From: Stefano Stabellini <sstabellini@kernel.org>
To: "Herongguang (Stephen)" <herongguang.he@huawei.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
hrg <hrgstephen@gmail.com>,
Anthony PERARD <anthony.perard@citrix.com>,
xen-devel@lists.xensource.com, qemu-devel@nongnu.org,
Jun Nakajima <jun.nakajima@intel.com>,
Alexander Graf <agraf@suse.de>,
xen-devel@lists.xenproject.org, xen-devel@lists.xen.org,
wangxinxin.wang@huawei.com
Subject: Re: [Qemu-devel] [RFC/BUG] xen-mapcache: buggy invalidate map cache?
Date: Wed, 12 Apr 2017 16:51:46 -0700 (PDT) [thread overview]
Message-ID: <alpine.DEB.2.10.1704121645470.2759@sstabellini-ThinkPad-X260> (raw)
In-Reply-To: <58EDE1E4.2090003@huawei.com>
On Wed, 12 Apr 2017, Herongguang (Stephen) wrote:
> On 2017/4/12 6:32, Stefano Stabellini wrote:
> > On Tue, 11 Apr 2017, hrg wrote:
> > > On Tue, Apr 11, 2017 at 3:50 AM, Stefano Stabellini
> > > <sstabellini@kernel.org> wrote:
> > > > On Mon, 10 Apr 2017, Stefano Stabellini wrote:
> > > > > On Mon, 10 Apr 2017, hrg wrote:
> > > > > > On Sun, Apr 9, 2017 at 11:55 PM, hrg <hrgstephen@gmail.com> wrote:
> > > > > > > On Sun, Apr 9, 2017 at 11:52 PM, hrg <hrgstephen@gmail.com> wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > In xen_map_cache_unlocked(), map to guest memory maybe in
> > > > > > > > entry->next
> > > > > > > > instead of first level entry (if map to rom other than guest
> > > > > > > > memory
> > > > > > > > comes first), while in xen_invalidate_map_cache(), when VM
> > > > > > > > ballooned
> > > > > > > > out memory, qemu did not invalidate cache entries in linked
> > > > > > > > list(entry->next), so when VM balloon back in memory, gfns
> > > > > > > > probably
> > > > > > > > mapped to different mfns, thus if guest asks device to DMA to
> > > > > > > > these
> > > > > > > > GPA, qemu may DMA to stale MFNs.
> > > > > > > >
> > > > > > > > So I think in xen_invalidate_map_cache() linked lists should
> > > > > > > > also be
> > > > > > > > checked and invalidated.
> > > > > > > >
> > > > > > > > What’s your opinion? Is this a bug? Is my analyze correct?
> > > > > Yes, you are right. We need to go through the list for each element of
> > > > > the array in xen_invalidate_map_cache. Can you come up with a patch?
> > > > I spoke too soon. In the regular case there should be no locked mappings
> > > > when xen_invalidate_map_cache is called (see the DPRINTF warning at the
> > > > beginning of the functions). Without locked mappings, there should never
> > > > be more than one element in each list (see xen_map_cache_unlocked:
> > > > entry->lock == true is a necessary condition to append a new entry to
> > > > the list, otherwise it is just remapped).
> > > >
> > > > Can you confirm that what you are seeing are locked mappings
> > > > when xen_invalidate_map_cache is called? To find out, enable the DPRINTK
> > > > by turning it into a printf or by defininig MAPCACHE_DEBUG.
> > > In fact, I think the DPRINTF above is incorrect too. In
> > > pci_add_option_rom(), rtl8139 rom is locked mapped in
> > > pci_add_option_rom->memory_region_get_ram_ptr (after
> > > memory_region_init_ram). So actually I think we should remove the
> > > DPRINTF warning as it is normal.
> > Let me explain why the DPRINTF warning is there: emulated dma operations
> > can involve locked mappings. Once a dma operation completes, the related
> > mapping is unlocked and can be safely destroyed. But if we destroy a
> > locked mapping in xen_invalidate_map_cache, while a dma is still
> > ongoing, QEMU will crash. We cannot handle that case.
> >
> > However, the scenario you described is different. It has nothing to do
> > with DMA. It looks like pci_add_option_rom calls
> > memory_region_get_ram_ptr to map the rtl8139 rom. The mapping is a
> > locked mapping and it is never unlocked or destroyed.
> >
> > It looks like "ptr" is not used after pci_add_option_rom returns. Does
> > the append patch fix the problem you are seeing? For the proper fix, I
> > think we probably need some sort of memory_region_unmap wrapper or maybe
> > a call to address_space_unmap.
>
> Yes, I think so, maybe this is the proper way to fix this.
Would you be up for sending a proper patch and testing it? We cannot call
xen_invalidate_map_cache_entry directly from pci.c though, it would need
to be one of the other functions like address_space_unmap for example.
> > diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> > index e6b08e1..04f98b7 100644
> > --- a/hw/pci/pci.c
> > +++ b/hw/pci/pci.c
> > @@ -2242,6 +2242,7 @@ static void pci_add_option_rom(PCIDevice *pdev, bool
> > is_default_rom,
> > }
> > pci_register_bar(pdev, PCI_ROM_SLOT, 0, &pdev->rom);
> > + xen_invalidate_map_cache_entry(ptr);
> > }
> > static void pci_del_option_rom(PCIDevice *pdev)
WARNING: multiple messages have this Message-ID (diff)
From: Stefano Stabellini <sstabellini@kernel.org>
To: "Herongguang (Stephen)" <herongguang.he@huawei.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
wangxinxin.wang@huawei.com, qemu-devel@nongnu.org,
Alexander Graf <agraf@suse.de>,
xen-devel@lists.xensource.com,
Jun Nakajima <jun.nakajima@intel.com>,
Anthony PERARD <anthony.perard@citrix.com>,
xen-devel@lists.xenproject.org, xen-devel@lists.xen.org,
hrg <hrgstephen@gmail.com>
Subject: Re: [Qemu-devel] [RFC/BUG] xen-mapcache: buggy invalidate map cache?
Date: Wed, 12 Apr 2017 16:51:46 -0700 (PDT) [thread overview]
Message-ID: <alpine.DEB.2.10.1704121645470.2759@sstabellini-ThinkPad-X260> (raw)
In-Reply-To: <58EDE1E4.2090003@huawei.com>
[-- Attachment #1: Type: TEXT/PLAIN, Size: 4106 bytes --]
On Wed, 12 Apr 2017, Herongguang (Stephen) wrote:
> On 2017/4/12 6:32, Stefano Stabellini wrote:
> > On Tue, 11 Apr 2017, hrg wrote:
> > > On Tue, Apr 11, 2017 at 3:50 AM, Stefano Stabellini
> > > <sstabellini@kernel.org> wrote:
> > > > On Mon, 10 Apr 2017, Stefano Stabellini wrote:
> > > > > On Mon, 10 Apr 2017, hrg wrote:
> > > > > > On Sun, Apr 9, 2017 at 11:55 PM, hrg <hrgstephen@gmail.com> wrote:
> > > > > > > On Sun, Apr 9, 2017 at 11:52 PM, hrg <hrgstephen@gmail.com> wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > In xen_map_cache_unlocked(), map to guest memory maybe in
> > > > > > > > entry->next
> > > > > > > > instead of first level entry (if map to rom other than guest
> > > > > > > > memory
> > > > > > > > comes first), while in xen_invalidate_map_cache(), when VM
> > > > > > > > ballooned
> > > > > > > > out memory, qemu did not invalidate cache entries in linked
> > > > > > > > list(entry->next), so when VM balloon back in memory, gfns
> > > > > > > > probably
> > > > > > > > mapped to different mfns, thus if guest asks device to DMA to
> > > > > > > > these
> > > > > > > > GPA, qemu may DMA to stale MFNs.
> > > > > > > >
> > > > > > > > So I think in xen_invalidate_map_cache() linked lists should
> > > > > > > > also be
> > > > > > > > checked and invalidated.
> > > > > > > >
> > > > > > > > What’s your opinion? Is this a bug? Is my analyze correct?
> > > > > Yes, you are right. We need to go through the list for each element of
> > > > > the array in xen_invalidate_map_cache. Can you come up with a patch?
> > > > I spoke too soon. In the regular case there should be no locked mappings
> > > > when xen_invalidate_map_cache is called (see the DPRINTF warning at the
> > > > beginning of the functions). Without locked mappings, there should never
> > > > be more than one element in each list (see xen_map_cache_unlocked:
> > > > entry->lock == true is a necessary condition to append a new entry to
> > > > the list, otherwise it is just remapped).
> > > >
> > > > Can you confirm that what you are seeing are locked mappings
> > > > when xen_invalidate_map_cache is called? To find out, enable the DPRINTK
> > > > by turning it into a printf or by defininig MAPCACHE_DEBUG.
> > > In fact, I think the DPRINTF above is incorrect too. In
> > > pci_add_option_rom(), rtl8139 rom is locked mapped in
> > > pci_add_option_rom->memory_region_get_ram_ptr (after
> > > memory_region_init_ram). So actually I think we should remove the
> > > DPRINTF warning as it is normal.
> > Let me explain why the DPRINTF warning is there: emulated dma operations
> > can involve locked mappings. Once a dma operation completes, the related
> > mapping is unlocked and can be safely destroyed. But if we destroy a
> > locked mapping in xen_invalidate_map_cache, while a dma is still
> > ongoing, QEMU will crash. We cannot handle that case.
> >
> > However, the scenario you described is different. It has nothing to do
> > with DMA. It looks like pci_add_option_rom calls
> > memory_region_get_ram_ptr to map the rtl8139 rom. The mapping is a
> > locked mapping and it is never unlocked or destroyed.
> >
> > It looks like "ptr" is not used after pci_add_option_rom returns. Does
> > the append patch fix the problem you are seeing? For the proper fix, I
> > think we probably need some sort of memory_region_unmap wrapper or maybe
> > a call to address_space_unmap.
>
> Yes, I think so, maybe this is the proper way to fix this.
Would you be up for sending a proper patch and testing it? We cannot call
xen_invalidate_map_cache_entry directly from pci.c though, it would need
to be one of the other functions like address_space_unmap for example.
> > diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> > index e6b08e1..04f98b7 100644
> > --- a/hw/pci/pci.c
> > +++ b/hw/pci/pci.c
> > @@ -2242,6 +2242,7 @@ static void pci_add_option_rom(PCIDevice *pdev, bool
> > is_default_rom,
> > }
> > pci_register_bar(pdev, PCI_ROM_SLOT, 0, &pdev->rom);
> > + xen_invalidate_map_cache_entry(ptr);
> > }
> > static void pci_del_option_rom(PCIDevice *pdev)
[-- Attachment #2: Type: text/plain, Size: 127 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-04-12 23:51 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-09 15:52 [Qemu-devel] [RFC/BUG] xen-mapcache: buggy invalidate map cache? hrg
2017-04-09 15:52 ` hrg
2017-04-09 15:55 ` hrg
2017-04-09 15:55 ` hrg
2017-04-09 16:36 ` hrg
2017-04-09 16:36 ` hrg
2017-04-09 17:52 ` [Qemu-devel] [Xen-devel] " Alexey G
2017-04-09 17:52 ` [Qemu-devel] " Alexey G
2017-04-10 19:04 ` Stefano Stabellini
2017-04-10 19:04 ` Stefano Stabellini
2017-04-10 19:50 ` Stefano Stabellini
2017-04-10 19:50 ` Stefano Stabellini
2017-04-11 4:47 ` hrg
2017-04-11 4:47 ` hrg
2017-04-11 22:32 ` Stefano Stabellini
2017-04-11 22:32 ` Stefano Stabellini
2017-04-12 6:17 ` [Qemu-devel] [Xen-devel] " Alexey G
2017-04-12 6:17 ` [Qemu-devel] " Alexey G
2017-04-12 8:28 ` [Qemu-devel] [Xen-devel] " Herongguang (Stephen)
2017-04-12 8:28 ` [Qemu-devel] " Herongguang (Stephen)
2017-04-12 23:51 ` [Qemu-devel] [Xen-devel] " Stefano Stabellini
2017-04-12 23:51 ` [Qemu-devel] " Stefano Stabellini
2017-04-12 8:14 ` Herongguang (Stephen)
2017-04-12 8:14 ` Herongguang (Stephen)
2017-04-12 23:51 ` Stefano Stabellini [this message]
2017-04-12 23:51 ` Stefano Stabellini
2017-04-13 5:47 ` Herongguang (Stephen)
2017-04-13 5:47 ` Herongguang (Stephen)
2017-04-28 23:51 ` Stefano Stabellini
2017-04-28 23:51 ` Stefano Stabellini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.10.1704121645470.2759@sstabellini-ThinkPad-X260 \
--to=sstabellini@kernel.org \
--cc=agraf@suse.de \
--cc=anthony.perard@citrix.com \
--cc=herongguang.he@huawei.com \
--cc=hrgstephen@gmail.com \
--cc=jun.nakajima@intel.com \
--cc=qemu-devel@nongnu.org \
--cc=wangxinxin.wang@huawei.com \
--cc=xen-devel@lists.xen.org \
--cc=xen-devel@lists.xenproject.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.