From: Jeremy Fitzhardinge <jeremy@goop.org>
To: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux Memory Management List <linux-mm@kvack.org>,
the arch/x86 maintainers <x86@kernel.org>,
Arjan van de Ven <arjan@linux.intel.com>
Subject: Re: [PATCH RFC] vm_unmap_aliases: allow callers to inhibit TLB flush
Date: Thu, 19 Feb 2009 11:11:32 -0800 [thread overview]
Message-ID: <499DAEE4.8010507@goop.org> (raw)
In-Reply-To: <200902200441.08541.nickpiggin@yahoo.com.au>
Nick Piggin wrote:
> Then what is the point of the vm_unmap_aliases? If you are doing it
> for security it won't work because other CPUs might still be able
> to write through dangling TLBs. If you are not doing it for
> security then it does not need to be done at all.
>
Xen will make sure any danging tlb entries are flushed before handing
the page out to anyone else.
> Unless it is something strange that Xen does with the page table
> structure and you just need to get rid of those?
>
Yeah. A pte pointing at a page holds a reference on it, saying that it
belongs to the domain. You can't return it to Xen until the refcount is 0.
>> (Xen does something like this internally to either defer or avoid many
>> expensive tlb operations.)
>>
>>
>>>> For Xen dom0, when someone does something like dma_alloc_coherent, we
>>>> allocate the memory as normal, and then swizzle the underlying physical
>>>> pages to be machine physically contiguous (vs contiguous pseudo-physical
>>>> guest memory), and within the addressable range for the device. In
>>>> order to do that, we need to make sure the pages are only mapped by the
>>>> linear mapping, and there are no other aliases.
>>>>
>>> These are just stale aliases that will no longer be operated on
>>> unless there is a kernel bug -- so can you just live with them,
>>> or is it a security issue of memory access escaping its domain?
>>>
>> The underlying physical page is being exchanged, so the old page is
>> being returned to Xen's free page pool. It will refuse to do the
>> exchange if the guest still has pagetable references to the page.
>>
>
> But it refuses to do this because it is worried about dangling TLBs?
> Or some implementation detail that can't handle the page table
> entries?
>
Right. The actual pte pointing at the page hold the reference. We need
to drop all the references before doing the exchange.
> Hmm. Let's just try to establish that it is really required first.
>
Well, its desireable anyway. The using IPI for any kind of tlb flushing
is pretty pessimal under Xen (or any virtual environment); Xen has a
much better idea about which real cpus have stale tlb state for which vcpus.
> Or... what if we just allow a compile and/or boot time flag to direct
> that it does not want lazy vmap unmapping and it will just revert to
> synchronous unmapping? If Xen needs lots of flushing anyway it might
> not be a win anyway.
>
That may be worth considering.
J
WARNING: multiple messages have this Message-ID (diff)
From: Jeremy Fitzhardinge <jeremy@goop.org>
To: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux Memory Management List <linux-mm@kvack.org>,
the arch/x86 maintainers <x86@kernel.org>,
Arjan van de Ven <arjan@linux.intel.com>
Subject: Re: [PATCH RFC] vm_unmap_aliases: allow callers to inhibit TLB flush
Date: Thu, 19 Feb 2009 11:11:32 -0800 [thread overview]
Message-ID: <499DAEE4.8010507@goop.org> (raw)
In-Reply-To: <200902200441.08541.nickpiggin@yahoo.com.au>
Nick Piggin wrote:
> Then what is the point of the vm_unmap_aliases? If you are doing it
> for security it won't work because other CPUs might still be able
> to write through dangling TLBs. If you are not doing it for
> security then it does not need to be done at all.
>
Xen will make sure any danging tlb entries are flushed before handing
the page out to anyone else.
> Unless it is something strange that Xen does with the page table
> structure and you just need to get rid of those?
>
Yeah. A pte pointing at a page holds a reference on it, saying that it
belongs to the domain. You can't return it to Xen until the refcount is 0.
>> (Xen does something like this internally to either defer or avoid many
>> expensive tlb operations.)
>>
>>
>>>> For Xen dom0, when someone does something like dma_alloc_coherent, we
>>>> allocate the memory as normal, and then swizzle the underlying physical
>>>> pages to be machine physically contiguous (vs contiguous pseudo-physical
>>>> guest memory), and within the addressable range for the device. In
>>>> order to do that, we need to make sure the pages are only mapped by the
>>>> linear mapping, and there are no other aliases.
>>>>
>>> These are just stale aliases that will no longer be operated on
>>> unless there is a kernel bug -- so can you just live with them,
>>> or is it a security issue of memory access escaping its domain?
>>>
>> The underlying physical page is being exchanged, so the old page is
>> being returned to Xen's free page pool. It will refuse to do the
>> exchange if the guest still has pagetable references to the page.
>>
>
> But it refuses to do this because it is worried about dangling TLBs?
> Or some implementation detail that can't handle the page table
> entries?
>
Right. The actual pte pointing at the page hold the reference. We need
to drop all the references before doing the exchange.
> Hmm. Let's just try to establish that it is really required first.
>
Well, its desireable anyway. The using IPI for any kind of tlb flushing
is pretty pessimal under Xen (or any virtual environment); Xen has a
much better idea about which real cpus have stale tlb state for which vcpus.
> Or... what if we just allow a compile and/or boot time flag to direct
> that it does not want lazy vmap unmapping and it will just revert to
> synchronous unmapping? If Xen needs lots of flushing anyway it might
> not be a win anyway.
>
That may be worth considering.
J
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2009-02-19 19:11 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-11 19:05 [PATCH RFC] vm_unmap_aliases: allow callers to inhibit TLB flush Jeremy Fitzhardinge
2007-07-24 0:52 ` Nick Piggin
2008-12-12 1:59 ` Jeremy Fitzhardinge
2007-07-24 1:40 ` Nick Piggin
2008-12-16 1:28 ` Jeremy Fitzhardinge
2008-12-16 1:28 ` Jeremy Fitzhardinge
2008-12-30 3:42 ` Nick Piggin
2008-12-30 3:42 ` Nick Piggin
2008-12-30 11:27 ` Jeremy Fitzhardinge
2008-12-30 11:27 ` Jeremy Fitzhardinge
2009-02-17 21:57 ` Jeremy Fitzhardinge
2009-02-17 21:57 ` Jeremy Fitzhardinge
2009-02-19 11:54 ` Nick Piggin
2009-02-19 11:54 ` Nick Piggin
2009-02-19 17:02 ` Jeremy Fitzhardinge
2009-02-19 17:02 ` Jeremy Fitzhardinge
2009-02-19 17:41 ` Nick Piggin
2009-02-19 17:41 ` Nick Piggin
2009-02-19 19:11 ` Jeremy Fitzhardinge [this message]
2009-02-19 19:11 ` Jeremy Fitzhardinge
2009-02-23 4:14 ` Nick Piggin
2009-02-23 4:14 ` Nick Piggin
2009-02-23 7:30 ` Jeremy Fitzhardinge
2009-02-23 7:30 ` Jeremy Fitzhardinge
2009-02-23 9:13 ` Nick Piggin
2009-02-23 9:13 ` Nick Piggin
2009-02-23 19:27 ` Jeremy Fitzhardinge
2009-02-23 19:27 ` Jeremy Fitzhardinge
2009-02-24 12:23 ` Nick Piggin
2009-02-24 12:23 ` Nick Piggin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499DAEE4.8010507@goop.org \
--to=jeremy@goop.org \
--cc=akpm@linux-foundation.org \
--cc=arjan@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=nickpiggin@yahoo.com.au \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.