From mboxrd@z Thu Jan 1 00:00:00 1970
From: Avi Kivity
Subject: Re: [RFC] KVM: x86: conditionally acquire/release slots_lock on entry/exit
Date: Mon, 14 Sep 2009 10:17:03 +0300
Message-ID: <4AADEDEF.60800@redhat.com>
References: <20090827012000.762063112@localhost.localdomain> <20090827155450.GA6312@amt.cnet> <4A96B404.5010500@redhat.com> <20090827225940.GA13571@amt.cnet> <4A977E3C.7050604@redhat.com> <20090910223003.GA658@amt.cnet> <4AAD12F9.5020601@redhat.com> <20090913162652.GF6867@linux.vnet.ibm.com> <20090913224956.GA5142@amt.cnet> <4AADCEB5.7040800@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Paul E. McKenney" , kvm@vger.kernel.org, Gleb Natapov
To: Marcelo Tosatti
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:17887 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750870AbZINHRF (ORCPT ); Mon, 14 Sep 2009 03:17:05 -0400
In-Reply-To: <4AADCEB5.7040800@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 09/14/2009 08:03 AM, Avi Kivity wrote:
>> Right it will. But this does not stop the fault path from creating
>> shadow pages with stale sp->gfn (the only way to do that would be mutual
>> exclusion AFAICS).
>
> So we put the kvm_mmu_zap_pages() call as part of the
> synchronize_srcu() callback to take advantage of the srcu guarantees.
> We know that when the callback is called all new reads see the
> new slots and all old readers have completed.

I think I see your concern - assigning sp->gfn leaks information out of the srcu critical section. Two ways out:

1) copy kvm->slots into sp->slots and use it when dropping the shadow page. Intrusive and increases shadow footprint.

1b) Instead of sp->slots, use a 1-bit generation counter. Even uglier but reduces the shadow footprint.

2) instead of removing the slot in rcu_assign_pointer(), mark it invalid. gfn_to_page() will fail on such slots but the teardown paths (like unaccount_shadow) continue to work. Once we've zapped the mmu we drop the slot completely (can do in place, no need to rcu_assign_pointer).

-- 
error compiling committee.c: too many arguments to function
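Added below is a constructed, single-threaded C model (not kernel code and not part of the thread) of the difference between removing a slot outright and option 2's "mark invalid, zap, then drop in place". The struct and function names (memslot, fault_in, unaccount_shadow, drop_slot, delete_slot_scenario) and the slot layout are assumptions; the SRCU grace period itself is not modeled, and the sequence assumes the old readers have already drained by the time the zap runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t gfn_t;

/* Constructed model of a memory slot; "invalid" is the option-2 mark. */
struct memslot {
    gfn_t base_gfn;
    unsigned long npages;
    bool invalid;
    long shadow_count;   /* shadow pages accounted against this slot */
};

#define MAX_SLOTS 4
struct memslots {
    struct memslot slots[MAX_SLOTS];
    int nslots;
};

/* A shadow page remembers only the gfn it maps, as in the thread. */
struct shadow_page {
    gfn_t gfn;
};

static struct memslot *gfn_to_memslot(struct memslots *ms, gfn_t gfn)
{
    for (int i = 0; i < ms->nslots; i++) {
        struct memslot *s = &ms->slots[i];
        if (gfn >= s->base_gfn && gfn < s->base_gfn + s->npages)
            return s;
    }
    return NULL;
}

/* Fault path: refuses to create a shadow page through a missing or invalid slot. */
static bool fault_in(struct memslots *ms, gfn_t gfn, struct shadow_page *sp)
{
    struct memslot *s = gfn_to_memslot(ms, gfn);
    if (!s || s->invalid)
        return false;
    s->shadow_count++;
    sp->gfn = gfn;
    return true;
}

/* Teardown path: looks the slot up again from the possibly stale sp->gfn. */
static bool unaccount_shadow(struct memslots *ms, const struct shadow_page *sp)
{
    struct memslot *s = gfn_to_memslot(ms, sp->gfn);
    if (!s)
        return false;   /* slot already gone: the accounting is lost */
    s->shadow_count--;
    return true;
}

/* Drop slot idx in place (the "no need to rcu_assign_pointer" step). */
static void drop_slot(struct memslots *ms, int idx)
{
    memmove(&ms->slots[idx], &ms->slots[idx + 1],
            (size_t)(ms->nslots - idx - 1) * sizeof(ms->slots[0]));
    ms->nslots--;
}

/*
 * Delete slot 0 while one shadow page still references it.
 * mark_first = false: remove the slot outright (the problem case).
 * mark_first = true:  option 2, mark invalid, zap, then drop in place.
 * Returns the number of shadow pages whose accounting could not be undone,
 * or -1 if the model itself misbehaved.
 */
int delete_slot_scenario(bool mark_first)
{
    struct memslots ms = {
        .slots = { { .base_gfn = 0, .npages = 16 }, { .base_gfn = 16, .npages = 16 } },
        .nslots = 2,
    };
    struct shadow_page sp = { 0 };
    struct shadow_page late = { 0 };
    int lost = 0;

    /* A shadow page created before the slot change; its sp->gfn is stale later. */
    if (!fault_in(&ms, 5, &sp))
        return -1;

    if (mark_first)
        ms.slots[0].invalid = true;    /* what readers see after the grace period */
    else
        drop_slot(&ms, 0);

    /* New fault-path attempts against the deleted range must fail either way. */
    if (fault_in(&ms, 5, &late))
        return -1;

    /* Zap: undo the accounting for the stale shadow page. */
    if (!unaccount_shadow(&ms, &sp))
        lost++;

    if (mark_first)
        drop_slot(&ms, 0);   /* in-place drop once the zap is done */

    return lost;
}
```

The fault path is refused in both variants, so the visible behaviour for new mappings is the same; the difference is that only the marked slot is still findable from a stale sp->gfn when unaccount_shadow runs, so the removed-outright variant loses one accounting entry while option 2 loses none.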