[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v4] altp2m: Allow the hostp2m entries to be of type p2m_ram_shared

On Thu, May 26, 2016 at 5:17 PM, Tamas K Lengyel <tamas@xxxxxxxxxxxxx> wrote:
>
> On May 26, 2016 04:40, "George Dunlap" <george.dunlap@xxxxxxxxxx> wrote:
>>
>> On 26/05/16 04:55, Tamas K Lengyel wrote:
>> > Move sharing locks above altp2m to avoid locking order violation. Allow
>> > applying altp2m mem_access settings when the hostp2m entries are shared.
>> > Also, do not trigger PoD for hostp2m when setting altp2m mem_access to
>> > be
>> > in-line with non-altp2m mem_access path. Also allow gfn remapping with
>> > p2m_ram_shared type gfns in altp2m views.
>> >
>> > When using mem_sharing in combination with altp2m, unsharing events
>> > overwrite
>> > altp2m entries with that of the hostp2m (both remapped entries and
>> > mem_access
>> > settings). User should take precaution to not share pages where this
>> > behavior
>> > is undesired.
>>
>> I'm afraid this is not acceptable.  How could this ever be even remotely
>> usable?  If this is a necessary side effect of sharing, then I think the
>> original functionality, of un-sharing when setting an altp2m entry is
>> the only option (and not allowing sharing to happen when an altp2m is
>> present for a particular gfn).
>>
>> Hmm, but actually this also brings up another tricky point: In an altp2m
>> you can change the mfn which backs a gfn.  This would need to be handled
>> properly in the reverse map, which it doesn't look like it is at the
>> moment.
>>
>> On the whole, I think if you're going to allow a single gfn to be
>> simultaneously shared and allow an altp2m for it, you're going to need
>> to do a lot more work.
>>
>> (Sorry for not catching a lot of this before...)
>>
>
> Well this patch resolves the locking order violation and allows the
> xen-access tool's altp2m tests to pass, so it does improve on the current
> situation which is a hypervisor crash. To help with the override issue the
> user can apply W mem_access permission on the shared hostp2m entries. That
> way they get notification through vm_event of the event that leads to
> unsharing and can then reapply the altp2m changes. So IMHO this patch is
> already quite workable and while it requires more setup from the userside,
> the VMM side is OK with this change.

So correct me if I'm wrong here.

The altp2m stuff was primarily designed for guest operating systems to
be able to make alternate "views" of their own P2M.  When enabled,
extra p2ms are allocated which allow a VM to remap a gfn to point to
the gfn of an mfn in its own address space.

For example, suppose domain 1 host p2m gfns A, B, and C point to mA,
mB, and mC respectively.  The guest can create an altp2m a1 such that
gfns O, P, and Q also point to mA, mB, and mC.  The guest can also
register to receive #VE for violations of an altp2m which are not
violations under the hostp2m.

mem sharing allows a process in domain 0 (or some other privileged
domain) to nominate two gfns in different domains to be shared; say,
domain 1 gfn A and domain 2 gfn X (d1gA and d2gX, respectively).  This
works by first "nominating" the respective gfns, then sharing them.
"Nominating" a gfn tells the sharing infrastructure to start tracking
mappings of that page in a reverse map; after nomination mA's page
structure will point to d1gA, and mX's page structure will point to
d2gX.  At that point they can be "shared", at which point (for
example) both d1gA and d2gX will point to mA, and mA's reverse map
will contain d1gA and d2gX.

However, the mem sharing code has no visibility into altp2ms.  There
are two cases we need to consider: the sharing of a gfn for which
there is another gfn in an altp2m pointing to it (as in the case of
domain 1 gfn A above -- both hostp2m gfn A and alt2m gfn O point to
mA), and the sharing of a gfn for which there is an altp2m if that gfn
pointing to a different gfn (as in the case of domain 1 gfn O above --
hostp2m gfn O points to mO, altp2m gfn O points to mA).  Then we also
have to consider the order in which things happen: altp2m then
sharing, sharing then altp2m.

Let's first consider the case of domain 1 gfn A being shared.  At the
moment, if the situation described above happens in that order (altp2m
set up first, then sharing) then the page nomination of d1gA will most
likely fail because the refcount on mA will be one more than expected.
If it happened in the reverse order (sharing set up first, then
altp2m), then setting the altp2m would unshare d1gA.  Both should be
safe.

Now what happens if we accept your patch as-is?  It looks like altp2m
first then sharing will behave the same way -- the refcount will be
too high, so the nomination will fail.  But if you share first and
then set the altp2m, then the altp2m gfn O will have a reference to mA
that isn't in your reverse map.  If you get an unshare on domain 1
altp2m gfn O, it looks to me like you'll get an unshare on *hostp2m*
gfn O, which points to mO, which is *not* shared -- at which point it
looks like you'll BUG().  If you get an unshare on domain 1 gfn A, it
looks to me like you'll get a new page, mN, at gfn A, but that altp2m
gfn O will still still point to mA -- effectively breaking whatever
the guest meant to be doing when it was using the altp2ms.

I could go on in the analysis, but the point is that there's a morass
of interactions here all of which need to be correct, which this patch
does not address.  You have a long way to go before sharing and altp2m
can be safely used on the same gfn ranges.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.