[RFC,03/15] KVM: Add build-time error check on kvm_run size

Message ID	20191129213505.18472-4-peterx@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=D48H=ZV=vger.kernel.org=kvm-owner@kernel.org> From: Peter Xu <peterx@redhat.com> To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: Sean Christopherson <sean.j.christopherson@intel.com>, Paolo Bonzini <pbonzini@redhat.com>, "Dr . David Alan Gilbert" <dgilbert@redhat.com>, peterx@redhat.com, Vitaly Kuznetsov <vkuznets@redhat.com> Subject: [PATCH RFC 03/15] KVM: Add build-time error check on kvm_run size Date: Fri, 29 Nov 2019 16:34:53 -0500 Message-Id: <20191129213505.18472-4-peterx@redhat.com> In-Reply-To: <20191129213505.18472-1-peterx@redhat.com> References: <20191129213505.18472-1-peterx@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Sender: kvm-owner@vger.kernel.org Precedence: bulk
Series	KVM: Dirty ring interface \| expand [RFC,00/15] KVM: Dirty ring interface [RFC,01/15] KVM: Move running VCPU from ARM to common code [RFC,02/15] KVM: Add kvm/vcpu argument to mark_dirty_page_in_slot [RFC,03/15] KVM: Add build-time error check on kvm_run size [RFC,04/15] KVM: Implement ring-based dirty memory tracking [RFC,05/15] KVM: Make dirty ring exclusive to dirty bitmap log [RFC,06/15] KVM: Introduce dirty ring wait queue [RFC,07/15] KVM: X86: Implement ring-based dirty memory tracking [RFC,08/15] KVM: selftests: Always clear dirty bitmap after iteration [RFC,09/15] KVM: selftests: Sync uapi/linux/kvm.h to tools/ [RFC,10/15] KVM: selftests: Use a single binary for dirty/clear log test [RFC,11/15] KVM: selftests: Introduce after_vcpu_run hook for dirty log test [RFC,12/15] KVM: selftests: Add dirty ring buffer test [RFC,13/15] KVM: selftests: Let dirty_log_test async for dirty ring test [RFC,14/15] KVM: selftests: Add "-c" parameter to dirty log test [RFC,15/15] KVM: selftests: Test dirty ring waitqueue

Peter Xu Nov. 29, 2019, 9:34 p.m. UTC

It's already going to reach 2400 Bytes (which is over half of page
size on 4K page archs), so maybe it's good to have this build-time
check in case it overflows when adding new fields.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 virt/kvm/kvm_main.c | 2 ++
 1 file changed, 2 insertions(+)

Sean Christopherson Dec. 2, 2019, 7:30 p.m. UTC | #1

On Fri, Nov 29, 2019 at 04:34:53PM -0500, Peter Xu wrote:
> It's already going to reach 2400 Bytes (which is over half of page
> size on 4K page archs), so maybe it's good to have this build-time
> check in case it overflows when adding new fields.

Please explain why exceeding PAGE_SIZE is a bad thing.  I realize it's
almost absurdly obvious when looking at the code, but a) the patch itself
does not provide that context and b) the changelog should hold up on its
own, e.g. in a mostly hypothetical case where the allocation of vcpu->run
were changed to something else.

> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  virt/kvm/kvm_main.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 8f8940cc4b84..681452d288cd 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -352,6 +352,8 @@ int kvm_vcpu_init(struct kvm_vcpu *vcpu, struct kvm *kvm, unsigned id)
>  	}
>  	vcpu->run = page_address(page);
>  
> +	BUILD_BUG_ON(sizeof(struct kvm_run) > PAGE_SIZE);
> +
>  	kvm_vcpu_set_in_spin_loop(vcpu, false);
>  	kvm_vcpu_set_dy_eligible(vcpu, false);
>  	vcpu->preempted = false;
> -- 
> 2.21.0
>

Peter Xu Dec. 2, 2019, 8:53 p.m. UTC | #2

On Mon, Dec 02, 2019 at 11:30:27AM -0800, Sean Christopherson wrote:
> On Fri, Nov 29, 2019 at 04:34:53PM -0500, Peter Xu wrote:
> > It's already going to reach 2400 Bytes (which is over half of page
> > size on 4K page archs), so maybe it's good to have this build-time
> > check in case it overflows when adding new fields.
> 
> Please explain why exceeding PAGE_SIZE is a bad thing.  I realize it's
> almost absurdly obvious when looking at the code, but a) the patch itself
> does not provide that context and b) the changelog should hold up on its
> own,

Right, I'll enhance the commit message.

> e.g. in a mostly hypothetical case where the allocation of vcpu->run
> were changed to something else.

And that's why I added BUILD_BUG_ON right beneath that allocation. :)

It's just a helper for developers when adding new kvm_run fields, not
a risk for anyone who wants to start allocating more pages for it.

Thanks,

> 
> > Signed-off-by: Peter Xu <peterx@redhat.com>
> > ---
> >  virt/kvm/kvm_main.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> > index 8f8940cc4b84..681452d288cd 100644
> > --- a/virt/kvm/kvm_main.c
> > +++ b/virt/kvm/kvm_main.c
> > @@ -352,6 +352,8 @@ int kvm_vcpu_init(struct kvm_vcpu *vcpu, struct kvm *kvm, unsigned id)
> >  	}
> >  	vcpu->run = page_address(page);
> >  
> > +	BUILD_BUG_ON(sizeof(struct kvm_run) > PAGE_SIZE);
> > +
> >  	kvm_vcpu_set_in_spin_loop(vcpu, false);
> >  	kvm_vcpu_set_dy_eligible(vcpu, false);
> >  	vcpu->preempted = false;
> > -- 
> > 2.21.0
> > 
>

Sean Christopherson Dec. 2, 2019, 10:19 p.m. UTC | #3

On Mon, Dec 02, 2019 at 03:53:15PM -0500, Peter Xu wrote:
> On Mon, Dec 02, 2019 at 11:30:27AM -0800, Sean Christopherson wrote:
> > On Fri, Nov 29, 2019 at 04:34:53PM -0500, Peter Xu wrote:
> > > It's already going to reach 2400 Bytes (which is over half of page
> > > size on 4K page archs), so maybe it's good to have this build-time
> > > check in case it overflows when adding new fields.
> > 
> > Please explain why exceeding PAGE_SIZE is a bad thing.  I realize it's
> > almost absurdly obvious when looking at the code, but a) the patch itself
> > does not provide that context and b) the changelog should hold up on its
> > own,
> 
> Right, I'll enhance the commit message.
> 
> > e.g. in a mostly hypothetical case where the allocation of vcpu->run
> > were changed to something else.
> 
> And that's why I added BUILD_BUG_ON right beneath that allocation. :)

My point is that if the allocation were changed to no longer be a
straightforward alloc_page() then someone reading the combined code would
have no idea why the BUILD_BUG_ON() exists.  It's a bit ridiculous for
this case because the specific constraints of vcpu->run make it highly
unlikely to use anything else, but that's beside the point.

> It's just a helper for developers when adding new kvm_run fields, not
> a risk for anyone who wants to start allocating more pages for it.

But by adding a BUILD_BUG_ON without explaining *why*, you're placing an
extra burden on someone that wants to increase the size of kvm->run, e.g.
it's not at all obvious from the changelog whether this patch is adding
the BUILD_BUG_ON purely because the code allocates memory for vcpu->run
via alloc_page(), or if there is some fundamental aspect of vcpu->run that
requires it to never span multiple pages.

Peter Xu Dec. 2, 2019, 10:40 p.m. UTC | #4

On Mon, Dec 02, 2019 at 02:19:49PM -0800, Sean Christopherson wrote:
> On Mon, Dec 02, 2019 at 03:53:15PM -0500, Peter Xu wrote:
> > On Mon, Dec 02, 2019 at 11:30:27AM -0800, Sean Christopherson wrote:
> > > On Fri, Nov 29, 2019 at 04:34:53PM -0500, Peter Xu wrote:
> > > > It's already going to reach 2400 Bytes (which is over half of page
> > > > size on 4K page archs), so maybe it's good to have this build-time
> > > > check in case it overflows when adding new fields.
> > > 
> > > Please explain why exceeding PAGE_SIZE is a bad thing.  I realize it's
> > > almost absurdly obvious when looking at the code, but a) the patch itself
> > > does not provide that context and b) the changelog should hold up on its
> > > own,
> > 
> > Right, I'll enhance the commit message.
> > 
> > > e.g. in a mostly hypothetical case where the allocation of vcpu->run
> > > were changed to something else.
> > 
> > And that's why I added BUILD_BUG_ON right beneath that allocation. :)
> 
> My point is that if the allocation were changed to no longer be a
> straightforward alloc_page() then someone reading the combined code would
> have no idea why the BUILD_BUG_ON() exists.  It's a bit ridiculous for
> this case because the specific constraints of vcpu->run make it highly
> unlikely to use anything else, but that's beside the point.
> 
> > It's just a helper for developers when adding new kvm_run fields, not
> > a risk for anyone who wants to start allocating more pages for it.
> 
> But by adding a BUILD_BUG_ON without explaining *why*, you're placing an
> extra burden on someone that wants to increase the size of kvm->run, e.g.
> it's not at all obvious from the changelog whether this patch is adding
> the BUILD_BUG_ON purely because the code allocates memory for vcpu->run
> via alloc_page(), or if there is some fundamental aspect of vcpu->run that
> requires it to never span multiple pages.

How about I add a comment above it?

  /*
   * Currently kvm_run only uses one physical page.  Warn the develper
   * if kvm_run accidentaly grows more than that.
   */
  BUILD_BUG_ON(...);

Thanks,

Sean Christopherson Dec. 3, 2019, 5:50 a.m. UTC | #5

On Mon, Dec 02, 2019 at 05:40:34PM -0500, Peter Xu wrote:
> On Mon, Dec 02, 2019 at 02:19:49PM -0800, Sean Christopherson wrote:
> > On Mon, Dec 02, 2019 at 03:53:15PM -0500, Peter Xu wrote:
> > > On Mon, Dec 02, 2019 at 11:30:27AM -0800, Sean Christopherson wrote:
> > > > On Fri, Nov 29, 2019 at 04:34:53PM -0500, Peter Xu wrote:
> > > > > It's already going to reach 2400 Bytes (which is over half of page
> > > > > size on 4K page archs), so maybe it's good to have this build-time
> > > > > check in case it overflows when adding new fields.
> > > > 
> > > > Please explain why exceeding PAGE_SIZE is a bad thing.  I realize it's
> > > > almost absurdly obvious when looking at the code, but a) the patch itself
> > > > does not provide that context and b) the changelog should hold up on its
> > > > own,
> > > 
> > > Right, I'll enhance the commit message.
> > > 
> > > > e.g. in a mostly hypothetical case where the allocation of vcpu->run
> > > > were changed to something else.
> > > 
> > > And that's why I added BUILD_BUG_ON right beneath that allocation. :)
> > 
> > My point is that if the allocation were changed to no longer be a
> > straightforward alloc_page() then someone reading the combined code would
> > have no idea why the BUILD_BUG_ON() exists.  It's a bit ridiculous for
> > this case because the specific constraints of vcpu->run make it highly
> > unlikely to use anything else, but that's beside the point.
> > 
> > > It's just a helper for developers when adding new kvm_run fields, not
> > > a risk for anyone who wants to start allocating more pages for it.
> > 
> > But by adding a BUILD_BUG_ON without explaining *why*, you're placing an
> > extra burden on someone that wants to increase the size of kvm->run, e.g.
> > it's not at all obvious from the changelog whether this patch is adding
> > the BUILD_BUG_ON purely because the code allocates memory for vcpu->run
> > via alloc_page(), or if there is some fundamental aspect of vcpu->run that
> > requires it to never span multiple pages.
> 
> How about I add a comment above it?
> 
>   /*
>    * Currently kvm_run only uses one physical page.  Warn the develper
>    * if kvm_run accidentaly grows more than that.
>    */
>   BUILD_BUG_ON(...);

No need for a comment, adding a blurb in the changelog is sufficient.

The lengthy response was just trying to explain why it's helpful to
explicitly justify a change that may seem obvious in the current codebase.
Apologies if it only confused things.

Paolo Bonzini Dec. 3, 2019, 1:41 p.m. UTC | #6

On 02/12/19 23:19, Sean Christopherson wrote:
>>> e.g. in a mostly hypothetical case where the allocation of vcpu->run
>>> were changed to something else.
>> And that's why I added BUILD_BUG_ON right beneath that allocation. :)

It's not exactly beneath it (it's out of the patch context at least).  I
think a comment is not strictly necessary, but a better commit message
is and, since you are at it, I would put the BUILD_BUG_ON *before* the
allocation.  That makes it more obvious that you are checking the
invariant before allocating.

Paolo

Peter Xu Dec. 3, 2019, 5:04 p.m. UTC | #7

On Tue, Dec 03, 2019 at 02:41:58PM +0100, Paolo Bonzini wrote:
> On 02/12/19 23:19, Sean Christopherson wrote:
> >>> e.g. in a mostly hypothetical case where the allocation of vcpu->run
> >>> were changed to something else.
> >> And that's why I added BUILD_BUG_ON right beneath that allocation. :)
> 
> It's not exactly beneath it (it's out of the patch context at least).  I
> think a comment is not strictly necessary, but a better commit message
> is and, since you are at it, I would put the BUILD_BUG_ON *before* the
> allocation.  That makes it more obvious that you are checking the
> invariant before allocating.

Makes sense, will do.  Thanks for both of your reviews.

[RFC,03/15] KVM: Add build-time error check on kvm_run size

Commit Message

Comments

Patch