From: Oliver Upton <oliver.upton@linux.dev>
To: Marc Zyngier <maz@kernel.org>
Cc: kvmarm@lists.linux.dev, kvm@vger.kernel.org,
James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 19/23] KVM: selftests: Add a minimal library for interacting with an ITS
Date: Wed, 14 Feb 2024 12:55:11 -0800 [thread overview]
Message-ID: <Zc0orzU-CeKEyx3j@linux.dev> (raw)
In-Reply-To: <86v86q4xkf.wl-maz@kernel.org>
On Wed, Feb 14, 2024 at 08:09:52PM +0000, Marc Zyngier wrote:
> > If the order of restore from userspace is CBASER, CWRITER, CREADR then
> > we **wind up replaying the entire command queue**. While insane, I'm
> > pretty sure it is legal for the guest to write garbage after the read
> > pointer has moved past a particular command index.
> >
> > Fsck!!!
>
> This is documented Documentation/virt/kvm/devices/arm-vgic-its.rst to
> some extent, and it is allowed for the guest to crap itself on behalf
> of userspace if the ordering isn't respected.
Ah, fair, I missed the documentation here. If we require userspace to
write CTLR last then we _should_ be fine, but damn is this a tricky set
of expectations.
> > So, how about we do this:
> >
> > - Provide a uaccess hook for CWRITER that changes the write-pointer
> > without processing any commands
> >
> > - Assert an invariant that at any time CWRITER or CREADR are read from
> > userspace that CREADR == CWRITER. Fail the ioctl and scream if that
> > isn't the case, so that way we never need to worry about processing
> > 'in-flight' commands at the destination.
>
> Are we guaranteed that we cannot ever see CWRITER != CREADR at VM
> dumping time? I'm not convinced that we cannot preempt the vcpu thread
> at the right spot, specially given that you can have an arbitrary
> large batch of commands to execute.
>
> Just add a page-fault to the mix, and a signal pending. Pronto, you
> see a guest exit and you should be able to start dumping things
> without the ITS having processed much. I haven't tried, but that
> doesn't seem totally unlikely.
Well, we would need to run all userspace reads and writes through the
cmd_lock in this case, which is what we already do for the CREADR
uaccess hook. To me the 'racy' queue accessors only make sense for guest
accesses, since the driver is expecting to poll for completion in that
case.
Otherwise we decide the existing rules for restoring the ITS are fine
and I get to keep my funky driver :)
--
Thanks,
Oliver
next prev parent reply other threads:[~2024-02-14 20:55 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-13 9:32 [PATCH v2 00/23] KVM: arm64: Improvements to LPI injection Oliver Upton
2024-02-13 9:32 ` [PATCH v2 01/23] KVM: arm64: Add tracepoints + stats for LPI cache effectiveness Oliver Upton
2024-02-14 15:55 ` Marc Zyngier
2024-02-13 9:32 ` [PATCH v2 02/23] KVM: arm64: vgic: Store LPIs in an xarray Oliver Upton
2024-02-13 21:52 ` Oliver Upton
2024-02-13 9:32 ` [PATCH v2 03/23] KVM: arm64: vgic: Use xarray to find LPI in vgic_get_lpi() Oliver Upton
2024-02-13 9:32 ` [PATCH v2 04/23] KVM: arm64: vgic-v3: Iterate the xarray to find pending LPIs Oliver Upton
2024-02-13 9:32 ` [PATCH v2 05/23] KVM: arm64: vgic-its: Walk the LPI xarray in vgic_copy_lpi_list() Oliver Upton
2024-02-13 9:32 ` [PATCH v2 06/23] KVM: arm64: vgic: Get rid of the LPI linked-list Oliver Upton
2024-02-13 9:32 ` [PATCH v2 07/23] KVM: arm64: vgic: Use atomics to count LPIs Oliver Upton
2024-02-14 16:47 ` Marc Zyngier
2024-02-14 18:32 ` Oliver Upton
2024-02-14 20:01 ` Marc Zyngier
2024-02-14 23:01 ` Oliver Upton
2024-02-15 9:44 ` Marc Zyngier
2024-02-13 9:32 ` [PATCH v2 08/23] KVM: arm64: vgic: Free LPI vgic_irq structs in an RCU-safe manner Oliver Upton
2024-02-13 9:32 ` [PATCH v2 09/23] KVM: arm64: vgic: Rely on RCU protection in vgic_get_lpi() Oliver Upton
2024-02-13 9:32 ` [PATCH v2 10/23] KVM: arm64: vgic: Ensure the irq refcount is nonzero when taking a ref Oliver Upton
2024-02-13 9:32 ` [PATCH v2 11/23] KVM: arm64: vgic: Don't acquire the lpi_list_lock in vgic_put_irq() Oliver Upton
2024-02-13 9:32 ` [PATCH v2 12/23] KVM: arm64: vgic-its: Lazily allocate LPI translation cache Oliver Upton
2024-02-13 9:32 ` [PATCH v2 13/23] KVM: arm64: vgic-its: Pick cache victim based on usage count Oliver Upton
2024-02-13 9:37 ` [PATCH v2 14/23] KVM: arm64: vgic-its: Protect cached vgic_irq pointers with RCU Oliver Upton
2024-02-13 9:39 ` [PATCH v2 15/23] KVM: arm64: vgic-its: Treat the LPI translation cache as an rculist Oliver Upton
2024-02-13 9:40 ` [PATCH v2 16/23] KVM: arm64: vgic-its: Rely on RCU to protect translation cache reads Oliver Upton
2024-02-13 9:40 ` [PATCH v2 17/23] KVM: selftests: Align with kernel's GIC definitions Oliver Upton
2024-02-13 9:40 ` [PATCH v2 18/23] KVM: selftests: Standardise layout of GIC frames Oliver Upton
2024-02-13 9:41 ` [PATCH v2 19/23] KVM: selftests: Add a minimal library for interacting with an ITS Oliver Upton
2024-02-14 17:32 ` Marc Zyngier
2024-02-14 19:00 ` Oliver Upton
2024-02-14 20:09 ` Marc Zyngier
2024-02-14 20:55 ` Oliver Upton [this message]
2024-02-14 21:06 ` Oliver Upton
2024-02-13 9:41 ` [PATCH v2 20/23] KVM: selftests: Add helper for enabling LPIs on a redistributor Oliver Upton
2024-02-13 9:42 ` [PATCH v2 21/23] KVM: selftests: Use MPIDR_HWID_BITMASK from cputype.h Oliver Upton
2024-02-13 9:43 ` [PATCH v2 22/23] KVM: selftests: Hack in support for aligned page allocations Oliver Upton
2024-02-13 9:43 ` [PATCH v2 23/23] KVM: selftests: Add stress test for LPI injection Oliver Upton
2024-02-13 20:12 ` [PATCH v2 00/23] KVM: arm64: Improvements to " Oliver Upton
2024-02-14 17:43 ` Marc Zyngier
2024-02-14 18:40 ` Oliver Upton
2024-02-15 15:37 ` Marc Zyngier
2024-02-15 20:15 ` Oliver Upton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zc0orzU-CeKEyx3j@linux.dev \
--to=oliver.upton@linux.dev \
--cc=james.morse@arm.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).