Semantics of XEN_DOMCTL_SHADOW_OP_SET_ALLOCATION


  • To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 27 Sep 2021 22:01:10 +0100
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
  • Delivery-date: Mon, 27 Sep 2021 21:01:53 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hello,

A recent ABI change in Xen caused a total breakage under the Xapi
toolstack, and the investigation had led to this.

First of all, the memory pool really needs renaming, because (not naming
names) multiple developers were fooled into thinking that the bug was
caused by a VM being unexpectedly in shadow mode.

Second, any MB value >= 0x1000000 will truncate to 0 between
{hap,shadow}_domctl() and {hap,shadow}_set_allocation().


But for the main issue, passing 0 in at the hypercall level is broken.

hap_enable() forces a minimum of 256 pages.  A subsequent hypercall
trying to set 0 frees {tot 245, free 244, p2m 11} all the way down to
{tot 1, free 0, p2m 11} before failing with -ENOMEM because there are no
more free pages to free.  Getting -ENOMEM from this kind of operation
isn't really correct.


Passing 0 cannot possibly function.  There are non-zero p2m frames by
the time createdomain completes, as we allocate the top of the p2m, and
they cannot be freed without the teardown logic which releases memory in
the correct order.

In fact, passing anything lower than the current free size is guaranteed
to fail.  Continuations also mean that you can't pick a value which is
guaranteed not to fail, because even a well (poorly?) placed foreign map
in dom0 could change the properties of the pool.


The shadow side rejects hypercall attempts using 0 (but can be bypassed
with the above truncation bug), and will try to drop shadows to get down
to the limit.  This represents a difference vs HAP, and in practice 1M
granularity is probably enough to ensure that you can't fail to set the
shadow allocation that low.  There is also a reachable BUG() somewhere
in this path as reported several times on xen-devel, but I still haven't
figured out how to tickle it.


There is no code or working usecase for reducing the size of the shadow
pool, except on domain destruction.  I think we should prohibit the
ability to shrink the shadow pool, and defer most of this mess to anyone
who turns up with a plausible usecase.

~Andrew
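
The MB-to-pages truncation described in the message, next to a widened range check, as an added C example that is not part of the original message or of Xen's source. It assumes 4 KiB pages and a 32-bit page count, which is consistent with the 0x1000000 threshold; `check_set_allocation()`, its no-shrink rule and its error codes are hypothetical.

```c
/* Added illustration, not Xen code. Assumption: 4 KiB pages and a
 * 32-bit page count, so MB -> pages is a left shift by 8. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT        12                 /* assumed page size: 4 KiB */
#define MB_TO_PAGES_SHIFT (20 - PAGE_SHIFT)  /* 1 MB == 256 pages */

/* Lossy conversion: the shift is done in 32 bits, so bits above
 * bit 31 are silently dropped. */
static uint32_t mb_to_pages_truncating(uint32_t mb)
{
    return mb << MB_TO_PAGES_SHIFT;
}

/* Hypothetical hardened check: widen before shifting, reject results
 * that do not fit, reject 0, and refuse to shrink below cur_pages. */
static int check_set_allocation(uint32_t mb, uint32_t cur_pages,
                                uint32_t *new_pages)
{
    uint64_t pages = (uint64_t)mb << MB_TO_PAGES_SHIFT;

    if (pages > UINT32_MAX)
        return -EOVERFLOW;   /* would have wrapped in 32 bits */
    if (pages == 0)
        return -EINVAL;      /* 0 can never be satisfied */
    if (pages < cur_pages)
        return -EINVAL;      /* shrinking is not permitted */

    *new_pages = (uint32_t)pages;
    return 0;
}

int main(void)
{
    uint32_t out = 0;

    /* Constructed inputs: the boundary value from the message and a
     * small valid request against a 256-page pool. */
    printf("truncating(0x1000000) = %u pages\n",
           mb_to_pages_truncating(0x1000000u));
    printf("checked(0x1000000)    = %d\n",
           check_set_allocation(0x1000000u, 256, &out));
    printf("checked(2)            = %d, pages = %u\n",
           check_set_allocation(2, 256, &out), out);
    return 0;
}
```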




 

