| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Jan 2021 14:02:25 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: Ben Gardon <bgardon@...gle.com>, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, Peter Xu <peterx@...hat.com>,
Peter Shier <pshier@...gle.com>,
Peter Feiner <pfeiner@...gle.com>,
Junaid Shahid <junaids@...gle.com>,
Jim Mattson <jmattson@...gle.com>,
Yulei Zhang <yulei.kernel@...il.com>,
Wanpeng Li <kernellwp@...il.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Xiao Guangrong <xiaoguangrong.eric@...il.com>
Subject: Re: [PATCH 19/24] kvm: x86/mmu: Protect tdp_mmu_pages with a lock
On Tue, Jan 26, 2021, Paolo Bonzini wrote:
> On 21/01/21 22:32, Sean Christopherson wrote:
> > Coming back to this series, I wonder if the RCU approach is truly necessary to
> > get the desired scalability. If both zap_collapsible_sptes() and NX huge page
> > recovery zap_only_ leaf SPTEs, then the only path that can actually unlink a
> > shadow page while holding the lock for read is the page fault path that installs
> > a huge page over an existing shadow page.
> >
> > Assuming the above analysis is correct, I think it's worth exploring alternatives
> > to using RCU to defer freeing the SP memory, e.g. promoting to a write lock in
> > the specific case of overwriting a SP (though that may not exist for rwlocks),
> > or maybe something entirely different?
>
> You can do the deferred freeing with a short write-side critical section to
> ensure all readers have terminated.
Hmm, the most obvious downside I see is that the zap_collapsible_sptes() case
will not scale as well as the RCU approach. E.g. the lock may be heavily
contested when refaulting all of guest memory to (re)install huge pages after a
failed migration.
Though I wonder, could we do something even more clever for that particular
case? And I suppose it would apply to NX huge pages as well. Instead of
zapping the leaf PTEs and letting the fault handler install the huge page, do an
in-place promotion when dirty logging is disabled. That could all be done under
the read lock, and with Paolo's method for deferred free on the back end. That
way only the thread doing the memslot update would take mmu_lock for write, and
only once per memslot update.
> If the bool argument to handle_disconnected_tdp_mmu_page is true(*), the
> pages would be added to an llist, instead of being freed immediately. At the
> end of a shared critical section you would do
>
> if (!llist_empty(&kvm->arch.tdp_mmu_disconnected_pages)) {
> struct llist_node *first;
> kvm_mmu_lock(kvm);
> first = __list_del_all(&kvm->arch.tdp_mmu_disconnected_pages);
> kvm_mmu_unlock(kvm);
>
> /*
> * All vCPUs have already stopped using the pages when
> * their TLBs were flushed. The exclusive critical
> * section above means that there can be no readers
> * either.
> */
> tdp_mmu_free_disconnected_pages(first);
> }
>
> So this is still deferred reclamation, but it's done by one of the vCPUs
> rather than a worker RCU thread. This would replace patches 11/12/13 and
> probably would be implemented after patch 18.
>
> Paolo
>
> (*) this idea is what prompted the comment about s/atomic/shared/
>
Powered by blists - more mailing lists