[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3] xen: introduce VCPUOP_register_runstate_phys_memory_area hypercall

To: Jan Beulich <JBeulich@xxxxxxxx>, andrii.anisov@xxxxxxxxx
From: Julien Grall <julien.grall@xxxxxxx>
Date: Mon, 10 Jun 2019 12:44:22 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "andrii_anisov@xxxxxxxx" <andrii_anisov@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>
Delivery-date: Mon, 10 Jun 2019 11:44:36 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Jan,

On 07/06/2019 15:23, Jan Beulich wrote:

On 24.05.19 at 20:12, <andrii.anisov@xxxxxxxxx> wrote:

From: Andrii Anisov <andrii_anisov@xxxxxxxx>

Existing interface to register runstate are with its virtual address
is prone to issues which became more obvious with KPTI enablement in
guests. The nature of those issues is the fact that the guest could
be interrupted by the hypervisor at any time, and there is no guarantee
to have the registered virtual address translated with the currently
available guest's page tables. Before the KPTI such a situation was
possible in case the guest is caught in the middle of PT processing
(e.g. superpage shattering). With the KPTI this happens also when the
guest runs userspace, so has a pretty high probability.


Except when there's no need for KPTI in the guest in the first place,
as is the case for x86-64 PV guests. I think this is worthwhile clarifying.

I am not sure what is your point here. At least on Arm, using virtual address isnot safe at all (whether KPTI is used or not). A guest can genuinely decides toshatter the mapping where the virtual address is. On Arm, this require to usethe break-before-make sequence. It means the translation VA -> PA may fail isyou happen to do it while the guest is using the sequence.

Some of the intermittent issues I have seen on the Arndale in the past [1] mightbe related to using virtual address. I am not 100% sure because even if thedebug, the error does not make sense. But this is the most plausible reason forthe failure.

I want to discuss this in part of the bigger attempt to rework the hypercall ABIduring Xen Summit in July.


[...]

@@ -35,8 +37,16 @@ arch_compat_vcpu_op(
               !compat_handle_okay(area.addr.h, 1) )
              break;
+ while( xchg(&v->runstate_in_use, 1) == 0);


At the very least such loops want a cpu_relax() in their bodies.
But this being on a hypercall path - are there theoretical guarantees
that a guest can't abuse this to lock up a CPU?

Hmmm, I suggested this but it looks like a guest may call the hypercall multipletime from different vCPU. So this could be a way to delay work on the CPU.

I wanted to make the context switch mostly lockless and therefore avoiding tointroduce a spinlock.


[1] https://lists.xen.org/archives/html/xen-devel/2017-11/msg00942.html

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v3] xen: introduce VCPUOP_register_runstate_phys_memory_area hypercall
  - From: Jan Beulich

References:
- Re: [Xen-devel] [PATCH v3] xen: introduce VCPUOP_register_runstate_phys_memory_area hypercall
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH v2] xen/arm: irq: Don't use _IRQ_PENDING when handling host interrupt
Next by Date: [Xen-devel] [xen-4.12-testing test] 137475: regressions - FAIL
Previous by thread: Re: [Xen-devel] [PATCH v3] xen: introduce VCPUOP_register_runstate_phys_memory_area hypercall
Next by thread: Re: [Xen-devel] [PATCH v3] xen: introduce VCPUOP_register_runstate_phys_memory_area hypercall
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.