[v5,1/7] x86/hvm: allow ASID flush when v != current

Message ID	20200219174354.84726-2-roger.pau@citrix.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <SRS0=lRzm=4H=lists.xenproject.org=xen-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 72813206DB Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of roger.pau@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="roger.pau@citrix.com"; x-sender="roger.pau@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa3.hc3370-68.iphmx.com: domain of roger.pau@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="roger.pau@citrix.com"; x-sender="roger.pau@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="roger.pau@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: dPxeC9t3nd09ayyDXKYiX1EB0P1wj7ZdW0qvnXOJZzs8hJeRTPkpJzZt+/5Sqn2TjpsFZOh0+I r15ZaU26jyABlJb9eDyr3LPHg0gExe/0hSvmnz11ugxB1B/J1MVEspIxbudMPP8nIfL+WUutf4 LsiVvNxnzRJQxY3oxGYGClyyxKT/PSj/QykC1OISH3/9a/bhrkM2xE06mF6vOwIiQApBAzAzXm iMxZ2ecapx8woG/073D5nFDXYxJy4lYo0BxVd7L5svmMc63L8PGfUWIroMarvLXbvVbL0Y5Loo lI0= From: Roger Pau Monne <roger.pau@citrix.com> To: <xen-devel@lists.xenproject.org> Date: Wed, 19 Feb 2020 18:43:48 +0100 Message-ID: <20200219174354.84726-2-roger.pau@citrix.com> In-Reply-To: <20200219174354.84726-1-roger.pau@citrix.com> References: <20200219174354.84726-1-roger.pau@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v5 1/7] x86/hvm: allow ASID flush when v != current Precedence: list Cc: Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>, Jan Beulich <jbeulich@suse.com>, Roger Pau Monne <roger.pau@citrix.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Series	x86: improve assisted tlb flush and use it in guest mode \| expand [v5,0/7] x86: improve assisted tlb flush and use it in guest mode [v5,1/7] x86/hvm: allow ASID flush when v != current [v5,2/7] x86/paging: add TLB flush hooks [v5,3/7] x86/hap: improve hypervisor assisted guest TLB flush [v5,4/7] x86/tlb: introduce a flush guests TLB flag [v5,5/7] x86/tlb: allow disabling the TLB clock [v5,6/7] xen/guest: prepare hypervisor ops to use alternative calls [v5,7/7] x86/tlb: use Xen L0 assisted TLB flush when available

Message ID

20200219174354.84726-2-roger.pau@citrix.com (mailing list archive)

State

Superseded

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 72813206DB
Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender
 authenticity information available from domain of
 roger.pau@citrix.com) identity=pra; client-ip=162.221.158.21;
 receiver=esa3.hc3370-68.iphmx.com;
 envelope-from="roger.pau@citrix.com";
 x-sender="roger.pau@citrix.com"; x-conformance=sidf_compatible
Received-SPF: Pass (esa3.hc3370-68.iphmx.com: domain of
 roger.pau@citrix.com designates 162.221.158.21 as permitted
 sender) identity=mailfrom; client-ip=162.221.158.21;
 receiver=esa3.hc3370-68.iphmx.com;
 envelope-from="roger.pau@citrix.com";
 x-sender="roger.pau@citrix.com";
 x-conformance=sidf_compatible; x-record-type="v=spf1";
 x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133
 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4
 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88
 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83
 ip4:168.245.78.127 ~all"
Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender
 authenticity information available from domain of
 postmaster@mail.citrix.com) identity=helo;
 client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com;
 envelope-from="roger.pau@citrix.com";
 x-sender="postmaster@mail.citrix.com";
 x-conformance=sidf_compatible
IronPort-SDR: 
 dPxeC9t3nd09ayyDXKYiX1EB0P1wj7ZdW0qvnXOJZzs8hJeRTPkpJzZt+/5Sqn2TjpsFZOh0+I
 r15ZaU26jyABlJb9eDyr3LPHg0gExe/0hSvmnz11ugxB1B/J1MVEspIxbudMPP8nIfL+WUutf4
 LsiVvNxnzRJQxY3oxGYGClyyxKT/PSj/QykC1OISH3/9a/bhrkM2xE06mF6vOwIiQApBAzAzXm
 iMxZ2ecapx8woG/073D5nFDXYxJy4lYo0BxVd7L5svmMc63L8PGfUWIroMarvLXbvVbL0Y5Loo
 lI0=
From: Roger Pau Monne <roger.pau@citrix.com>
To: <xen-devel@lists.xenproject.org>
Date: Wed, 19 Feb 2020 18:43:48 +0100
Message-ID: <20200219174354.84726-2-roger.pau@citrix.com>
In-Reply-To: <20200219174354.84726-1-roger.pau@citrix.com>
References: <20200219174354.84726-1-roger.pau@citrix.com>
MIME-Version: 1.0
Subject: [Xen-devel] [PATCH v5 1/7] x86/hvm: allow ASID flush when v !=
 current
Precedence: list
Cc: Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>,
 Jan Beulich <jbeulich@suse.com>, Roger Pau Monne <roger.pau@citrix.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

Series

x86: improve assisted tlb flush and use it in guest mode | expand

Commit Message

Roger Pau Monné Feb. 19, 2020, 5:43 p.m. UTC

Current implementation of hvm_asid_flush_vcpu is not safe to use
unless the target vCPU is either paused or the currently running one,
as it modifies the generation without any locking.

Fix this by using atomic operations when accessing the generation
field, both in hvm_asid_flush_vcpu_asid and other ASID functions. This
allows to safely flush the current ASID generation. Note that for the
flush to take effect if the vCPU is currently running a vmexit is
required.

Note the same could be achieved by introducing an extra field to
hvm_vcpu_asid that signals hvm_asid_handle_vmenter the need to call
hvm_asid_flush_vcpu on the given vCPU before vmentry, this however
seems unnecessary as hvm_asid_flush_vcpu itself only sets two vCPU
fields to 0, so there's no need to delay this to the vmentry ASID
helper.

This is not a bugfix as no callers that would violate the assumptions
listed in the first paragraph have been found, but a preparatory
change in order to allow remote flushing of HVM vCPUs.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Wei Liu <wl@xen.org>
---
 xen/arch/x86/hvm/asid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Jan Beulich Feb. 28, 2020, 1:29 p.m. UTC | #1

On 19.02.2020 18:43, Roger Pau Monne wrote:
> Current implementation of hvm_asid_flush_vcpu is not safe to use
> unless the target vCPU is either paused or the currently running one,
> as it modifies the generation without any locking.

Indeed, but the issue you're taking care of is highly theoretical:
I don't think any sane compiler will split writes of the fields
to multiple insns. It would be nice if this was made clear here.

> Fix this by using atomic operations when accessing the generation
> field, both in hvm_asid_flush_vcpu_asid and other ASID functions. This
> allows to safely flush the current ASID generation. Note that for the
> flush to take effect if the vCPU is currently running a vmexit is
> required.
> 
> Note the same could be achieved by introducing an extra field to
> hvm_vcpu_asid that signals hvm_asid_handle_vmenter the need to call
> hvm_asid_flush_vcpu on the given vCPU before vmentry, this however
> seems unnecessary as hvm_asid_flush_vcpu itself only sets two vCPU
> fields to 0, so there's no need to delay this to the vmentry ASID
> helper.
> 
> This is not a bugfix as no callers that would violate the assumptions
> listed in the first paragraph have been found, but a preparatory
> change in order to allow remote flushing of HVM vCPUs.
> 
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> Reviewed-by: Wei Liu <wl@xen.org>

With a suitable clarification added
Acked-by: Jan Beulich <jbeulich@suse.com>

Jan

Roger Pau Monné Feb. 28, 2020, 3:27 p.m. UTC | #2

On Fri, Feb 28, 2020 at 02:29:09PM +0100, Jan Beulich wrote:
> On 19.02.2020 18:43, Roger Pau Monne wrote:
> > Current implementation of hvm_asid_flush_vcpu is not safe to use
> > unless the target vCPU is either paused or the currently running one,
> > as it modifies the generation without any locking.
> 
> Indeed, but the issue you're taking care of is highly theoretical:
> I don't think any sane compiler will split writes of the fields
> to multiple insns. It would be nice if this was made clear here.

What about adding:

> > Fix this by using atomic operations when accessing the generation
> > field, both in hvm_asid_flush_vcpu_asid and other ASID functions. This
> > allows to safely flush the current ASID generation. Note that for the
> > flush to take effect if the vCPU is currently running a vmexit is
> > required.

"Most compilers will already do such writes and reads as a single
instruction, so the usage of atomic operations is mostly used as a
safety measure."

Here?

> > Note the same could be achieved by introducing an extra field to
> > hvm_vcpu_asid that signals hvm_asid_handle_vmenter the need to call
> > hvm_asid_flush_vcpu on the given vCPU before vmentry, this however
> > seems unnecessary as hvm_asid_flush_vcpu itself only sets two vCPU
> > fields to 0, so there's no need to delay this to the vmentry ASID
> > helper.
> > 
> > This is not a bugfix as no callers that would violate the assumptions
> > listed in the first paragraph have been found, but a preparatory
> > change in order to allow remote flushing of HVM vCPUs.
> > 
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> > Reviewed-by: Wei Liu <wl@xen.org>
> 
> With a suitable clarification added
> Acked-by: Jan Beulich <jbeulich@suse.com>

Thanks, Roger.

Jan Beulich Feb. 28, 2020, 3:47 p.m. UTC | #3

On 28.02.2020 16:27, Roger Pau Monné wrote:
> On Fri, Feb 28, 2020 at 02:29:09PM +0100, Jan Beulich wrote:
>> On 19.02.2020 18:43, Roger Pau Monne wrote:
>>> Current implementation of hvm_asid_flush_vcpu is not safe to use
>>> unless the target vCPU is either paused or the currently running one,
>>> as it modifies the generation without any locking.
>>
>> Indeed, but the issue you're taking care of is highly theoretical:
>> I don't think any sane compiler will split writes of the fields
>> to multiple insns. It would be nice if this was made clear here.
> 
> What about adding:
> 
>>> Fix this by using atomic operations when accessing the generation
>>> field, both in hvm_asid_flush_vcpu_asid and other ASID functions. This
>>> allows to safely flush the current ASID generation. Note that for the
>>> flush to take effect if the vCPU is currently running a vmexit is
>>> required.
> 
> "Most compilers will already do such writes and reads as a single
> instruction, so the usage of atomic operations is mostly used as a
> safety measure."
> 
> Here?

Could you perhaps start with "Compilers will normally ..." I'm fine
with the rest, it's just that "most compilers" still feels like
an understatement.

Jan

Roger Pau Monné Feb. 28, 2020, 4:20 p.m. UTC | #4

On Fri, Feb 28, 2020 at 04:47:57PM +0100, Jan Beulich wrote:
> On 28.02.2020 16:27, Roger Pau Monné wrote:
> > On Fri, Feb 28, 2020 at 02:29:09PM +0100, Jan Beulich wrote:
> >> On 19.02.2020 18:43, Roger Pau Monne wrote:
> >>> Current implementation of hvm_asid_flush_vcpu is not safe to use
> >>> unless the target vCPU is either paused or the currently running one,
> >>> as it modifies the generation without any locking.
> >>
> >> Indeed, but the issue you're taking care of is highly theoretical:
> >> I don't think any sane compiler will split writes of the fields
> >> to multiple insns. It would be nice if this was made clear here.
> > 
> > What about adding:
> > 
> >>> Fix this by using atomic operations when accessing the generation
> >>> field, both in hvm_asid_flush_vcpu_asid and other ASID functions. This
> >>> allows to safely flush the current ASID generation. Note that for the
> >>> flush to take effect if the vCPU is currently running a vmexit is
> >>> required.
> > 
> > "Most compilers will already do such writes and reads as a single
> > instruction, so the usage of atomic operations is mostly used as a
> > safety measure."
> > 
> > Here?
> 
> Could you perhaps start with "Compilers will normally ..." I'm fine
> with the rest, it's just that "most compilers" still feels like
> an understatement.

Sure, that's fine.

Thanks, Roger.

diff --git a/xen/arch/x86/hvm/asid.c b/xen/arch/x86/hvm/asid.c
index 8e00a28443..63ce462d56 100644
--- a/xen/arch/x86/hvm/asid.c
+++ b/xen/arch/x86/hvm/asid.c
@@ -83,7 +83,7 @@  void hvm_asid_init(int nasids)
 
 void hvm_asid_flush_vcpu_asid(struct hvm_vcpu_asid *asid)
 {
-    asid->generation = 0;
+    write_atomic(&asid->generation, 0);
 }
 
 void hvm_asid_flush_vcpu(struct vcpu *v)
@@ -121,7 +121,7 @@  bool_t hvm_asid_handle_vmenter(struct hvm_vcpu_asid *asid)
         goto disabled;
 
     /* Test if VCPU has valid ASID. */
-    if ( asid->generation == data->core_asid_generation )
+    if ( read_atomic(&asid->generation) == data->core_asid_generation )
         return 0;
 
     /* If there are no free ASIDs, need to go to a new generation */
@@ -135,7 +135,7 @@  bool_t hvm_asid_handle_vmenter(struct hvm_vcpu_asid *asid)
 
     /* Now guaranteed to be a free ASID. */
     asid->asid = data->next_asid++;
-    asid->generation = data->core_asid_generation;
+    write_atomic(&asid->generation, data->core_asid_generation);
 
     /*
      * When we assign ASID 1, flush all TLB entries as we are starting a new

[v5,1/7] x86/hvm: allow ASID flush when v != current

Commit Message

Comments

Patch