[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.16 v4] gnttab: allow setting max version per-domain

  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 2 Nov 2021 14:34:03 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UaIzeyu+kLBhuCcTqcHDkZrfoofYpBkvSxGOooWlK/Q=; b=FwEiDOcULQWSSeuDSRRr4Of+72DPeVnSaqCuB4bqgv5Fg19YqsaCugMmBaWn3FLNlx6LgLKOraTd2PzYdCnrd/kDV8RfmZONmUSTHgEDt/Rbmxoqkb7kNyH2Im0AxTNbFiyYcXWaZhiJ2tMp5VkGFlaHMpBQ6rmdOvCoF8VtG0XOWr7x5dG1EZ3XpZy0A1xAF7/7USmxgwrtI4zncECiigLUwJtYAfYQODVd117vSSVSQpexpCMhwMVN/fMa6ri5UeGUK/k1/mz3piXjJA2ZV9H/QAoovb2IiLowAEN6eRgLFbgJ2PaaJmz1Znq0nmZBqU8EpqzVvF+V6e7hG27W9w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nwyQqLcQAud0M31EwGrVJP1g0yhFEaNBNcFNEiLLf756f549aShu5f7nF2+upkxm4imn8FScQpBxSpzMYVh6s7k8wxS+3DTL5dE1ATgPyrt1nu5S5fmGE5mFwsMNQFV7pWC8bkHDkvoqcK8sa2sgA4FoqNDph47qujo0Il6zRIbspu6DiVwCnfHoYC2pFTpGMeIXPB3FQ1Xj+75iP+yVdSePyw/QPUBmRlcZeBdzJqU1ftC31iwtgO4lvKa4eksq94nEehjbgD+hOwJJS96MOwSb58HsWNbZUxj8xxwyXVJlbZm1iUzI51aI2H2VnhrLZXY1Ij9Do3bmUf6k+pTCpg==
  • Authentication-results: esa6.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, "Christian Lindig" <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>
  • Delivery-date: Tue, 02 Nov 2021 14:34:30 +0000
  • Ironport-data: A9a23:EuVWEaIj6Wj3ofdJFE+RjZMlxSXFcZb7ZxGr2PjKsXjdYENSg2FUm GAaWTuHbKrZamL9KY1+O4u3oE1VsJbSzt5mQARlqX01Q3x08seUXt7xwmUcns+xwm8vaGo9s q3yv/GZdJhcokcxIn5BC5C5xZVG/fjgqoHUVaiUZUideSc+EH140Es7wbZj6mJVqYPR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyB94KYkDbOwNxPFrrx8RYZWc QphIIaRpQs19z91Yj+sfy2SnkciGtY+NiDW4pZatjTLbrGvaUXe345iXMfwZ3u7hB2ltd1z9 NtcuqWRWEQJIurOpeYZSwJHRnQW0a1uoNcrIFC6uM2XiUbHb2Ht07NlC0Re0Y8wo7gtRzsUr LpBdW5LPkvra+GemdpXTsFFgMg5IdatF4QYonx6lhnSDOo8QICFSKLPjTNd9Gpu1p4UTKaCD yYfQRNuUjTPRUBNBk9US5kXlru0mV7eVzIN/Tp5ooJoujOOnWSdyoPFMtDYZ9iLTsV9hVuDq yTN+GGRKhMHMN2SzxKV/3TqgfXA9QvrVYRXGLCm+/pChFyI2ndVGBAQTUG8o/Sylgi5Qd03A 1MQ0jojq+417kPDZsLmQxSyrXqAvxgdc9ldCes37EeK0KW8yzieAm8IXztQcusMvcU9RSEp/ lKRltavDjtq2JWUVnC15rqStSm1OyUeMSkFfyBsZQkK+d74u6kokwnCCN1kFcadgtTrFBnqz juNrSx4gK8c5fPnzI3iowqB2Wj14MGUEEhlvW07Q15J8CtVToOnW4K55mH6/LVgMMGbc1uFp GMbzp32AP81MbmBkymEQeMoFb6v5uqYPDC0vWODD6XN5Bz2pSf9INk4DCVWYR4wb51aIWOBj Fr74FsJvPdu0G2Wgbibim5bI+Aj1uDeGNvsTZg4hfIeM8EqJGdrEMyDDHN8PlwBcmBwwcnT2 r/BKK5A6Er274w9lVJaoM9GidcWKtgWnz+7eHwC503PPUCiTHCUU6wZF1CFc/o06qiJyC2Mr Y0CaJrQk0oFCrSiCsUyzWL1BQpTRZTcLcuuw/G7i8bZelY2cI3fI6aJqV/eR2CVt/sMzbqZl p1MckRZ1ED+lRX6xfaiMRhehEfUdc8n9xoTZHV0VX7xgiRLSdv/vc83KspsFZF6pbML8BKBZ 6RcEyl2Kq8UEWqvFvV0RcSVkbGOgzzy3l/TZHX5OGBXklwJb1Whx+IItzDHrUEmJiG2qdE/s /un0AbaSoAEXANsEIDdb/fH8r97lSF1dDtaUxSaL99NVl/r9YQ2eSX9guVue5MHKAnZxyvc3 AGTWE9Kqe7Iqo4z0d/ImaHb8Nv5T7ogRhJXTzvB8LK7FSjG5W7/k4VOZ/mFIGLGX2Tu9aT8O egMl6PgMOcKlUphupZnF+o51ro34tbi/ucIzgltEHjRQU6sD7dsfiuP0cVV7/Ufzb5FowqmH EmI/4ACa7mOPcrkFn8XJRYkMbvfha1FxGGK4K1sckvg5SJx8L6WamloPkGB2H5HMb94EII52 uN96sQY3BOy10gxOdGcgyEKq2nVdi4cU78qv40xCZPwjlZ50UlLZJHRB3Ok4JyLbNkQYEAmL iXN2fjHjrVYgEHDb2AyBT7G2u8E3cYCvxVDzVkjIVWVm4Wa2q9rjUMJqTlnHB5Iyhhn0v5oP jk5PkJ4EqyC4jN0iZURRGurAQxAWEWU90GZJ4HlT4EFo51EjlDwEVA=
  • Ironport-hdrordr: A9a23:44jaNqm6M6zPTGbDCrH0kEIurmrpDfO+imdD5ihNYBxZY6Wkfp +V8sjzhCWatN9OYh0dcLC7WJVpQRvnhPpICPoqTMmftW7dyRSVxeBZnPffKljbehEWmdQtrp uIH5IObuEYSGIK8PoSgzPIYOrIouP3iJxA7N22pxwGIHAIGsMQnTuRSDzrdXGeLDM2dabRf6 Dsn/avyQDQHEj/Iv7LfEXsCIP41qz2fd/dEFI7Li9izDPLoSKj6bb8HRTd9hACUwlXybNn1W TeiQT26oiqrvn+k3bnpiHuxqUTvOGk5spIBcSKhMRQAjLwijywbIAkf7GZpjg6rMym9V5vut jRpBULOdh19hrqDy6IiCqo/zOl/Ccl6nfkx1PdqXz/ofbhTDZ/MMZFjZIxSGqT12MQ+PVHlI 5b1WOQsJRaSTnamj7m2tTOXxZ20mKpvHsLi4co/j9ieLpbTIUUgZ0U/UtTHptFNjn98pobHO 5nC9yZzOpKcGmdc2vSsgBUsZyRt0wIb1K7q3U5y4ioO2A8pgE/86JY/r1fop44zuN+d3EejN 60dJiBl9l1P4crhOxGdb48qPCMexjwqCT3QSuvyGTcZdQ60k322unKCZUOlauXkc8zvdYPcK qoaiIviYd1QTO3NfGz
  • Ironport-sdr: pdSWqZbmATiU1DTXYQ6r0DnkSl+j9duvBdLKBC2ImZ2DE46vaehsWVfKardIeXxwrWJBZ8dCVX 6vYmBjiDNVvoQqRFUw+4GzRYNM/nEvQJ97ZXkG/7MBq0K+bLZYnYoxfqSH7B57HVfEDEGd8FwO O4zKTnIsjGijn1xBTKG3ABlduf0Ie8kvHfoFq2N4SDdvFWAhGFiUkilpeIBminVV2NHV6h7Yx6 K1SwnS/uzcPW4ZaLvQMHhIW54mnUYuPLc467m92ysXASFdVkzG9PkRTrxwiDNC5GuO80rcXbx9 3c6xGOoJv15D8WbHysohNLXc
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 30/10/2021 08:53, Roger Pau Monné wrote:
> On Fri, Oct 29, 2021 at 05:39:52PM +0100, Andrew Cooper wrote:
>> On 29/10/2021 08:59, Roger Pau Monne wrote:
>>> diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
>>> index e510395d08..f94f0f272c 100644
>>> --- a/xen/common/grant_table.c
>>> +++ b/xen/common/grant_table.c
>>> @@ -1917,11 +1918,33 @@ active_alloc_failed:
>>>  }
>>>  
>>>  int grant_table_init(struct domain *d, int max_grant_frames,
>>> -                     int max_maptrack_frames)
>>> +                     int max_maptrack_frames, unsigned int options)
>>>  {
>>>      struct grant_table *gt;
>>> +    unsigned int max_grant_version = options & 
>>> XEN_DOMCTL_GRANT_version_mask;
>>>      int ret = -ENOMEM;
>>>  
>>> +    if ( max_grant_version == XEN_DOMCTL_GRANT_version_default )
>>> +        max_grant_version = opt_gnttab_max_version;
>>> +    if ( !max_grant_version )
>>> +    {
>>> +        dprintk(XENLOG_INFO, "%pd: invalid grant table version 0 
>>> requested\n",
>>> +                d);
>>> +        return -EINVAL;
>>> +    }
>>> +    if ( max_grant_version > opt_gnttab_max_version )
>>> +    {
>>> +        dprintk(XENLOG_INFO,
>>> +                "%pd: requested grant version (%u) greater than supported 
>>> (%u)\n",
>>> +                d, max_grant_version, opt_gnttab_max_version);
>>> +        return -EINVAL;
>>> +    }
>> I think this wants to live in sanitise_domain_config() along with all
>> the other auditing of flags and settings.
> The reason to place those there is that the sanity checks for the
> other grant table related parameters (max_grant_frames and
> max_maptrack_frames) are performed in this function also. I think it's
> better to keep the checks together.
>
> We should consider exporting the relevant values from grant table
> code and then moving all the checks to sanitise_domain_config, but
> likely a follow up work given the current point in the release.
>
>> Also, it can be simplified:
>>
>> if ( max_grant_version < 1 ||
>>     max_grant_version > opt_gnttab_max_version )
>> {
>>     dprintk(XENLOG_INFO, "Requested gnttab max version %u outside of
>> supported range [%u, %u]\n", ...);
>> }
> It was originally done this way so that the first check
> (!max_grant_version) could be adjusted when support for
> max_grant_version == 0 was introduced [0] in order to signal the
> disabling of grant tables altogether.
>
>>
>>> +    if ( unlikely(max_page >= PFN_DOWN(TB(16))) && is_pv_domain(d) &&
>>> +         max_grant_version < 2 )
>>> +        dprintk(XENLOG_INFO,
>>> +                "%pd: host memory above 16Tb and grant table v2 
>>> disabled\n",
>>> +                d);
>> This is rather more complicated.
>>
>> For PV, this going wrong in the first place is conditional on CONFIG_BIGMEM.
>> For HVM, it the guest address size, not the host.
>> For ARM, I don't even know, because I've lost track of which bits of the
>> ABI are directmap in an otherwise translated domain.
> This was only aiming to cover the PV case, which I think it's the more
> likely one. It's possible there's people attempting to create PV
> guests on a 16TB machine, but I think it's more unlikely that the
> guest itself will have 16TB of RAM.
>
>> I think it is probably useful to do something about it, but probably not
>> in this patch.
> I'm fine with this, we had no warning at all before, so I don't think
> it should be a hard requirement to add one now. It would be nice if
> there's consensus, but otherwise let's just skip it.
>
>> Perhaps modify domain_set_alloc_bitsize() to impose an upper limit for
>> the "host memory size matters" cases?
>>
>> For the guest address size cases, this possibly wants to feed in to the
>> max policy calculations in the same way that shadow kinda does.
> So grant table version will basically clamp the amount of memory a
> guest can use?
>
> What about guests that doesn't use grant tables at all, do we expect
> those to set the future max_grant_version to 0 in order to avoid the
> clamping without having to expose grant v2?
>
>>> diff --git a/xen/include/public/domctl.h b/xen/include/public/domctl.h
>>> index 51017b47bc..0ec57614bd 100644
>>> --- a/xen/include/public/domctl.h
>>> +++ b/xen/include/public/domctl.h
>>> @@ -89,14 +89,20 @@ struct xen_domctl_createdomain {
>>>      /*
>>>       * Various domain limits, which impact the quantity of resources
>>>       * (global mapping space, xenheap, etc) a guest may consume.  For
>>> -     * max_grant_frames and max_maptrack_frames, < 0 means "use the
>>> -     * default maximum value in the hypervisor".
>>> +     * max_grant_frames, max_maptrack_frames and max_gnttab_version < 0
>>> +     * means "use the default maximum value in the hypervisor".
>>>       */
>>>      uint32_t max_vcpus;
>>>      uint32_t max_evtchn_port;
>>>      int32_t max_grant_frames;
>>>      int32_t max_maptrack_frames;
>>>  
>>> +/* Grant version, use low 4 bits. */
>>> +#define XEN_DOMCTL_GRANT_version_mask    0xf
>>> +#define XEN_DOMCTL_GRANT_version_default 0xf
>> This needs to be a toolstack decision, not something in Xen.  This
>> doesn't fix the case where VMs can't cope with change underfoot.
>>
>> It is fine for the user say "use the default", but this must be turned
>> into an explicit 1 or 2 by the toolstack, so that the version(s) visible
>> to the guest remains invariant while it is booted.
> Please bear with me, as I'm afraid I don't understand why this is
> relevant. Allowed max grant version can only change as a result of a
> migration

No.  Allowed max grant version is (well - needs to be) a fixed property
of the VM, even across migration.

It was a fundamentally mistake to ever have gnttab v2 active by default,
without an enumeration, and with no way of turning it off.  Same too for
evtchn, but we've already taken a patch to knobble fifo support.


The toolstack needs to explicitly select v1 or v2.  It's fine to pick a
default on behalf a user which doesn't care, but what moves in the
migrate stream must an explicit, unambiguous value, so the destination
Xen and toolstack can reconstruct the VM exactly.

"default" is ambiguous, and cannot be recovered after the fact.  In
particular, a vm with no explicit configuration, when booted on a Xen
with gnttab limited to v1 on the command line, should not have v2 become
accessible by migrating to a second Xen with no command line limit.  It
is fine, if that VM subsequently reboots, to find that v2 is now available.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.