[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remaining MSR wrinkles

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Thu, 11 Mar 2021 17:54:13 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AjGpfmg6FSHoZxKGbxFAs+ITC+qglhp0If7gHSlolr0=; b=iBoXDRnhUnBqlYEZHspynKhYphfiKP51dvcMZ0qHz81pI9MrpjXm1Uyf0j3UxppFgHkOlrfhK5oj2muqiJM4AmmWYNK6VlAfI2zJ3N1ePYve2WwLTdnSiHxH3E/evAuRspNYvZ3ZqHMXmxPrd0+GGT50IgWjAheIFIje7YzXN+I/FdysE3cUws6IBshuVpSGvg+miO7RgEssQIySpvJnzlxjfB+/lIR+pVU9YQxnlH6WlhSWmAQARoC2oWxal0Ih632jaOxm/lcFcTg3NbyC4LeH3PkmysJsLgWAaVQdNvZdt/0HOnpVbcfPjhBz31rDCmO899aC6wJh9/7L0G06ZQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dhz5sXeCQgbGDYUdwKPCtciMmoy1Fimjc2BFgVM4hwL/+Q99hX3IzyYlNacR7OMZP2i7YsWHCJdeCvFOMws8RIvLaZCXp2CEgU/gw9ZRBR02e9ogXTjCgH4A+E1tuKXmlyiQ4wluSCB2fTVYPR0OVLA2GlFq81g0Xiouwcfo2rMarmFfLJKGvHlCB73cNeImewHjKxFSlb9L5vMO1/gdlrYYnXzm1rYbchSeKOtfRClHjtEJf6I5n12TPWbEARQaPiViB7aSqS9Yug839bdWmozFr7rDoJIDr+p5NfmqHnyt25gTdU0eWJUAqqUDSRjOLo9cqvFCSaFWCIIR7k2yCA==
  • Authentication-results: esa6.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Ian Jackson <iwj@xxxxxxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, <committers@xxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 11 Mar 2021 16:55:05 +0000
  • Ironport-hdrordr: A9a23:Hn15Ual2+MMFtnOQPLubArK696/pDfNOimdD5ilNYBxZY6Wkvu qpm+kW0gKxtS0YX2sulcvFFK6LR37d8pAd2+ksFJ2lWxTrv3btEZF64eLZsl7dMgD36+I178 hdWodkDtmYNzRHpOLbxCX9LNo62tmA98mT9IPj5lNgVxtjZa0lzyoRMGemO3Z7TgVHGpY1fa D0jaB6jgCtfnkada2Aa0UtYu6rnbP2vaOjSQIKBwMGxWC15Q+A2frQCBiX3wobWzNLhYo4+W LGnxeR3NTYj9iLjjXy12rP448Tvd3m07J4dbexo/lQBzX3gAOhZIBsVtS5zUgIidDqzHYPvO TWqx0jVv4DjU/5TyWQmz/k2wyl6S0v7WTj1E/wuwqHneXJABYzC89MnutiA3zkwntlhcp91r lKwnLxjes0MTrw2Bnby/flSBluikKorXdKq59rs0Bi
  • Ironport-sdr: uMmMyZKnjSFEwDHlDdlcoMQyyOuufpKkK9FfHZQ0VTV9gtMSwmbLrIT9Ut6kZ5otgzoJRSmAwF EvTlXYV68QEy6d+aoCbUDJ8gEyjxQTJUyP9n6Dy8e4x2VF4U5orO8uiIfWuQdkVbn30gSbZvvE ivcijMdnDn2w/Wl6aDFjoeV6n+BW0twFza+ETWJZavTrl3Zb0THR7jTbU+eSQXXN0sqaW8JQS/ dow+KC1cLmxBRycVzEn9K5dyv0t2+jUdF25CuFWBRK0aWdSI9Zn6WkKK0+PzOka87oKers1t0s xBQ=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Mar 11, 2021 at 08:55:29AM +0100, Jan Beulich wrote:
> On 10.03.2021 20:09, Ian Jackson wrote:
> > (I bounced Roger's original mail to xen-devel.  I hope it made it...)
> > 
> > Roger Pau Monné writes ("Remaining MSR wrinkles"):
> >> 1. MSR behavior for PV guests without a #GP handler set: PV Linux versions 
> >> <
> >>    4.14 will use rdmsr_safe (and likely wrmsr_safe?) without having a #GP
> >>    handler setup, which results in a crash. This bug was hidden in previous
> >>    Xen releases by allowing unlimited read access to the MSR space.
> 
> I've not observed problematic wrmsr_safe() so far.
> 
> >>    Jan has posted several proposals to address this:
> >>
> >>    
> >> https://lore.kernel.org/xen-devel/7e69db81-cee7-3c7b-be64-4f5ff50fbe9c@xxxxxxxx/
> >>    
> >> https://lore.kernel.org/xen-devel/d794bbee-a5e5-6632-3d1f-acd8164b7171@xxxxxxxx/
> >>
> >>    Which all rely on the fact that for PV guests Xen knows whether there's 
> >> a
> >>    #GP handler setup and can hence prevent injection of a #GP fault if no
> >>    handler is present.
> >>
> >>    Andrew opinion is that we should instead try to figure out which MSRs 
> >> the
> >>    buggy Linux versions try to access and special case them. Andrew also 
> >> raised
> >>    the point that continue running with a 'fake' (ie: 0) MSR value might be
> >>    worse than crashing.
> >>
> >>    Part of the discussion has also happened here:
> >>
> >>    
> >> https://lore.kernel.org/xen-devel/4da62f0b-8a08-dd84-2040-fd55d74fd85a@xxxxxxxxxx/
> >>
> >>    Look for the last quote.
> >>
> >>    Another option is to document that PV Linux < 4.14 will require 
> >> msr_relaxed=1
> >>    in order to run. That as Jan pointed out will also imply PV Linux to 
> >> run with
> >>    a faked (0) MSR value instead of crashing.
> > 
> >> For 1. I do agree with Jan than this workaround is likely the best option 
> >> we
> >> have, sort of resorting to request enabling msr_relaxed for all Linux PV 
> >> guests
> >> < 4.14. Whether we want to limit this workaround to the read side only I'm 
> >> not
> >> fully convinced. There's something nice about having symmetry in the read 
> >> and
> >> write paths, but if all the calls we have identified are rdmsr only I 
> >> prefer to
> >> leave the write path unaltered and request users to use msr_relaxed if 
> >> write
> >> issues are found later.
> 
> Especially if Andrew's ambiguous objection was against the write side
> only, I think I'd prefer to go with this latter variant. Considering
> that dealing with the read side alone is sufficient to address the
> observed issue, I'm even inclined to prefer this irrespective of that
> constraint.
> 
> > Thanks.  I find your explanation and arguments convincing.  I have
> > read what Andy says in that link and I find that less convincing.  In
> > particular "I don't think we should legitimise buggy PV behaviour" is
> > not entirely consistent with our previous approach to
> > bug-compatibility and support for old guests.
> > 
> > Accordingly, (with committer tie-breaker hat on) I would prefer to
> > apply the patches from Jan.  I don't have an opinion about the read vs
> > write question, and will probably be happy with whatever you and Jan
> > can agree on.
> > 
> > I don't think I Release-Acked those patches yet so, for those two,
> > 
> > Release-Acked-by: Ian Jackson <iwj@xxxxxxxxxxxxxx>
> 
> You didn't, indeed, but "those two" is slightly confusing, the two
> links Roger did provide are just different versions of the same
> patch. Hence I'd like to double check that it is exactly this one
> patch of mine (of which I need to send another version, at least
> to include Roger's requested documentation of the behavior, and
> possibly also the write side equivalent - still waiting for Andrew
> to come back and clarify the scope of his objection).

I would leave the write side out. Now we have the fallback msr_relaxed
option which should be enough to cover for any write side issue that
might arise later. Also you have not identified any problematic
wrmsr_safe so far.

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.