Re: [PATCH] x86/pv: Flush TLB in response to paging structure changes
On 20/10/2020 16:24, Andrew Cooper wrote:
> With MMU_UPDATE, a PV guest can make changes to higher level pagetables. This
> is from Xen's point of view (as the update only affects guest mappings), and
> the guest is required to flush suitably after making updates.
>
> However, Xen's use of linear pagetables (UPDATE_VA_MAPPING, GNTTABOP_map,
> writeable pagetables, etc.) is an implementation detail outside of the
> API/ABI.
>
> Changes in the paging structure require invalidations in the linear pagetable
> range for subsequent accesses into the linear pagetables to access non-stale
> mappings. Xen must provide suitable flushing to prevent intermixed guest
> actions from accidentally accessing/modifying the wrong pagetable.
>
> For all L2 and higher modifications, flush the full TLB. (This could in
> principle be an order 39 flush starting at LINEAR_PT_VIRT_START, but no such
> mechanism exists in practice.)
>
> As this combines with sync_guest for XPTI L4 "shadowing", replace the
> sync_guest boolean with flush_flags and accumulate flags. The sync_guest case
> now always needs to flush, there is no point trying to exclude the current CPU
> from the flush mask. Use pt_owner->dirty_cpumask directly.
>
> This is XSA-286.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Wei Liu <wl@xxxxxxx>
>
> A couple of minor points.
>
> * PV guests can create global mappings. I can't reason any safe way to relax
>   FLUSH_TLB_GLOBAL to just FLUSH_TLB.

Sorry - forgot one of the points here.

We could in principle relax the flush entirely if we know that we're editing from a not-present to present entry, but plumbing this up through mod_l?_entry() isn't trivial, and it's also not obvious how much of an optimisation it would be in practice.

~Andrew

> * Performance tests are still ongoing, but so far is faring better than the
>   embargoed alternative.
> --- > xen/arch/x86/mm.c | 31 +++++++++++++++---------------- > 1 file changed, 15 insertions(+), 16 deletions(-) > > diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c > index 918ee2bbe3..a6a7fcb56c 100644 > --- a/xen/arch/x86/mm.c > +++ b/xen/arch/x86/mm.c > @@ -3883,11 +3883,10 @@ long do_mmu_update( > void *va = NULL; > unsigned long gpfn, gmfn; > struct page_info *page; > - unsigned int cmd, i = 0, done = 0, pt_dom; > + unsigned int cmd, i = 0, done = 0, pt_dom, flush_flags = 0; > struct vcpu *curr = current, *v = curr; > struct domain *d = v->domain, *pt_owner = d, *pg_owner; > mfn_t map_mfn = INVALID_MFN, mfn; > - bool sync_guest = false; > uint32_t xsm_needed = 0; > uint32_t xsm_checked = 0; > int rc = put_old_guest_table(curr); > @@ -4037,6 +4036,8 @@ long do_mmu_update( > break; > rc = mod_l2_entry(va, l2e_from_intpte(req.val), mfn, > cmd == MMU_PT_UPDATE_PRESERVE_AD, v); > + if ( !rc ) > + flush_flags |= FLUSH_TLB_GLOBAL; > break; > > case PGT_l3_page_table: > @@ -4044,6 +4045,8 @@ long do_mmu_update( > break; > rc = mod_l3_entry(va, l3e_from_intpte(req.val), mfn, > cmd == MMU_PT_UPDATE_PRESERVE_AD, v); > + if ( !rc ) > + flush_flags |= FLUSH_TLB_GLOBAL; > break; > > case PGT_l4_page_table: 
> @@ -4051,6 +4054,8 @@ long do_mmu_update( > break; > rc = mod_l4_entry(va, l4e_from_intpte(req.val), mfn, > cmd == MMU_PT_UPDATE_PRESERVE_AD, v); > + if ( !rc ) > + flush_flags |= FLUSH_TLB_GLOBAL; > if ( !rc && pt_owner->arch.pv.xpti ) > { > bool local_in_use = false; > @@ -4071,7 +4076,7 @@ long do_mmu_update( > (1 + !!(page->u.inuse.type_info & PGT_pinned) + > > mfn_eq(pagetable_get_mfn(curr->arch.guest_table_user), > mfn) + local_in_use) ) > - sync_guest = true; > + flush_flags |= FLUSH_ROOT_PGTBL; > } > break; > > @@ -4173,19 +4178,13 @@ long do_mmu_update( > if ( va ) > unmap_domain_page(va); > > - if ( sync_guest ) > - { > - /* > - * Force other vCPU-s of the affected guest to pick up L4 entry > - * changes (if any). > - */ > - unsigned int cpu = smp_processor_id(); > - cpumask_t *mask = per_cpu(scratch_cpumask, cpu); > - > - cpumask_andnot(mask, pt_owner->dirty_cpumask, cpumask_of(cpu)); > - if ( !cpumask_empty(mask) ) > - flush_mask(mask, FLUSH_TLB_GLOBAL | FLUSH_ROOT_PGTBL); > - } > + /* > + * Flush TLBs if an L2 or higher was changed (invalidates the structure > of > + * the linear pagetables), or an L4 in use by other CPUs was made (needs > + * to resync the XPTI copy of the table). > + */ > + if ( flush_flags ) > + flush_mask(pt_owner->dirty_cpumask, flush_flags); > > perfc_add(num_page_updates, i); >
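Review bot: in the three hunks at -4037, -4044 and -4051, the reason for using FLUSH_TLB_GLOBAL rather than FLUSH_TLB (PV guests can create global mappings) appears only in the notes below the `---`, so it will not travel with the code. A short comment beside `flush_flags |= FLUSH_TLB_GLOBAL;` in the mod_l2_entry() case would keep that rationale where the next reader looks for it. In the PGT_l4_page_table hunk the new `if ( !rc )` sits directly above `if ( !rc && pt_owner->arch.pv.xpti )`; nesting the XPTI block inside a single `if ( !rc )` would avoid testing rc twice.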
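Review bot: in the last hunk (-4173), `flush_mask(pt_owner->dirty_cpumask, flush_flags)` now delivers FLUSH_ROOT_PGTBL to the current CPU as well, where the removed code masked it out with cpumask_andnot() and only forced other vCPUs to pick up L4 changes. The commit message says excluding the current CPU is no longer worthwhile, but the new comment does not; it should state that the local CPU is deliberately included, or the root-pagetable flag should go only to the remote CPUs. The comment's second clause, "an L4 in use by other CPUs was made", also reads as if a word is missing (for example "was modified").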