
Re: [PATCH v4 for-4.14] x86/monitor: revert default behavior when monitoring register write events


  • To: Jan Beulich <jbeulich@xxxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>
  • From: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>
  • Date: Mon, 8 Jun 2020 21:58:15 +0300
  • Cc: Andrei LUTAS <vlutas@xxxxxxxxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Mihai Donțu <mdontu@xxxxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Tue, 09 Jun 2020 04:17:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 6/8/20 6:55 PM, Jan Beulich wrote:
> On 03.06.2020 17:07, Roger Pau Monné wrote:
>> On Wed, Jun 03, 2020 at 06:52:37AM -0600, Tamas K Lengyel wrote:
>>> For the last couple years we have received numerous reports from users of
>>> monitor vm_events of spurious guest crashes when using events. In
>>> particular, it has been observed that the problem occurs when vm_events
>>> are being disabled. The nature of the guest crash varied widely and has
>>> only occurred occasionally. This made debugging the issue particularly
>>> hard. We had discussions about this issue even here on the xen-devel
>>> mailing list with no luck figuring it out.
>>>
>>> The bug has now been identified as a race-condition between register event
>>> handling and disabling the monitor vm_event interface. The default behavior
>>> regarding emulation of register write events is changed so that they get
>>> postponed until the corresponding vm_event handler decides whether to allow
>>> such a write to take place. Unfortunately this can only be implemented by
>>> performing the deny/allow step when the vCPU gets scheduled.
>>>
>>> Due to that postponed emulation of the event, if the user decides to pause
>>> the VM in the vm_event handler and then disable events, the entire
>>> emulation step is skipped the next time the vCPU is resumed. Even if the
>>> user doesn't pause during the vm_event handling but exits immediately and
>>> disables vm_event, the situation becomes racy as disabling vm_event may
>>> succeed before the guest's vCPUs get scheduled with the pending emulation
>>> task. This has been particularly the case with VMs that have several vCPUs,
>>> as after the VM is unpaused it may actually take a long time before all
>>> vCPUs get scheduled.
>>>
>>> In this patch we are reverting the default behavior to always perform
>>> emulation of register write events when the event occurs. Postponing them
>>> can be turned on as an option. In that case the user of the interface still
>>> has to take care of only disabling the interface when it's safe as it
>>> remains buggy.
>>>
>>> Fixes: 96760e2fba10 ('vm_event: deny register writes if refused by vm_event
>>> reply').
>>>
>>> Signed-off-by: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
>>
>> Thanks!
>>
>> Reviewed-by: Roger Pau Monné <rogerpau@xxxxxxxxxx>
>>
>> I would like to get some input from Bitdefender really, and whether
>> they are fine with this approach.

Hello,

Not really my call to make anymore, but I do have a few notes.

First, IIRC the problem stems from the initial choice to have the
vm_event data allocated on-demand when first subscribing to events. The
proper solution (since this patch doesn't actually fix the problem),
IMHO, would be for the vm_event data to _always_ exist, and instead of
relying on the value of its pointer to check if there are event
subscribers, we could just check the emulation flags individually and
never miss a pending emulated something again. I did try to go that way
in the beginning, but it has reasonably been objected that we should cut
back on using hypervisor memory unnecessarily, hence we got to this point.

Secondly, I see no reason why we couldn't adapt to the new default
behaviour provided that the old behaviour continues to work _exactly_ as
before.

And last but not least, the proper sequence is: 1. unsubscribe from
register write events, 2. process all events "still in the chamber"
(keep checking the ring buffer for a while), 3. detach from the guest
(disable the vm_event subsystem). Not ideal perhaps (in that it's not
guaranteed that a VCPU won't resume after a longer period than our
timeout), but if the sequence is followed there should be no guest hangs
or crashes (at least none that we or our clients have observed so far).

So in short, I think there's a better fix for this by simply not
allocating the vm_event memory on-demand anymore and never having to
deal with lost pending emulations again. It should also decrease code
complexity by a tiny bit. Then again, as stated at the beginning of this
message, that's just a recommendation.


HTH,
Razvan
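The lost-pending-emulation failure described above, reduced to a constructed C model (added here; this is not Xen code and the struct names and flag are hypothetical). The on-demand layout frees the per-vCPU bookkeeping when the interface is disabled, so a write the handler already allowed is silently dropped on resume; the embedded layout keeps the flag regardless of subscription state, as the reply suggests.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of deferred register-write bookkeeping. */
struct write_data {
    bool do_write_cr0;    /* handler replied: allow the CR0 write */
    unsigned long cr0;    /* value to commit when the vCPU is scheduled */
};

struct vcpu {
    struct write_data *on_demand;  /* allocated on subscribe, freed on disable */
    struct write_data  always;     /* embedded: never freed (proposed layout) */
    unsigned long cr0;             /* guest-visible register */
};

static void vm_event_enable(struct vcpu *v)
{
    v->on_demand = calloc(1, sizeof(*v->on_demand));
}

/* Disabling drops the on-demand data, and any pending write with it. */
static void vm_event_disable(struct vcpu *v)
{
    free(v->on_demand);
    v->on_demand = NULL;
}

/* The handler's reply: allow, but commit only when the vCPU next runs. */
static void reply_allow_cr0(struct vcpu *v, unsigned long val, bool use_always)
{
    struct write_data *wd = use_always ? &v->always : v->on_demand;
    wd->do_write_cr0 = true;
    wd->cr0 = val;
}

/* Resume path: returns true if a pending write was actually committed. */
static bool vcpu_resume(struct vcpu *v, bool use_always)
{
    struct write_data *wd = use_always ? &v->always : v->on_demand;
    if ( !wd || !wd->do_write_cr0 )
        return false;   /* pointer gone or nothing pending: write is lost */
    v->cr0 = wd->cr0;
    wd->do_write_cr0 = false;
    return true;
}

/* Does an allowed write survive when vm_event is disabled before the vCPU runs? */
static bool write_survives_disable(bool use_always)
{
    struct vcpu v;
    memset(&v, 0, sizeof(v));
    vm_event_enable(&v);
    reply_allow_cr0(&v, 0x80000011UL, use_always); /* vCPU not yet scheduled */
    vm_event_disable(&v);                          /* monitor detaches first */
    return vcpu_resume(&v, use_always) && v.cr0 == 0x80000011UL;
}
```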
