[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/include/public: add macro for invalid grant reference

  • To: Juergen Gross <jgross@xxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 21 Feb 2022 16:31:41 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=pRZEcBrAC7IGwEmJrmesAv8oAgOCtQTmkNdtX94df0A=; b=QAsET4po73mtZcHX0xJFhuCFSdZKrxxsW5nsn9/6GyJKzMJeRia65g1TCkljDiW6O14nKdrJD4vcNAJqeI8EagiDvRpy5aHxf2dPWX30FfnixK5AVcwm+mrSxYvjZ+oX2DZ4wLDPceuBHNI9UjP1HDRn2mHzijrgCc4JU5D1t9XKlxYCUZlvJCFmP7m+EU/3pKy6O6gC7U+tMRva/gHreMFe8ONUPQLBMX1Uo20kpH4Q8pxJkd94NjBjZ8m5R33+SUR/k7Jd0WF1q09Jv9WjwdNGoda4bVt2RVIdkr2cnBcbYZn1CakqdBZHmYcgN4WfBi0/pKWL41n8pBlinzHmew==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U/BtWwfJmmktCCI8Z25RalB3Tt8Z6mUlhYzLu1dJl7ILcGLwBJ1N6r8JHixuGrrK01nJDS4ilXDBcmc7CR5avSvuTM6LMn++0cw7jo2A3V1rpxa+r/he7bMMLEPlRIY+yW4Jt7JfwAt9fJxHm9qgVpWwrtAtvla2XWwRrOsQeAoI2K/gzBUghincLQL3EASwZTeQhG6fm5S3pGiu+SdJDgsejvxHg4lmD+0Er8hoO8/7fRm9C2VTlvnIq+ALdpRoW4OE3WfI0At/2rAxPOD0OSOtrko/3RFp23i8LjpKlh3LKX8ks+cTEWihCnxF99WqvJP+xJu66JTtpVlBjNRAvA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 21 Feb 2022 15:32:04 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 21.02.2022 16:05, Juergen Gross wrote:
> On 21.02.22 15:31, Jan Beulich wrote:
>> On 21.02.2022 15:27, Juergen Gross wrote:
>>> On 21.02.22 15:18, Jan Beulich wrote:
>>>> On 21.02.2022 13:42, Juergen Gross wrote:
>>>>> Providing a macro for an invalid grant reference would be beneficial
>>>>> for users, especially as some are using the wrong value "0" for that
>>>>> purpose.
>>>>>
>>>>> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
>>>>
>>>> Over the years I've been considering to add such to the public
>>>> interface, perhaps even more than once. But I'm afraid it's not that
>>>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
>>>
>>> I can change that to use 0xffffffff explicitly.
>>>
>>>> be a valid ref. It is really internal agreement by users of the
>>>> interface to set for themselves that they're not ever going to make
>>>> a valid grant behind that reference.
>>>
>>> As the grant reference is an index into the grant table this would
>>> limit the size of the grant table to "only" UINT_MAX - 1. I don't
>>> think this will be ever a concern (other than an academical one).
>>
>> That wasn't my point. Limiting the table to one less entry is not a
>> big deal indeed. But we have no reason to mandate which gref(s) to
>> consider invalid. A guest could consider gref 0 the invalid one.
> 
> With the gref being an index starting with 0 (gref 0 is valid, as it is
> used for the console ring page), the natural choice for an invalid
> value is the highest one being representable. A gref is of type uint32_t
> resulting in this value being 0xffffffff.
> 
> While in theory a grant table could be that large, in practice this
> will never happen.
> 
>> The hypervisor doesn't care. Imo this simply is an aspect which is
> 
> This isn't true. The hypervisor needs to allocate resources for being
> able to handle the highest possible gref value for a guest. For a v1
> grant table this would mean 32GB of grant table size. Are you really
> concerned we will ever hit this limit? This isn't at the guest's
> choice, after all, as the max grant table size is limited by Xen.

If we're not going to hit that limit, what's wrong with declaring the
entire upper half of uint32_t space "invalid" for use a gref? If we
won't ever go up to 32Gb, we quite certainly also won't ever reach
16Gb. Yes, you probably already guessed it, we can then repeat this
process iteratively until we reach 4kb.

>> not in need of pinning down in the ABI. Yet if it was pinned down
>> like you do, then the hypervisor would need to make sure it refuses
>> to act on this mandated invalid gref.
> 
> This is an easy one. We could just refuse to have a grant table of
> that size. I can add this to the patch if you really think it is
> necessary.

Since grant table size is measured in pages, you'd then have to
refuse use of more than just that single gref. This would still not
be an immediate problem, but demonstrates again that it's unclear
where to draw such a boundary, if one is to be artificially drawn.

> TBH, I think such completely theoretical concerns should not stand
> in the way of additions to the ABI making life easier for consumers.

In case it wasn't clear - my concern isn't that sacrificing this one
entry may cause a problem, or that we'd ever see grant tables grow
this big (albeit for the latter: you never really know). Instead my
concern is that it is conceptually wrong for us to (now) introduce
such a value.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.