From: Peter Xu <peterx@redhat.com>
To: Marc Zyngier <maz@kernel.org>
Cc: shuah@kernel.org, kvm@vger.kernel.org, andrew.jones@linux.dev,
dmatlack@google.com, will@kernel.org, shan.gavin@gmail.com,
bgardon@google.com, kvmarm@lists.linux.dev, pbonzini@redhat.com,
zhenyzha@redhat.com, catalin.marinas@arm.com,
kvmarm@lists.cs.columbia.edu, ajones@ventanamicro.com
Subject: Re: [PATCH v7 1/9] KVM: x86: Introduce KVM_REQ_DIRTY_RING_SOFT_FULL
Date: Wed, 2 Nov 2022 12:23:16 -0400 [thread overview]
Message-ID: <Y2KZdDAQN4889W9V@x1n> (raw)
In-Reply-To: <867d0de4b0.wl-maz@kernel.org>
On Wed, Nov 02, 2022 at 03:58:43PM +0000, Marc Zyngier wrote:
> On Wed, 02 Nov 2022 14:29:26 +0000,
> Peter Xu <peterx@redhat.com> wrote:
> >
> > On Tue, Nov 01, 2022 at 07:39:25PM +0000, Sean Christopherson wrote:
> > > > @@ -142,13 +144,17 @@ int kvm_dirty_ring_reset(struct kvm *kvm, struct kvm_dirty_ring *ring)
> > > >
> > > > kvm_reset_dirty_gfn(kvm, cur_slot, cur_offset, mask);
> > > >
> > > > + if (!kvm_dirty_ring_soft_full(ring))
> > > > + kvm_clear_request(KVM_REQ_DIRTY_RING_SOFT_FULL, vcpu);
> > > > +
> > >
> > > Marc, Peter, and/or Paolo, can you confirm that clearing the
> > > request here won't cause ordering problems? Logically, this makes
> > > perfect sense (to me, since I suggested it), but I'm mildly
> > > concerned I'm overlooking an edge case where KVM could end up with
> > > a soft-full ring but no pending request.
> >
> > I don't see an ordering issue here, as long as kvm_clear_request() is using
> > atomic version of bit clear, afaict that's genuine RMW and should always
> > imply a full memory barrier (on any arch?) between the soft full check and
> > the bit clear. At least for x86 the lock prefix was applied.
>
> No, clear_bit() is not a full barrier. It only atomic, and thus
> completely unordered (see Documentation/atomic_bitops.txt). If you
> want a full barrier, you need to use test_and_clear_bit().
Right, I mixed it up again. :( It's genuine RMW indeed (unlike _set/_read)
but I forgot it needs to have a retval to have the memory barriers.
Quotting atomic_t.rst:
---8<---
ORDERING (go read memory-barriers.txt first)
--------
The rule of thumb:
- non-RMW operations are unordered;
- RMW operations that have no return value are unordered;
- RMW operations that have a return value are fully ordered;
- RMW operations that are conditional are unordered on FAILURE,
otherwise the above rules apply.
---8<---
Bit clear unordered.
>
> >
> > However I don't see anything stops a simple "race" to trigger like below:
> >
> > recycle thread vcpu thread
> > -------------- -----------
> > if (!dirty_ring_soft_full) <--- not full
> > dirty_ring_push();
> > if (dirty_ring_soft_full) <--- full due to the push
> > set_request(SOFT_FULL);
> > clear_request(SOFT_FULL); <--- can wrongly clear the request?
> >
>
> Hmmm, well spotted. That's another ugly effect of the recycle thread
> playing with someone else's toys.
>
> > But I don't think that's a huge matter, as it'll just let the vcpu to have
> > one more chance to do another round of KVM_RUN. Normally I think it means
> > there can be one more dirty GFN (perhaps there're cases that it can push >1
> > gfns for one KVM_RUN cycle? I never figured out the details here, but
> > still..) pushed to the ring so closer to the hard limit, but we have had a
> > buffer zone of KVM_DIRTY_RING_RSVD_ENTRIES (64) entries. So I assume
> > that's still fine, but maybe worth a short comment here?
> >
> > I never know what's the maximum possible GFNs being dirtied for a KVM_RUN
> > cycle. It would be good if there's an answer to that from anyone.
>
> This is dangerous, and I'd rather not go there.
>
> It is starting to look like we need the recycle thread to get out of
> the way. And to be honest:
>
> + if (!kvm_dirty_ring_soft_full(ring))
> + kvm_clear_request(KVM_REQ_DIRTY_RING_SOFT_FULL, vcpu);
>
> seems rather superfluous. Only clearing the flag in the vcpu entry
> path feels much saner, and I can't see anything that would break.
>
> Thoughts?
Sounds good here.
Might be slightly off-topic: I didn't quickly spot how do we guarantee two
threads doing KVM_RUN ioctl on the same vcpu fd concurrently. I know
that's insane and could have corrupted things, but I just want to make sure
e.g. even a malicious guest app won't be able to trigger host warnings.
--
Peter Xu
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Peter Xu <peterx@redhat.com>
To: Marc Zyngier <maz@kernel.org>
Cc: Sean Christopherson <seanjc@google.com>,
Gavin Shan <gshan@redhat.com>,
kvmarm@lists.linux.dev, kvm@vger.kernel.org,
kvmarm@lists.cs.columbia.edu, andrew.jones@linux.dev,
ajones@ventanamicro.com, bgardon@google.com,
catalin.marinas@arm.com, dmatlack@google.com, will@kernel.org,
pbonzini@redhat.com, oliver.upton@linux.dev, james.morse@arm.com,
shuah@kernel.org, suzuki.poulose@arm.com,
alexandru.elisei@arm.com, zhenyzha@redhat.com,
shan.gavin@gmail.com
Subject: Re: [PATCH v7 1/9] KVM: x86: Introduce KVM_REQ_DIRTY_RING_SOFT_FULL
Date: Wed, 2 Nov 2022 12:23:16 -0400 [thread overview]
Message-ID: <Y2KZdDAQN4889W9V@x1n> (raw)
In-Reply-To: <867d0de4b0.wl-maz@kernel.org>
On Wed, Nov 02, 2022 at 03:58:43PM +0000, Marc Zyngier wrote:
> On Wed, 02 Nov 2022 14:29:26 +0000,
> Peter Xu <peterx@redhat.com> wrote:
> >
> > On Tue, Nov 01, 2022 at 07:39:25PM +0000, Sean Christopherson wrote:
> > > > @@ -142,13 +144,17 @@ int kvm_dirty_ring_reset(struct kvm *kvm, struct kvm_dirty_ring *ring)
> > > >
> > > > kvm_reset_dirty_gfn(kvm, cur_slot, cur_offset, mask);
> > > >
> > > > + if (!kvm_dirty_ring_soft_full(ring))
> > > > + kvm_clear_request(KVM_REQ_DIRTY_RING_SOFT_FULL, vcpu);
> > > > +
> > >
> > > Marc, Peter, and/or Paolo, can you confirm that clearing the
> > > request here won't cause ordering problems? Logically, this makes
> > > perfect sense (to me, since I suggested it), but I'm mildly
> > > concerned I'm overlooking an edge case where KVM could end up with
> > > a soft-full ring but no pending request.
> >
> > I don't see an ordering issue here, as long as kvm_clear_request() is using
> > atomic version of bit clear, afaict that's genuine RMW and should always
> > imply a full memory barrier (on any arch?) between the soft full check and
> > the bit clear. At least for x86 the lock prefix was applied.
>
> No, clear_bit() is not a full barrier. It only atomic, and thus
> completely unordered (see Documentation/atomic_bitops.txt). If you
> want a full barrier, you need to use test_and_clear_bit().
Right, I mixed it up again. :( It's genuine RMW indeed (unlike _set/_read)
but I forgot it needs to have a retval to have the memory barriers.
Quotting atomic_t.rst:
---8<---
ORDERING (go read memory-barriers.txt first)
--------
The rule of thumb:
- non-RMW operations are unordered;
- RMW operations that have no return value are unordered;
- RMW operations that have a return value are fully ordered;
- RMW operations that are conditional are unordered on FAILURE,
otherwise the above rules apply.
---8<---
Bit clear unordered.
>
> >
> > However I don't see anything stops a simple "race" to trigger like below:
> >
> > recycle thread vcpu thread
> > -------------- -----------
> > if (!dirty_ring_soft_full) <--- not full
> > dirty_ring_push();
> > if (dirty_ring_soft_full) <--- full due to the push
> > set_request(SOFT_FULL);
> > clear_request(SOFT_FULL); <--- can wrongly clear the request?
> >
>
> Hmmm, well spotted. That's another ugly effect of the recycle thread
> playing with someone else's toys.
>
> > But I don't think that's a huge matter, as it'll just let the vcpu to have
> > one more chance to do another round of KVM_RUN. Normally I think it means
> > there can be one more dirty GFN (perhaps there're cases that it can push >1
> > gfns for one KVM_RUN cycle? I never figured out the details here, but
> > still..) pushed to the ring so closer to the hard limit, but we have had a
> > buffer zone of KVM_DIRTY_RING_RSVD_ENTRIES (64) entries. So I assume
> > that's still fine, but maybe worth a short comment here?
> >
> > I never know what's the maximum possible GFNs being dirtied for a KVM_RUN
> > cycle. It would be good if there's an answer to that from anyone.
>
> This is dangerous, and I'd rather not go there.
>
> It is starting to look like we need the recycle thread to get out of
> the way. And to be honest:
>
> + if (!kvm_dirty_ring_soft_full(ring))
> + kvm_clear_request(KVM_REQ_DIRTY_RING_SOFT_FULL, vcpu);
>
> seems rather superfluous. Only clearing the flag in the vcpu entry
> path feels much saner, and I can't see anything that would break.
>
> Thoughts?
Sounds good here.
Might be slightly off-topic: I didn't quickly spot how do we guarantee two
threads doing KVM_RUN ioctl on the same vcpu fd concurrently. I know
that's insane and could have corrupted things, but I just want to make sure
e.g. even a malicious guest app won't be able to trigger host warnings.
--
Peter Xu
next prev parent reply other threads:[~2022-11-02 16:23 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-31 0:36 [PATCH v7 0/9] KVM: arm64: Enable ring-based dirty memory tracking Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 0:36 ` [PATCH v7 1/9] KVM: x86: Introduce KVM_REQ_DIRTY_RING_SOFT_FULL Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-11-01 19:39 ` Sean Christopherson
2022-11-01 19:39 ` Sean Christopherson
2022-11-02 14:29 ` Peter Xu
2022-11-02 14:29 ` Peter Xu
2022-11-02 15:58 ` Marc Zyngier
2022-11-02 15:58 ` Marc Zyngier
2022-11-02 16:11 ` Sean Christopherson
2022-11-02 16:11 ` Sean Christopherson
2022-11-02 16:44 ` Marc Zyngier
2022-11-02 16:44 ` Marc Zyngier
2022-11-03 0:44 ` Gavin Shan
2022-11-03 0:44 ` Gavin Shan
2022-11-02 16:23 ` Peter Xu [this message]
2022-11-02 16:23 ` Peter Xu
2022-11-02 16:33 ` Sean Christopherson
2022-11-02 16:33 ` Sean Christopherson
2022-11-02 16:43 ` Peter Xu
2022-11-02 16:43 ` Peter Xu
2022-11-02 16:48 ` Marc Zyngier
2022-11-02 16:48 ` Marc Zyngier
2022-11-02 14:31 ` Marc Zyngier
2022-11-02 14:31 ` Marc Zyngier
2022-10-31 0:36 ` [PATCH v7 2/9] KVM: Move declaration of kvm_cpu_dirty_log_size() to kvm_dirty_ring.h Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 0:36 ` [PATCH v7 3/9] KVM: Check KVM_CAP_DIRTY_LOG_{RING, RING_ACQ_REL} prior to enabling them Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 9:18 ` Oliver Upton
2022-10-31 9:18 ` Oliver Upton
2022-10-31 0:36 ` [PATCH v7 4/9] KVM: Support dirty ring in conjunction with bitmap Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-11-03 19:33 ` Peter Xu
2022-11-03 19:33 ` Peter Xu
2022-11-03 23:32 ` Oliver Upton
2022-11-03 23:32 ` Oliver Upton
2022-11-04 0:12 ` Gavin Shan
2022-11-04 0:12 ` Gavin Shan
2022-11-04 1:06 ` Oliver Upton
2022-11-04 1:06 ` Oliver Upton
2022-11-04 6:57 ` Gavin Shan
2022-11-04 6:57 ` Gavin Shan
2022-11-04 20:12 ` Oliver Upton
2022-11-04 20:12 ` Oliver Upton
2022-11-04 21:57 ` Gavin Shan
2022-11-04 21:57 ` Gavin Shan
2022-11-04 22:23 ` Oliver Upton
2022-11-04 22:23 ` Oliver Upton
2022-10-31 0:36 ` [PATCH v7 5/9] KVM: arm64: Improve no-running-vcpu report for dirty ring Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 9:08 ` Oliver Upton
2022-10-31 9:08 ` Oliver Upton
2022-10-31 23:08 ` Gavin Shan
2022-10-31 23:08 ` Gavin Shan
2022-11-02 17:18 ` Marc Zyngier
2022-11-02 17:18 ` Marc Zyngier
2022-10-31 0:36 ` [PATCH v7 6/9] KVM: arm64: Enable ring-based dirty memory tracking Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 0:36 ` [PATCH v7 7/9] KVM: selftests: Use host page size to map ring buffer in dirty_log_test Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 0:36 ` [PATCH v7 8/9] KVM: selftests: Clear dirty ring states between two modes " Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 0:36 ` [PATCH v7 9/9] KVM: selftests: Automate choosing dirty ring size " Gavin Shan
2022-10-31 0:36 ` Gavin Shan
2022-10-31 17:23 ` (subset) [PATCH v7 0/9] KVM: arm64: Enable ring-based dirty memory tracking Marc Zyngier
2022-10-31 17:23 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y2KZdDAQN4889W9V@x1n \
--to=peterx@redhat.com \
--cc=ajones@ventanamicro.com \
--cc=andrew.jones@linux.dev \
--cc=bgardon@google.com \
--cc=catalin.marinas@arm.com \
--cc=dmatlack@google.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=kvmarm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=pbonzini@redhat.com \
--cc=shan.gavin@gmail.com \
--cc=shuah@kernel.org \
--cc=will@kernel.org \
--cc=zhenyzha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.