From: David Hildenbrand <david@redhat.com> To: ankita@nvidia.com, jgg@nvidia.com, maz@kernel.org, oliver.upton@linux.dev, james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, reinette.chatre@intel.com, surenb@google.com, stefanha@redhat.com, brauner@kernel.org, catalin.marinas@arm.com, will@kernel.org, mark.rutland@arm.com, alex.williamson@redhat.com, kevin.tian@intel.com, yi.l.liu@intel.com, ardb@kernel.org, akpm@linux-foundation.org, andreyknvl@gmail.com, wangjinchao@xfusion.com, gshan@redhat.com, shahuang@redhat.com, ricarkol@google.com, linux-mm@kvack.org, lpieralisi@kernel.org, rananta@google.com, ryan.roberts@arm.com, linus.walleij@linaro.org, bhe@redhat.com Cc: aniketa@nvidia.com, cjia@nvidia.com, kwankhede@nvidia.com, targupta@nvidia.com, vsethi@nvidia.com, acurrid@nvidia.com, apopple@nvidia.com, jhubbard@nvidia.com, danw@nvidia.com, kvmarm@lists.linux.dev, mochs@nvidia.com, zhiw@nvidia.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory Date: Mon, 12 Feb 2024 11:26:12 +0100 [thread overview] Message-ID: <aa6c1708-d6ac-46f7-b7ab-e97a273a90c2@redhat.com> (raw) In-Reply-To: <20240211174705.31992-1-ankita@nvidia.com> On 11.02.24 18:47, ankita@nvidia.com wrote: > From: Ankit Agrawal <ankita@nvidia.com> > Hi, > Currently, KVM for ARM64 maps at stage 2 memory that is considered device > with DEVICE_nGnRE memory attributes; this setting overrides (per > ARM architecture [1]) any device MMIO mapping present at stage 1, > resulting in a set-up whereby a guest operating system cannot > determine device MMIO mapping memory attributes on its own but > it is always overridden by the KVM stage 2 default. > > This set-up does not allow guest operating systems to select device > memory attributes independently from KVM stage-2 mappings > (refer to [1], "Combining stage 1 and stage 2 memory type attributes"), > which turns out to be an issue in that guest operating systems > (e.g. Linux) may request to map devices MMIO regions with memory > attributes that guarantee better performance (e.g. gathering > attribute - that for some devices can generate larger PCIe memory > writes TLPs) and specific operations (e.g. unaligned transactions) > such as the NormalNC memory type. > > The default device stage 2 mapping was chosen in KVM for ARM64 since > it was considered safer (i.e. it would not allow guests to trigger > uncontained failures ultimately crashing the machine) but this > turned out to be asynchronous (SError) defeating the purpose. > > For these reasons, relax the KVM stage 2 device memory attributes > from DEVICE_nGnRE to Normal-NC. > > Generalizing to other devices may be problematic, however. E.g. > GICv2 VCPU interface, which is effectively a shared peripheral, can > allow a guest to affect another guest's interrupt distribution. Hence > limit the change to VFIO PCI as caution. This is achieved by > making the VFIO PCI core module set a flag that is tested by KVM > to activate the code. This could be extended to other devices in > the future once that is deemed safe. I still have to digest some of the stuff I learned about this issue, please bear with me :) (1) PCI BARs might contain mixtures of RAM and MMIO, the exact locations/semantics within a BAR are only really known to the actual device driver. We must not unconditionally map PFNs "the wrong way", because it can have undesired side effects. Side effects might include read-speculation, that can be very problematic with MMIO regions. The safe way (for the host) is DEVICE_nGnRE. But that is actually problematic for performance (where we want WC?) and unaligned accesses (where we want NC?). We can trigger both cases right now inside VMs, where we want the device driver to actually make the decision. (2) For a VM, that device driver lives inside the VM, for DPDK and friends, it lives in user space. They have this information. We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is out of the picture. So we want to allow the VM to achieve a WC/NC mapping by using a relaxed (NC) mapping in stage-1. Whatever is set in stage-2 wins. (3) vfio knows whether using WC (and NC?) could be problematic, and must forbid it, if that is the case. There are cases where we could otherwise cause harm (bring down the host?). We must keep mapping the memory as DEVICE_nGnRE when in doubt. Now, what the new mmap() flag does is tell the world "using the wrong mapping type cannot bring down the host", and KVM uses that to use a different mapping type (NC) in stage-1 as setup by vfio in the user space page tables. I was trying to find ways of avoiding a mmap() flag and was hoping that we could just use a PTE bit that does not have semantics in VM_PFNMAP mappings. Unfortunately, arm64 does not support uffd-wp, which I had in mind, so it's not that easy. Further, I was wondering if there would be a way to let DPDK similarly benefit, because it looks like we are happily ignoring that (I was told they apply some hacks to work around that). In essence, user space knows how it will consume that memory: QEMU wants to mmap() it only to get it into stage-1 and not access it via the user page tables. DPDK wants to mmap() it to actually access it from user space. So I am curious, is the following problematic, and why: (a) User space tells VFIO which parts of a BAR it would like to have mapped differently. For QEMU, this would mean, requesting a NC mapping for the whole BAR. For DPDK, it could mean requesting different types for parts of a BAR. (b) VFIO decides if it is safe to use a relaxed mapping. If in doubt, it falls back to existing (legacy) handling -- DEVICE_nGnRE. (c) KVM simply uses the existing mapping type instead of diverging from the one in the user space mapping. That would mean, that we would map NC already in QEMU. I wonder if that could be a problem with read speculation, even if QEMU never really accesses that mmap'ed region. Something like that would of course require user space changes. Handling it without such changes (ignoring DPDK of course) would require some information exchange between KVM and vfio, like the mmap flag proposed. -- Cheers, David / dhildenb
WARNING: multiple messages have this Message-ID (diff)
From: David Hildenbrand <david@redhat.com> To: ankita@nvidia.com, jgg@nvidia.com, maz@kernel.org, oliver.upton@linux.dev, james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, reinette.chatre@intel.com, surenb@google.com, stefanha@redhat.com, brauner@kernel.org, catalin.marinas@arm.com, will@kernel.org, mark.rutland@arm.com, alex.williamson@redhat.com, kevin.tian@intel.com, yi.l.liu@intel.com, ardb@kernel.org, akpm@linux-foundation.org, andreyknvl@gmail.com, wangjinchao@xfusion.com, gshan@redhat.com, shahuang@redhat.com, ricarkol@google.com, linux-mm@kvack.org, lpieralisi@kernel.org, rananta@google.com, ryan.roberts@arm.com, linus.walleij@linaro.org, bhe@redhat.com Cc: aniketa@nvidia.com, cjia@nvidia.com, kwankhede@nvidia.com, targupta@nvidia.com, vsethi@nvidia.com, acurrid@nvidia.com, apopple@nvidia.com, jhubbard@nvidia.com, danw@nvidia.com, kvmarm@lists.linux.dev, mochs@nvidia.com, zhiw@nvidia.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory Date: Mon, 12 Feb 2024 11:26:12 +0100 [thread overview] Message-ID: <aa6c1708-d6ac-46f7-b7ab-e97a273a90c2@redhat.com> (raw) In-Reply-To: <20240211174705.31992-1-ankita@nvidia.com> On 11.02.24 18:47, ankita@nvidia.com wrote: > From: Ankit Agrawal <ankita@nvidia.com> > Hi, > Currently, KVM for ARM64 maps at stage 2 memory that is considered device > with DEVICE_nGnRE memory attributes; this setting overrides (per > ARM architecture [1]) any device MMIO mapping present at stage 1, > resulting in a set-up whereby a guest operating system cannot > determine device MMIO mapping memory attributes on its own but > it is always overridden by the KVM stage 2 default. > > This set-up does not allow guest operating systems to select device > memory attributes independently from KVM stage-2 mappings > (refer to [1], "Combining stage 1 and stage 2 memory type attributes"), > which turns out to be an issue in that guest operating systems > (e.g. Linux) may request to map devices MMIO regions with memory > attributes that guarantee better performance (e.g. gathering > attribute - that for some devices can generate larger PCIe memory > writes TLPs) and specific operations (e.g. unaligned transactions) > such as the NormalNC memory type. > > The default device stage 2 mapping was chosen in KVM for ARM64 since > it was considered safer (i.e. it would not allow guests to trigger > uncontained failures ultimately crashing the machine) but this > turned out to be asynchronous (SError) defeating the purpose. > > For these reasons, relax the KVM stage 2 device memory attributes > from DEVICE_nGnRE to Normal-NC. > > Generalizing to other devices may be problematic, however. E.g. > GICv2 VCPU interface, which is effectively a shared peripheral, can > allow a guest to affect another guest's interrupt distribution. Hence > limit the change to VFIO PCI as caution. This is achieved by > making the VFIO PCI core module set a flag that is tested by KVM > to activate the code. This could be extended to other devices in > the future once that is deemed safe. I still have to digest some of the stuff I learned about this issue, please bear with me :) (1) PCI BARs might contain mixtures of RAM and MMIO, the exact locations/semantics within a BAR are only really known to the actual device driver. We must not unconditionally map PFNs "the wrong way", because it can have undesired side effects. Side effects might include read-speculation, that can be very problematic with MMIO regions. The safe way (for the host) is DEVICE_nGnRE. But that is actually problematic for performance (where we want WC?) and unaligned accesses (where we want NC?). We can trigger both cases right now inside VMs, where we want the device driver to actually make the decision. (2) For a VM, that device driver lives inside the VM, for DPDK and friends, it lives in user space. They have this information. We only focus here on optimizing (fixing?) the mapping for VMs, DPDK is out of the picture. So we want to allow the VM to achieve a WC/NC mapping by using a relaxed (NC) mapping in stage-1. Whatever is set in stage-2 wins. (3) vfio knows whether using WC (and NC?) could be problematic, and must forbid it, if that is the case. There are cases where we could otherwise cause harm (bring down the host?). We must keep mapping the memory as DEVICE_nGnRE when in doubt. Now, what the new mmap() flag does is tell the world "using the wrong mapping type cannot bring down the host", and KVM uses that to use a different mapping type (NC) in stage-1 as setup by vfio in the user space page tables. I was trying to find ways of avoiding a mmap() flag and was hoping that we could just use a PTE bit that does not have semantics in VM_PFNMAP mappings. Unfortunately, arm64 does not support uffd-wp, which I had in mind, so it's not that easy. Further, I was wondering if there would be a way to let DPDK similarly benefit, because it looks like we are happily ignoring that (I was told they apply some hacks to work around that). In essence, user space knows how it will consume that memory: QEMU wants to mmap() it only to get it into stage-1 and not access it via the user page tables. DPDK wants to mmap() it to actually access it from user space. So I am curious, is the following problematic, and why: (a) User space tells VFIO which parts of a BAR it would like to have mapped differently. For QEMU, this would mean, requesting a NC mapping for the whole BAR. For DPDK, it could mean requesting different types for parts of a BAR. (b) VFIO decides if it is safe to use a relaxed mapping. If in doubt, it falls back to existing (legacy) handling -- DEVICE_nGnRE. (c) KVM simply uses the existing mapping type instead of diverging from the one in the user space mapping. That would mean, that we would map NC already in QEMU. I wonder if that could be a problem with read speculation, even if QEMU never really accesses that mmap'ed region. Something like that would of course require user space changes. Handling it without such changes (ignoring DPDK of course) would require some information exchange between KVM and vfio, like the mmap flag proposed. -- Cheers, David / dhildenb _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2024-02-12 10:26 UTC|newest] Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top 2024-02-11 17:47 [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory ankita 2024-02-11 17:47 ` ankita 2024-02-11 17:47 ` [PATCH v7 1/4] kvm: arm64: introduce new flag for non-cacheable " ankita 2024-02-11 17:47 ` ankita 2024-02-11 17:47 ` [PATCH v7 2/4] mm: introduce new flag to indicate wc safe ankita 2024-02-11 17:47 ` ankita 2024-02-12 13:13 ` David Hildenbrand 2024-02-12 13:13 ` David Hildenbrand 2024-02-13 3:41 ` Ankit Agrawal 2024-02-13 3:41 ` Ankit Agrawal 2024-02-11 17:47 ` [PATCH v7 3/4] kvm: arm64: set io memory s2 pte as normalnc for vfio pci device ankita 2024-02-11 17:47 ` ankita 2024-02-11 17:47 ` [PATCH v7 4/4] vfio: convey kvm that the vfio-pci device is wc safe ankita 2024-02-11 17:47 ` ankita 2024-02-12 13:16 ` David Hildenbrand 2024-02-12 13:16 ` David Hildenbrand 2024-02-12 17:05 ` Alex Williamson 2024-02-12 17:05 ` Alex Williamson 2024-02-12 17:20 ` Jason Gunthorpe 2024-02-12 17:20 ` Jason Gunthorpe 2024-02-12 17:27 ` Alex Williamson 2024-02-12 17:27 ` Alex Williamson 2024-02-13 1:59 ` Ankit Agrawal 2024-02-13 1:59 ` Ankit Agrawal 2024-02-12 10:26 ` David Hildenbrand [this message] 2024-02-12 10:26 ` [PATCH v7 0/4] kvm: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory David Hildenbrand 2024-02-12 12:56 ` Jason Gunthorpe 2024-02-12 12:56 ` Jason Gunthorpe 2024-02-12 13:06 ` David Hildenbrand 2024-02-12 13:06 ` David Hildenbrand 2024-02-12 20:24 ` Oliver Upton 2024-02-12 20:24 ` Oliver Upton 2024-02-13 2:29 ` Ankit Agrawal 2024-02-13 2:29 ` Ankit Agrawal
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=aa6c1708-d6ac-46f7-b7ab-e97a273a90c2@redhat.com \ --to=david@redhat.com \ --cc=acurrid@nvidia.com \ --cc=akpm@linux-foundation.org \ --cc=alex.williamson@redhat.com \ --cc=andreyknvl@gmail.com \ --cc=aniketa@nvidia.com \ --cc=ankita@nvidia.com \ --cc=apopple@nvidia.com \ --cc=ardb@kernel.org \ --cc=bhe@redhat.com \ --cc=brauner@kernel.org \ --cc=catalin.marinas@arm.com \ --cc=cjia@nvidia.com \ --cc=danw@nvidia.com \ --cc=gshan@redhat.com \ --cc=james.morse@arm.com \ --cc=jgg@nvidia.com \ --cc=jhubbard@nvidia.com \ --cc=kevin.tian@intel.com \ --cc=kvm@vger.kernel.org \ --cc=kvmarm@lists.linux.dev \ --cc=kwankhede@nvidia.com \ --cc=linus.walleij@linaro.org \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=lpieralisi@kernel.org \ --cc=mark.rutland@arm.com \ --cc=maz@kernel.org \ --cc=mochs@nvidia.com \ --cc=oliver.upton@linux.dev \ --cc=rananta@google.com \ --cc=reinette.chatre@intel.com \ --cc=ricarkol@google.com \ --cc=ryan.roberts@arm.com \ --cc=shahuang@redhat.com \ --cc=stefanha@redhat.com \ --cc=surenb@google.com \ --cc=suzuki.poulose@arm.com \ --cc=targupta@nvidia.com \ --cc=vsethi@nvidia.com \ --cc=wangjinchao@xfusion.com \ --cc=will@kernel.org \ --cc=yi.l.liu@intel.com \ --cc=yuzenghui@huawei.com \ --cc=zhiw@nvidia.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.