All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>,
	George Dunlap <george.dunlap@citrix.com>,
	Ian Jackson <iwj@xenproject.org>
Subject: Re: [PATCH v2 8/8] x86/PV: use get_unsafe() instead of copy_from_unsafe()
Date: Tue, 23 Feb 2021 19:03:34 +0100	[thread overview]
Message-ID: <YDVDdozqBnoZjD/H@Air-de-Roger> (raw)
In-Reply-To: <4fdb5952-6196-3a79-1306-e65d75e495d2@suse.com>

On Tue, Feb 23, 2021 at 05:13:21PM +0100, Jan Beulich wrote:
> On 23.02.2021 16:37, Roger Pau Monné wrote:
> > On Tue, Feb 23, 2021 at 04:25:00PM +0100, Jan Beulich wrote:
> >> On 23.02.2021 12:59, Roger Pau Monné wrote:
> >>> On Wed, Feb 17, 2021 at 09:23:33AM +0100, Jan Beulich wrote:
> >>>> The former expands to a single (memory accessing) insn, which the latter
> >>>> does not guarantee. Yet we'd prefer to read consistent PTEs rather than
> >>>> risking a split read racing with an update done elsewhere.
> >>>>
> >>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> >>>
> >>> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
> >>>
> >>> Albeit I wonder why the __builtin_constant_p check done in
> >>> copy_from_unsafe is not enough to take the get_unsafe_size branch in
> >>> there. Doesn't sizeof(l{1,2}_pgentry_t) qualify as a built time
> >>> constant?
> >>>
> >>> Or the fact that n it's a parameter to an inline function hides this,
> >>> in which case the __builtin_constant_p is pointless?
> >>
> >> Without (enough) optimization, __builtin_constant_p() may indeed
> >> yield false in such cases. But that wasn't actually what I had
> >> in mind when making this change (and the original similar on in
> >> shadow code). Instead, at the time I made the shadow side change,
> >> I had removed this optimization from the new function flavors.
> >> With that removal, things are supposed to still be correct - it's
> >> an optimization only, after all. Meanwhile the optimizations are
> >> back, so there's no immediate problem as long as the optimizer
> >> doesn't decide to out-of-line the function invocations (we
> >> shouldn't forget that even always_inline is not a guarantee for
> >> inlining to actually occur).
> > 
> > I'm fine with you switching those use cases to get_unsafe, but I think
> > the commit message should be slightly adjusted to notice that
> > copy_from_unsafe will likely do the right thing, but that it's simply
> > clearer to call get_unsafe directly, also in case copy_from_unsafe
> > gets changed in the future to drop the get_unsafe paths.
> 
> How about this then?
> 
> "The former expands to a single (memory accessing) insn, which the latter
>  does not guarantee (the __builtin_constant_p() based switch() statement
>  there is just an optimization). Yet we'd prefer to read consistent PTEs
>  rather than risking a split read racing with an update done elsewhere."

LGTM, thanks.

Roger.


  reply	other threads:[~2021-02-23 18:03 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-17  8:16 [PATCH v2 0/8] x86/PV: avoid speculation abuse through guest accessors Jan Beulich
2021-02-17  8:19 ` [PATCH v2 1/8] x86: split __{get,put}_user() into "guest" and "unsafe" variants Jan Beulich
2021-02-17  8:20 ` [PATCH v2 2/8] x86: split __copy_{from,to}_user() " Jan Beulich
2021-02-17  8:20 ` [PATCH v2 3/8] x86/PV: harden guest memory accesses against speculative abuse Jan Beulich
2021-02-17  8:21 ` [PATCH v2 4/8] x86: rename {get,put}_user() to {get,put}_guest() Jan Beulich
2021-02-22 15:22   ` Roger Pau Monné
2021-02-17  8:21 ` [PATCH v2 5/8] x86/gdbsx: convert "user" to "guest" accesses Jan Beulich
2021-02-22 15:31   ` Roger Pau Monné
2021-02-22 15:55     ` Jan Beulich
2021-02-22 16:08       ` Roger Pau Monné
2021-02-17  8:22 ` [PATCH v2 6/8] x86: rename copy_{from,to}_user() to copy_{from,to}_guest_pv() Jan Beulich
2021-02-23 11:04   ` Roger Pau Monné
2021-02-23 15:15     ` Jan Beulich
2021-02-17  8:22 ` [PATCH v2 7/8] x86: move stac()/clac() from {get,put}_unsafe_asm() Jan Beulich
2021-02-23 11:40   ` Roger Pau Monné
2021-02-17  8:23 ` [PATCH v2 8/8] x86/PV: use get_unsafe() instead of copy_from_unsafe() Jan Beulich
2021-02-23 11:59   ` Roger Pau Monné
2021-02-23 15:25     ` Jan Beulich
2021-02-23 15:37       ` Roger Pau Monné
2021-02-23 16:13         ` Jan Beulich
2021-02-23 18:03           ` Roger Pau Monné [this message]
2021-02-19 15:50 ` [PATCH v2 0/8] x86/PV: avoid speculation abuse through guest accessors Ian Jackson
2021-02-19 15:56   ` Jan Beulich
2021-02-19 16:13     ` Ian Jackson
2021-02-19 16:16       ` Jan Beulich
2021-02-19 16:30         ` Ian Jackson
2021-02-24 11:13   ` Jan Beulich
2021-02-24 13:08     ` Ian Jackson
2021-02-24 13:18       ` Jan Beulich
2021-02-24 13:26         ` Ian Jackson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YDVDdozqBnoZjD/H@Air-de-Roger \
    --to=roger.pau@citrix.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=george.dunlap@citrix.com \
    --cc=iwj@xenproject.org \
    --cc=jbeulich@suse.com \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.