From: Rusty Russell <rusty@rustcorp.com.au>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: virtualization <virtualization@lists.linux-foundation.org>,
Rafael Aquini <aquini@redhat.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: RFD: virtio balloon API use (was Re: [PATCH 5 of 5] virtio: expose added descriptors immediately)
Date: Mon, 02 Jul 2012 10:35:47 +0930
Message-ID: <87d34fx990.fsf@rustcorp.com.au>
In-Reply-To: <20120701092051.GA4515@redhat.com>

On Sun, 1 Jul 2012 12:20:51 +0300, "Michael S. Tsirkin" <mst@redhat.com> wrote:
> On Thu, Nov 03, 2011 at 06:12:53PM +1030, Rusty Russell wrote:
> > A virtio driver does virtqueue_add_buf() multiple times before finally
> > calling virtqueue_kick(); previously we only exposed the added buffers
> > in the virtqueue_kick() call. This means we don't need a memory
> > barrier in virtqueue_add_buf(), but it reduces concurrency as the
> > device (ie. host) can't see the buffers until the kick.
> >
> > Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
>
> Looking at recent mm compaction patches made me look at locking
> in balloon closely. And I noticed the referenced patch (commit
> ee7cd8981e15bcb365fc762afe3fc47b8242f630 upstream) interacts strangely
> with virtio balloon; balloon currently does:
>
> static void tell_host(struct virtio_balloon *vb, struct virtqueue *vq)
> {
> 	struct scatterlist sg;
>
> 	sg_init_one(&sg, vb->pfns, sizeof(vb->pfns[0]) * vb->num_pfns);
>
> 	init_completion(&vb->acked);
>
> 	/* We should always be able to add one buffer to an empty queue. */
> 	if (virtqueue_add_buf(vq, &sg, 1, 0, vb, GFP_KERNEL) < 0)
> 		BUG();
> 	virtqueue_kick(vq);
>
> 	/* When host has read buffer, this completes via balloon_ack */
> 	wait_for_completion(&vb->acked);
> }
>
>
> While vq callback does:
>
> static void balloon_ack(struct virtqueue *vq)
> {
> 	struct virtio_balloon *vb;
> 	unsigned int len;
>
> 	vb = virtqueue_get_buf(vq, &len);
> 	if (vb)
> 		complete(&vb->acked);
> }
>
>
> So virtqueue_get_buf might now run concurrently with virtqueue_kick.
> I audited both and this seems safe in practice but I think

Good spotting!
Agreed. Because there's only add_buf, we get away with it: the add_buf
must be almost finished by the time get_buf runs because the device has
seen the buffer.

> we need to either declare this legal at the API level
> or add locking in driver.

I wonder if we should just lock in the balloon driver, rather than
document this corner case and set a bad example. Are there other
drivers which take the same shortcut?

> Further, is there a guarantee that we never get
> spurious callbacks? We currently check ring not empty
> but esp for non shared MSI this might not be needed.

Yes, I think this saves us. A spurious interrupt won't trigger
a spurious callback.

> If a spurious callback triggers, virtqueue_get_buf can run
> concurrently with virtqueue_add_buf which is known to be racy.
> Again I think this is currently safe as no spurious callbacks in
> practice but should we guarantee no spurious callbacks at the API level
> or add locking in driver?

I think we should guarantee it, but is there a hole in the current
implementation?

Thanks,
Rusty.
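
A user-space model of the window discussed in this message and of the "lock in the balloon driver" option, added here as an illustration; it is not code from the thread or from the kernel. All toy_* names are hypothetical, a pthread mutex stands in for the driver lock, and the device thread is assumed to react as soon as a buffer is exposed, before the kick has returned.

```c
#include <pthread.h>      /* POSIX: also makes <sched.h> (sched_yield) visible */
#include <stdatomic.h>

struct toy_balloon {          /* user-space model; toy_* names are hypothetical */
    pthread_mutex_t vq_lock;  /* driver-side lock (a spinlock in a real driver) */
    _Atomic(void *) exposed;  /* buffer is device-visible as soon as it is added */
    atomic_int in_submit, acked;  /* add_buf+kick running; completion stand-in */
    int use_lock, rounds, overlaps;
};

static void toy_balloon_ack(struct toy_balloon *vb)   /* the vq callback */
{
    if (vb->use_lock) pthread_mutex_lock(&vb->vq_lock);
    void *buf = atomic_exchange(&vb->exposed, NULL);  /* virtqueue_get_buf() */
    vb->overlaps += atomic_load(&vb->in_submit);      /* get_buf inside add/kick? */
    if (vb->use_lock) pthread_mutex_unlock(&vb->vq_lock);
    if (buf) atomic_store(&vb->acked, 1);             /* complete(&vb->acked) */
}

static void *toy_device(void *arg)   /* host: may consume before the kick returns */
{
    struct toy_balloon *vb = arg;
    for (int i = 0; i < vb->rounds; i++) {
        while (!atomic_load(&vb->exposed)) sched_yield();
        toy_balloon_ack(vb);
    }
    return NULL;
}

static void toy_tell_host(struct toy_balloon *vb)
{
    if (vb->use_lock) pthread_mutex_lock(&vb->vq_lock);
    atomic_store(&vb->in_submit, 1);
    atomic_store(&vb->exposed, (void *)vb);  /* add_buf exposes immediately */
    sched_yield();                           /* widen the window before kick returns */
    atomic_store(&vb->in_submit, 0);
    if (vb->use_lock) pthread_mutex_unlock(&vb->vq_lock);
    while (!atomic_exchange(&vb->acked, 0)) sched_yield();  /* wait_for_completion() */
}

int toy_run(int rounds, int use_lock)   /* returns overlaps seen, or -1 on error */
{
    struct toy_balloon vb = { .vq_lock = PTHREAD_MUTEX_INITIALIZER, .use_lock = use_lock, .rounds = rounds };
    pthread_t dev;
    if (pthread_create(&dev, NULL, toy_device, &vb)) return -1;
    for (int i = 0; i < rounds; i++) toy_tell_host(&vb);
    pthread_join(dev, NULL);
    return vb.overlaps;
}
```

With use_lock set, the callback cannot enter get_buf until the add/kick sequence has released the lock, so the overlap count is always zero; without it the count depends on scheduling.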