From: Peter Xu <peterx@redhat.com>
To: Marc Zyngier <maz@kernel.org>
Cc: Gavin Shan <gshan@redhat.com>,
	kvmarm@lists.cs.columbia.edu,
	linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kselftest@vger.kernel.org, pbonzini@redhat.com,
	corbet@lwn.net, james.morse@arm.com, alexandru.elisei@arm.com,
	suzuki.poulose@arm.com, oliver.upton@linux.dev,
	catalin.marinas@arm.com, will@kernel.org, shuah@kernel.org,
	seanjc@google.com, drjones@redhat.com, dmatlack@google.com,
	bgardon@google.com, ricarkol@google.com, zhenyzha@redhat.com,
	shan.gavin@gmail.com
Subject: Re: [PATCH v1 1/5] KVM: arm64: Enable ring-based dirty memory tracking
Date: Tue, 23 Aug 2022 17:20:32 -0400
Message-ID: <YwVEoM1pj2MPCELp@xz-m1.local>
In-Reply-To: <87bksawz0w.wl-maz@kernel.org>

On Tue, Aug 23, 2022 at 08:17:03PM +0100, Marc Zyngier wrote:
> I don't think we really need this check on the hot path. All we need
> is to make the request sticky until userspace gets their act together
> and consumes elements in the ring. Something like:
> 
> diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> index 986cee6fbc7f..e8ed5e1af159 100644
> --- a/arch/arm64/kvm/arm.c
> +++ b/arch/arm64/kvm/arm.c
> @@ -747,6 +747,14 @@ static int check_vcpu_requests(struct kvm_vcpu *vcpu)
>  
>  		if (kvm_check_request(KVM_REQ_SUSPEND, vcpu))
>  			return kvm_vcpu_suspend(vcpu);
> +
> +		if (kvm_check_request(KVM_REQ_RING_SOFT_FULL, vcpu) &&
> +		    kvm_dirty_ring_soft_full(vcpu)) {
> +			kvm_make_request(KVM_REQ_RING_SOFT_FULL, vcpu);
> +			vcpu->run->exit_reason = KVM_EXIT_DIRTY_RING_FULL;
> +			trace_kvm_dirty_ring_exit(vcpu);
> +			return 0;
> +		}
>  	}
>  
>  	return 1;
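
Review bot: In the added block, kvm_check_request(KVM_REQ_RING_SOFT_FULL, vcpu) is followed straight away by kvm_make_request() for the same request, so the bit is consumed only to be raised again, and nothing in the hunk says that this is what keeps the request sticky. A test-only helper in the condition would avoid the clear-and-re-set round trip, but the request would then need clearing explicitly once kvm_dirty_ring_soft_full() returns false. Whichever form is kept, a one-line comment above the kvm_make_request() call stating that the request stays pending until userspace has consumed ring entries would make the intent clear.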

Right, this seems to work.  We can also use kvm_test_request() here.

> 
> 
> However, I'm a bit concerned by the reset side of things. It iterates
> over the vcpus and expects the view of each ring to be consistent,
> even if userspace is hacking at it from another CPU. For example, I
> can't see what guarantees that the kernel observes the writes from
> userspace in the order they are being performed (the documentation
> provides no requirements other than "it must collect the dirty GFNs in
> sequence", which doesn't mean much from an ordering perspective).
> 
> I can see that working on a strongly ordered architecture, but on
> something as relaxed as ARM, the CPUs may^Wwill aggressively reorder
> stuff that isn't explicitly ordered. I have the feeling that a CAS
> operation on both sides would be enough, but someone who actually
> understands how this works should have a look...

I definitely don't think I 100% understand all the ordering things since
they're complicated... but my understanding is that the reset procedure
didn't need a memory barrier (unlike pushing, where we have an explicit wmb),
because we assumed the userapp is not hostile, so logically it should only
modify the flags, which is a 32-bit field, assuming atomicity is guaranteed.

IIRC we used to discuss similar questions on "what if the user is hostile
and wants to hack the process by messing with the ring", and our
conclusion was that as long as the process wouldn't mess up anything outside
itself it should be okay. E.g. it should not be able to either cause the
host to malfunction, or trigger kernel warnings in dmesg, etc.

Thanks,

-- 
Peter Xu
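
The ordering question raised in the quoted text, sketched as an added example that is not part of this message or of the KVM code: a user-space C11 model of one ring entry in which every hand-off through the flags word is a release store paired with an acquire load. The struct, the function names and the sample values are constructed for illustration; the two flag bits are assumed to match the KVM_DIRTY_GFN_F_DIRTY and KVM_DIRTY_GFN_F_RESET bits of the dirty-ring UAPI.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of one ring entry; bit values mirror KVM_DIRTY_GFN_F_*. */
#define GFN_F_DIRTY (1u << 0)
#define GFN_F_RESET (1u << 1)
struct model_dirty_gfn {
	_Atomic uint32_t flags;
	uint32_t slot;
	uint64_t offset;
};

/* Producer (the pushing side): fill the entry, then publish it. */
static void ring_push(struct model_dirty_gfn *e, uint32_t slot, uint64_t offset)
{
	e->slot = slot;
	e->offset = offset;
	/* Release: slot/offset become visible before DIRTY does. */
	atomic_store_explicit(&e->flags, GFN_F_DIRTY, memory_order_release);
}

/* Consumer (userspace): the acquire load pairs with ring_push(). */
static bool ring_harvest(struct model_dirty_gfn *e, uint32_t *slot, uint64_t *offset)
{
	if (!(atomic_load_explicit(&e->flags, memory_order_acquire) & GFN_F_DIRTY))
		return false;
	*slot = e->slot;
	*offset = e->offset;
	/* Release: the reads above finish before RESET becomes visible. */
	atomic_store_explicit(&e->flags, GFN_F_RESET, memory_order_release);
	return true;
}

/* Reset side: recycle only harvested entries; acquire pairs with ring_harvest(). */
static bool ring_reset_one(struct model_dirty_gfn *e)
{
	if (!(atomic_load_explicit(&e->flags, memory_order_acquire) & GFN_F_RESET))
		return false;
	atomic_store_explicit(&e->flags, 0, memory_order_relaxed);
	return true;
}

int main(void)
{
	struct model_dirty_gfn e = {0};
	uint32_t s; uint64_t o;
	ring_push(&e, 3, 0x42);
	return (ring_harvest(&e, &s, &o) && ring_reset_one(&e)) ? 0 : 1;
}
```

With plain loads and stores in place of the acquire/release pairs, a weakly ordered CPU may make the flag update visible before the accesses it is meant to guard.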

