Xen project Mailing List

Re: [PATCH 1/3] mm: introduce xvmalloc() et al and use for grant table allocations

Date: Thu, 19 Nov 2020 15:40:43 +0100

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 19 Nov 2020 14:40:49 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 19.11.2020 14:19, Julien Grall wrote: > On 19/11/2020 12:33, Jan Beulich wrote: >> It's certainly against the "Xen malloc/free-style interface" comment >> at the top of the header. > > ... if you consider it as a mistaken, then why did you introduce > xvalloc() rather than modifying the implementation of xmalloc()? (a) it didn't occur to me as an option and (b) even if it did, I wouldn't have wanted to go audit all use sites. >> It was my understanding so far that with the removal of the direct- >> map this property would go away anyway. > > Direct-map is going to disappear on x86, but there are no plan for that > on Arm so far. > > I am not saying I don't want to remove it, I just want to point out that > decision should not be made solely based on what x86 is doing (see more > below). I didn't mean to imply anything like this. I was merely tryin to point out that there may be a point in time, not too far in the future, when any such assumption may turn out broken. You said there are a number of such uses; I don't think I'm aware of any. Is what you're aware of all in Arm code? >>>> Where the inefficiencies you mention would imo matter is in >>>> (future) decisions whether to use vmalloc() et al vs xvmalloc() >>>> et al: If the size _may_ be no more than a page, the latter may >>>> want preferring. >>> I am not sure to understand this... why would we want to keep vmalloc() >>> extern when xvalloc() will be calling it for allocation over a PAGE_SIZE? >> >> Why force callers knowing they'll allocate more than a page to go >> through the extra layer? If that was the plan, then we wouldn't >> need a set of new functions, but could instead tweak vmalloc() etc. > > Two reasons: > 1) There are too many ways to allocate memory in Xen. This adds > extra-confusion to use. Maybe; I wouldn't have thought so. > 2) The impact of the extra check is going to be insignificant compare > to the cost of the function. Feel free to prove me otherwise with numbers. My point wasn't primarily (if at all) about performance, but about call layering in general. >>>>>> --- a/xen/common/vmap.c >>>>>> +++ b/xen/common/vmap.c >>>>>> @@ -7,6 +7,7 @@ >>>>>> #include <xen/spinlock.h> >>>>>> #include <xen/types.h> >>>>>> #include <xen/vmap.h> >>>>>> +#include <xen/xvmalloc.h> >>>>>> #include <asm/page.h> >>>>>> >>>>>> static DEFINE_SPINLOCK(vm_lock); >>>>>> @@ -299,11 +300,29 @@ void *vzalloc(size_t size) >>>>>> return p; >>>>>> } >>>>>> >>>>>> -void vfree(void *va) >>>>>> +static void _vfree(const void *va, unsigned int pages, enum vmap_region >>>>>> type) >>>>> >>>>> I don't think "unsigned int" is sufficient to cover big size. AFAICT, >>>>> this is not in a new problem in this code and seems to be a latent issue >>>>> so far. >>>>> >>>>> However, I feel that it is wrong to introduce a new set of allocation >>>>> helpers that contained a flaw fixed in xm*alloc() recently (see commit >>>>> cf38b4926e2b "xmalloc: guard against integer overflow"). >>>> >>>> For _xmalloc() we're talking about bytes (and the guarding you >>>> refer to is actually orthogonal to the limiting done by the >>>> page allocator, as follows from the description of that change). >>>> Here we're talking about pages. I hope it will be decades until we >>>> have to consider allocating 16Tb all in one chunk (and we'd need >>>> to have large enough vmap virtual address space set aside first). >>> >>> I think you misunderstood my point here. I am not suggesting that a >>> normal user would ask to allocate 16TB but that a caller may pass by >>> mistake an unsanitized value to xv*() functions. >>> >>> IIRC, the overflow check in xm*() were added after we discovered that >>> some callers where passing unsanitized values. >>> >>> I would expect xv*() functions to be more used in the future, so I think >>> it would be unwise to not guard against overflow. >>> >>> I would be happy with just checking that nr always fit in a 32-bit value. >> >> The two callers of the function obtain the value from vm_size(), >> which returns unsigned int. > > I can't see a use of vm_size() in vmalloc_type(). I can only see a > implicit downcast. My "the function" was still referring to your initial comment, which was about _vfree()'s parameter type. >>>> Also note that >>>> - the entire vmap.c right now uses unsigned int for page counts, >>>> so it would be outright inconsistent to use unsigned long here, >>> >>> I didn't suggest this would be the only place (note that "new problem"). >>> This was the best place I could find to mention an existing problem that >>> is widened with the introduction of xv*() helpers. >> >> Oh, so you're talking of a separate and entirely unrelated patch >> making sure the existing vmalloc() won't suffer such a problem. >> Yes, vmalloc_type() could be fixed to this effect. But do you >> realize we'd have a security issue much earlier if any guest >> action could lead to such a gigantic vmalloc(), as the time to >> both allocate and then map 4 billion pages is going to be way >> longer than what we may tolerate without preempting? > > Yes I missed that point. But I am not sure where you are trying to infer... > > If it wasn't clear enough, I didn't suggest to fix in this patch. Okay, this hadn't become clear to me at all. It was my understanding that you're requesting changes to be made in this patch. > I am > only pointed out that we hardened _xmalloc() and this looks like going > backwards. I'm not seeing any step backwards. If there's an issue with vmalloc() that we think needs addressing, let's address it. The patch here only layers around existing xmalloc() / vmalloc(); I haven't managed to spot any overflow or truncation issue in it, and I don't think I've seen you point out any. Quite the contrary, I think I could relax the checking in _xv{m,z}alloc_array() (but I guess I won't for now). >> And no, there's no overflowing calculation anywhere afaics which >> would resemble the ones in xmalloc() you refer to. > > "overflow" was probably the wrong word. It would be more a downcast when > computing the number of pages. > > __vmap() is taking an "unsigned int", yet the number of pages is > computed using size_t. Yes, that's what I assume you referred to further up as implicit downcast. And that's also the one place I spotted when trying to understand your earlier comments. >>> But, I am really surprised this is a concern to you when all the >>> functions in this code will modify the pages tables. You dismissed this >>> overhead in the same e-mail... >> >> Entirely different considerations: The goal of limiting variable >> (and parameter) types to 32 bits where possible is a generic one. > > At the cost of introducing multiple implicit downcast that one day or > another is going to bite us. > >> Which is, if for nothing else, to avoid introducing bad precedent. > > I am ok with 32-bit internal value, but please at least check the > downcasting is going to be harmless. So here things get confusing again: Further up you've just said "I didn't suggest to fix in this patch". Here it sounds again as if you were expecting this to be fixed here and now. So I guess you may have meant to ask that I add a prereq patch addressing this? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.