From: Shannon Zhao <zhaoshenglong@huawei.com>
To: Marc Zyngier <marc.zyngier@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Christoffer Dall <cdall@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org
Subject: Re: [PATCH] KVM: arm/arm64: Close VMID generation race
Date: Mon, 16 Apr 2018 18:05:44 +0800 [thread overview]
Message-ID: <5AD47578.7010103@huawei.com> (raw)
In-Reply-To: <5ACD6521.5090500@huawei.com>
On 2018/4/11 9:30, Shannon Zhao wrote:
>
> On 2018/4/10 23:37, Marc Zyngier wrote:
>> > On 10/04/18 16:24, Mark Rutland wrote:
>>> >> On Tue, Apr 10, 2018 at 05:05:40PM +0200, Christoffer Dall wrote:
>>>> >>> On Tue, Apr 10, 2018 at 11:51:19AM +0100, Mark Rutland wrote:
>>>>> >>>> I think we also need to update kvm->arch.vttbr before updating
>>>>> >>>> kvm->arch.vmid_gen, otherwise another CPU can come in, see that the
>>>>> >>>> vmid_gen is up-to-date, jump to hyp, and program a stale VTTBR (with the
>>>>> >>>> old VMID).
>>>>> >>>>
>>>>> >>>> With the smp_wmb() and update of kvm->arch.vmid_gen moved to the end of
>>>>> >>>> the critical section, I think that works, modulo using READ_ONCE() and
>>>>> >>>> WRITE_ONCE() to ensure single-copy-atomicity of the fields we access
>>>>> >>>> locklessly.
>>>> >>>
>>>> >>> Indeed, you're right. I would look something like this, then:
>>>> >>>
>>>> >>> diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c
>>>> >>> index 2e43f9d42bd5..6cb08995e7ff 100644
>>>> >>> --- a/virt/kvm/arm/arm.c
>>>> >>> +++ b/virt/kvm/arm/arm.c
>>>> >>> @@ -450,7 +450,9 @@ void force_vm_exit(const cpumask_t *mask)
>>>> >>> */
>>>> >>> static bool need_new_vmid_gen(struct kvm *kvm)
>>>> >>> {
>>>> >>> - return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
>>>> >>> + u64 current_vmid_gen = atomic64_read(&kvm_vmid_gen);
>>>> >>> + smp_rmb(); /* Orders read of kvm_vmid_gen and kvm->arch.vmid */
>>>> >>> + return unlikely(READ_ONCE(kvm->arch.vmid_gen) != current_vmid_gen);
>>>> >>> }
>>>> >>>
>>>> >>> /**
>>>> >>> @@ -500,7 +502,6 @@ static void update_vttbr(struct kvm *kvm)
>>>> >>> kvm_call_hyp(__kvm_flush_vm_context);
>>>> >>> }
>>>> >>>
>>>> >>> - kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
>>>> >>> kvm->arch.vmid = kvm_next_vmid;
>>>> >>> kvm_next_vmid++;
>>>> >>> kvm_next_vmid &= (1 << kvm_vmid_bits) - 1;
>>>> >>> @@ -509,7 +510,10 @@ static void update_vttbr(struct kvm *kvm)
>>>> >>> pgd_phys = virt_to_phys(kvm->arch.pgd);
>>>> >>> BUG_ON(pgd_phys & ~VTTBR_BADDR_MASK);
>>>> >>> vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits);
>>>> >>> - kvm->arch.vttbr = pgd_phys | vmid;
>>>> >>> + WRITE_ONCE(kvm->arch.vttbr, pgd_phys | vmid);
>>>> >>> +
>>>> >>> + smp_wmb(); /* Ensure vttbr update is observed before vmid_gen update */
>>>> >>> + kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
>>>> >>>
>>>> >>> spin_unlock(&kvm_vmid_lock);
>>>> >>> }
>>> >>
>>> >> I think that's right, yes.
>>> >>
>>> >> We could replace the smp_{r,w}mb() barriers with an acquire of the
>>> >> kvm_vmid_gen and a release of kvm->arch.vmid_gen, but if we're really
>>> >> trying to optimize things there are larger algorithmic changes necessary
>>> >> anyhow.
>>> >>
>>>> >>> It's probably easier to convince ourselves about the correctness of
>>>> >>> Marc's code using a rwlock instead, though. Thoughts?
>>> >>
>>> >> I believe that Marc's preference was the rwlock; I have no preference
>>> >> either way.
>> >
>> > I don't mind either way. If you can be bothered to write a proper commit
>> > log for this, I'll take it. What I'd really want is Shannon to indicate
>> > whether or not this solves the issue he was seeing.
>> >
> I'll test Marc's patch. This will take about 3 days since it's not 100%
> reproducible.
Hi Marc,
I've run the test for about 4 days. The issue doesn't appear.
So Tested-by: Shannon Zhao <zhaoshenglong@huawei.com>
Thanks,
--
Shannon
WARNING: multiple messages have this Message-ID (diff)
From: zhaoshenglong@huawei.com (Shannon Zhao)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] KVM: arm/arm64: Close VMID generation race
Date: Mon, 16 Apr 2018 18:05:44 +0800 [thread overview]
Message-ID: <5AD47578.7010103@huawei.com> (raw)
In-Reply-To: <5ACD6521.5090500@huawei.com>
On 2018/4/11 9:30, Shannon Zhao wrote:
>
> On 2018/4/10 23:37, Marc Zyngier wrote:
>> > On 10/04/18 16:24, Mark Rutland wrote:
>>> >> On Tue, Apr 10, 2018 at 05:05:40PM +0200, Christoffer Dall wrote:
>>>> >>> On Tue, Apr 10, 2018 at 11:51:19AM +0100, Mark Rutland wrote:
>>>>> >>>> I think we also need to update kvm->arch.vttbr before updating
>>>>> >>>> kvm->arch.vmid_gen, otherwise another CPU can come in, see that the
>>>>> >>>> vmid_gen is up-to-date, jump to hyp, and program a stale VTTBR (with the
>>>>> >>>> old VMID).
>>>>> >>>>
>>>>> >>>> With the smp_wmb() and update of kvm->arch.vmid_gen moved to the end of
>>>>> >>>> the critical section, I think that works, modulo using READ_ONCE() and
>>>>> >>>> WRITE_ONCE() to ensure single-copy-atomicity of the fields we access
>>>>> >>>> locklessly.
>>>> >>>
>>>> >>> Indeed, you're right. I would look something like this, then:
>>>> >>>
>>>> >>> diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c
>>>> >>> index 2e43f9d42bd5..6cb08995e7ff 100644
>>>> >>> --- a/virt/kvm/arm/arm.c
>>>> >>> +++ b/virt/kvm/arm/arm.c
>>>> >>> @@ -450,7 +450,9 @@ void force_vm_exit(const cpumask_t *mask)
>>>> >>> */
>>>> >>> static bool need_new_vmid_gen(struct kvm *kvm)
>>>> >>> {
>>>> >>> - return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
>>>> >>> + u64 current_vmid_gen = atomic64_read(&kvm_vmid_gen);
>>>> >>> + smp_rmb(); /* Orders read of kvm_vmid_gen and kvm->arch.vmid */
>>>> >>> + return unlikely(READ_ONCE(kvm->arch.vmid_gen) != current_vmid_gen);
>>>> >>> }
>>>> >>>
>>>> >>> /**
>>>> >>> @@ -500,7 +502,6 @@ static void update_vttbr(struct kvm *kvm)
>>>> >>> kvm_call_hyp(__kvm_flush_vm_context);
>>>> >>> }
>>>> >>>
>>>> >>> - kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
>>>> >>> kvm->arch.vmid = kvm_next_vmid;
>>>> >>> kvm_next_vmid++;
>>>> >>> kvm_next_vmid &= (1 << kvm_vmid_bits) - 1;
>>>> >>> @@ -509,7 +510,10 @@ static void update_vttbr(struct kvm *kvm)
>>>> >>> pgd_phys = virt_to_phys(kvm->arch.pgd);
>>>> >>> BUG_ON(pgd_phys & ~VTTBR_BADDR_MASK);
>>>> >>> vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits);
>>>> >>> - kvm->arch.vttbr = pgd_phys | vmid;
>>>> >>> + WRITE_ONCE(kvm->arch.vttbr, pgd_phys | vmid);
>>>> >>> +
>>>> >>> + smp_wmb(); /* Ensure vttbr update is observed before vmid_gen update */
>>>> >>> + kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
>>>> >>>
>>>> >>> spin_unlock(&kvm_vmid_lock);
>>>> >>> }
>>> >>
>>> >> I think that's right, yes.
>>> >>
>>> >> We could replace the smp_{r,w}mb() barriers with an acquire of the
>>> >> kvm_vmid_gen and a release of kvm->arch.vmid_gen, but if we're really
>>> >> trying to optimize things there are larger algorithmic changes necessary
>>> >> anyhow.
>>> >>
>>>> >>> It's probably easier to convince ourselves about the correctness of
>>>> >>> Marc's code using a rwlock instead, though. Thoughts?
>>> >>
>>> >> I believe that Marc's preference was the rwlock; I have no preference
>>> >> either way.
>> >
>> > I don't mind either way. If you can be bothered to write a proper commit
>> > log for this, I'll take it. What I'd really want is Shannon to indicate
>> > whether or not this solves the issue he was seeing.
>> >
> I'll test Marc's patch. This will take about 3 days since it's not 100%
> reproducible.
Hi Marc,
I've run the test for about 4 days. The issue doesn't appear.
So Tested-by: Shannon Zhao <zhaoshenglong@huawei.com>
Thanks,
--
Shannon
next prev parent reply other threads:[~2018-04-16 10:05 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-09 17:07 [PATCH] KVM: arm/arm64: Close VMID generation race Marc Zyngier
2018-04-09 17:07 ` Marc Zyngier
2018-04-09 20:51 ` Christoffer Dall
2018-04-09 20:51 ` Christoffer Dall
2018-04-10 10:51 ` Mark Rutland
2018-04-10 10:51 ` Mark Rutland
2018-04-10 15:05 ` Christoffer Dall
2018-04-10 15:05 ` Christoffer Dall
2018-04-10 15:24 ` Mark Rutland
2018-04-10 15:24 ` Mark Rutland
2018-04-10 15:35 ` Christoffer Dall
2018-04-10 15:35 ` Christoffer Dall
2018-04-10 15:37 ` Marc Zyngier
2018-04-10 15:37 ` Marc Zyngier
2018-04-10 15:48 ` Christoffer Dall
2018-04-10 15:48 ` Christoffer Dall
2018-04-11 1:30 ` Shannon Zhao
2018-04-11 1:30 ` Shannon Zhao
2018-04-16 10:05 ` Shannon Zhao [this message]
2018-04-16 10:05 ` Shannon Zhao
2018-04-16 10:20 ` Marc Zyngier
2018-04-16 10:20 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5AD47578.7010103@huawei.com \
--to=zhaoshenglong@huawei.com \
--cc=cdall@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.