=kvm@vger.kernel.org \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.