From: Janosch Frank <frankja@linux.vnet.ibm.com>
To: David Hildenbrand <david@redhat.com>, kvm@vger.kernel.org
Cc: schwidefsky@de.ibm.com, borntraeger@de.ibm.com,
dominik.dingel@gmail.com, linux-s390@vger.kernel.org
Subject: Re: [RFC/PATCH v2 19/22] s390/mm: Split huge pages if granular protection is needed
Date: Thu, 25 Jan 2018 15:55:24 +0100 [thread overview]
Message-ID: <46412d0c-622c-44a3-dff3-48fd6b3ce3ac@linux.vnet.ibm.com> (raw)
In-Reply-To: <c3eb3a5f-fbd7-6581-c88e-cace39bdfbcb@redhat.com>
[-- Attachment #1.1: Type: text/plain, Size: 4446 bytes --]
On 25.01.2018 15:39, David Hildenbrand wrote:
> On 25.01.2018 08:16, Janosch Frank wrote:
>> On 13.12.2017 13:53, Janosch Frank wrote:
>>> A guest can put DAT tables for a lower level guest in the same huge
>>> segment as one of its prefixes or a g3 page. This would make it
>>> necessary for the segment to be unprotected (because of the prefix)
>>> and protected (because of the shadowing) at the same time. This is not
>>> possible in this universe.
>>>
>>> Hence we split the affected huge segment, so we can protect on a
>>> per-page basis. Such gmap segments are special and get a new software
>>> bit, that helps us handling this edge case.
>>>
>>> Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
>>> ---
>>> arch/s390/include/asm/gmap.h | 13 ++
>>> arch/s390/include/asm/pgtable.h | 7 +-
>>> arch/s390/mm/fault.c | 10 +-
>>> arch/s390/mm/gmap.c | 256 ++++++++++++++++++++++++++++++++++++----
>>> arch/s390/mm/pgtable.c | 51 ++++++++
>>> 5 files changed, 313 insertions(+), 24 deletions(-)
>>
>>> @@ -1081,20 +1189,27 @@ static int gmap_protect_range(struct gmap *gmap, unsigned long gaddr,
>>> spinlock_t *ptl;
>>> unsigned long vmaddr, dist;
>>> pmd_t *pmdp, *hpmdp;
>>> - int rc;
>>> + int rc = 0;
>>>
>>> while (len) {
>>> rc = -EAGAIN;
>>> vmaddr = __gmap_translate(gmap, gaddr);
>>> hpmdp = (pmd_t *)huge_pte_offset(gmap->mm, vmaddr, HPAGE_SIZE);
>>> + if (!hpmdp)
>>> + BUG();
>>> /* Do we need tests here? */
>>> ptl = pmd_lock(gmap->mm, hpmdp);
>>>
>>> pmdp = gmap_pmd_op_walk(gmap, gaddr);
>>> if (pmdp) {
>>> if (!pmd_large(*pmdp)) {
>>> - rc = gmap_protect_pte(gmap, gaddr, pmdp, prot,
>>> - bits);
>>> + if (gmap_pmd_is_split(pmdp) &&
>>> + (bits & GMAP_NOTIFY_MPROT)) {
>>> + pmd_val(*pmdp) |= _SEGMENT_ENTRY_GMAP_IN;
>>> + }
>>
>> @David:
>> This currently breaks my brain. There *was* a reason why I put this
>> there and I was quite insistent that we needed it. Something about
>> notification areas on splits, but I absolutely can't remember it. Sigh,
>> should've made a comment.
>>
>> This might be a leftover from earlier versions, but could also keep us
>> from doing mprot notification on pte's.
>>
>
> This is indeed confusing.
>
> Somebody wants to protect are certain memory (e.g. PREFIX) and get
> notified on changes to this subpart.
>
> We have a split pmd
> -> we have huge pages in our user process tables
> -> we have 4k pages in our GMAP tables
>
> Now, we protect a subpart of this huge page via PTEs. My assumption is,
> that your "mirroring code" might reduce access rights to the PMD in the
> user process tables.
Yes, it does at the end of gmap_protect_pte
>
> So e.g. via user space tables -> 1MB write protected
> Via GMAP: only 8K write protected
Yes and if userspace touches the pmd, we end up in pmdp_notify which
will call notify split and do pte notification.
>
>
> In addition, you are setting the _SEGMENT_ENTRY_GMAP_IN on the GMAP PMD.
> This means, that the pmdp_notify_gmap() calls all notifiers
> (gmap_call_notifier) in case the whole PMD is changed (e.g. by write
> protecting for migration)
>
> So if we get a gmap_pmdp_xchg(), we would see _SEGMENT_ENTRY_GMAP_IN and
> trigger a notification. The PTEs remain unchecked (bad!).
Split pmds have own handling functions for setting and clearing RO which
work on pte bases.
ptep_remove_dirty_protection_split
test_and_clear_guest_dirty_split
ptep_notify_gmap
>
>
> Now, If I understand this correctly, what you would have to do:
>
> gmap_pmdp_xchg() (or rather pmdp_notify_gmap()) has to check whether it
> is a real huge page or a split pmd. If split, it has to call the PTE
> invalidators of the page table accordingly.
If I didn't just confuse myself completely, we don't need that. We never
call xchg on a split pmd, except for setting up the split and
pmdp_notify_gmap is never called on a split pmd either as it's not a pmd
anymore (from the gmap sight, for mm we do ptep_notify_gmap_split).
>
> This makes this manual hack unnecessary.
>
> Hope this helps :)
A tiny bit.
Anyway, the change seems to be stable, I'll send the change as a reply
when I come from the next meeting. Also had no postcopy problems.
When we agree on the change I'll do a new version.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2018-01-25 14:55 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-13 12:53 [RFC/PATCH v2 00/22] KVM/s390: Hugetlbfs enablement Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 01/22] s390/mm: make gmap_protect_range more modular Janosch Frank
2018-01-22 11:33 ` David Hildenbrand
2018-01-22 12:31 ` Janosch Frank
2018-01-22 12:50 ` David Hildenbrand
2018-01-22 13:02 ` Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 02/22] s390/mm: Abstract gmap notify bit setting Janosch Frank
2018-01-22 11:34 ` David Hildenbrand
2017-12-13 12:53 ` [RFC/PATCH v2 03/22] s390/mm: add gmap PMD invalidation notification Janosch Frank
2017-12-21 9:24 ` Janosch Frank
2018-01-22 11:46 ` David Hildenbrand
2018-01-22 13:13 ` Janosch Frank
2018-01-22 13:29 ` David Hildenbrand
2018-01-22 14:04 ` Janosch Frank
2018-01-22 11:56 ` David Hildenbrand
2018-01-22 12:09 ` Janosch Frank
2018-01-22 12:12 ` David Hildenbrand
2017-12-13 12:53 ` [RFC/PATCH v2 04/22] s390/mm: Add gmap pmd invalidation and clearing Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 05/22] s390/mm: hugetlb pages within a gmap can not be freed Janosch Frank
2018-01-24 13:45 ` David Hildenbrand
2018-01-24 13:56 ` Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 06/22] s390/mm: Introduce gmap_pmdp_xchg Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 07/22] RFC: s390/mm: Transfer guest pmd protection to host Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 08/22] s390/mm: Add huge page dirty sync support Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 09/22] s390/mm: clear huge page storage keys on enable_skey Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 10/22] s390/mm: Add huge pmd storage key handling Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 11/22] s390/mm: Remove superfluous parameter Janosch Frank
2017-12-21 9:22 ` Janosch Frank
2018-01-16 12:39 ` Janosch Frank
2018-01-16 13:11 ` David Hildenbrand
2018-01-22 13:14 ` Christian Borntraeger
2018-01-22 13:24 ` Martin Schwidefsky
2017-12-13 12:53 ` [RFC/PATCH v2 12/22] s390/mm: Add gmap_protect_large read protection support Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 13/22] s390/mm: Make gmap_read_table EDAT1 compatible Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 14/22] s390/mm: Make protect_rmap " Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 15/22] s390/mm: GMAP read table extensions Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 16/22] s390/mm: Add shadow segment code Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 17/22] s390/mm: Add VSIE reverse fake case Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 18/22] s390/mm: Remove gmap_pte_op_walk Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 19/22] s390/mm: Split huge pages if granular protection is needed Janosch Frank
2018-01-25 7:16 ` Janosch Frank
2018-01-25 14:39 ` David Hildenbrand
2018-01-25 14:55 ` Janosch Frank [this message]
2017-12-13 12:53 ` [RFC/PATCH v2 20/22] s390/mm: Enable gmap huge pmd support Janosch Frank
2017-12-13 12:53 ` [RFC/PATCH v2 21/22] KVM: s390: Add KVM HPAGE capability Janosch Frank
2017-12-20 13:02 ` Cornelia Huck
2017-12-20 13:17 ` Janosch Frank
2017-12-20 13:21 ` Cornelia Huck
2017-12-13 12:53 ` [RFC/PATCH v2 22/22] RFC: s390/mm: Add gmap lock classes Janosch Frank
2017-12-20 12:24 ` Christian Borntraeger
2017-12-20 12:36 ` Janosch Frank
2017-12-20 12:23 ` [RFC/PATCH v2 00/22] KVM/s390: Hugetlbfs enablement Christian Borntraeger
2017-12-21 12:00 ` David Hildenbrand
2017-12-22 9:08 ` Christian Borntraeger
2018-01-02 0:02 ` Janosch Frank
2018-01-22 11:23 ` David Hildenbrand
2018-01-22 11:56 ` Christian Borntraeger
2018-01-23 21:15 ` David Hildenbrand
2018-01-24 9:01 ` Janosch Frank
2018-01-24 9:14 ` David Hildenbrand
2018-01-25 15:33 ` [PATCH 0/2] Huge page pte protection Janosch Frank
2018-01-25 15:33 ` [PATCH 1/2] mm: s390: Only notify on 4k pages Janosch Frank
2018-01-25 16:04 ` David Hildenbrand
2018-01-26 10:31 ` Janosch Frank
2018-01-25 15:33 ` [PATCH 2/2] mm: s390: Rename gmap_pte_op_fixup Janosch Frank
2018-01-26 10:34 ` [PATCH v2] mm: s390: Only notify on 4k pages Janosch Frank
2018-01-30 10:19 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46412d0c-622c-44a3-dff3-48fd6b3ce3ac@linux.vnet.ibm.com \
--to=frankja@linux.vnet.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=david@redhat.com \
--cc=dominik.dingel@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=schwidefsky@de.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).