Xen project Mailing List

[PATCH v3 2/2] x86/ept: limit calls to memory_type_changed()

From: Roger Pau Monne <roger.pau@xxxxxxxxxx>

Date: Wed, 28 Sep 2022 16:11:17 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Rrg6TmkiWke+u14j4kPKExk7sncmIIb6n+HAE1tRCec=; b=URXKDG46zgef/aipTzYUvYzy/ZkI28GN0es8qfjUrOt8rrMf4Bpqhv/0L545Su0Gy4ruBMglI/gU7KlNllH/yBhlCVpivGhGgTrCvOKuR8EQaimq+z3nHspky+WDWQMoUTx8xlzcAOhycY5GSypb5FjhQCSziZrBlHQbrXd/EWQ26K7vrb20PtYMYx3w+I8D1X8ad87NNNafzx7dKU94YaSBdWssXNMQUJ3x1Wzj0CJh9CB5I31LcrqL4yhIx3coXqyBdLEVpfwErhI8OqgxjDa8LAD3GKEXOoHwcjSvR3wdrfoJAxYhwz3KJ66EQo84lTUCnEqHXefNtIXsVa6IJQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=S7AzwnHxpmN/KV8N9yvgj9FUdiQ68WAOAvVjMcQrG3XUs6PFtCsOUmQMsxtIMYZi+YIPrXUGgwv/zK+u6Mz66b/Ms7MAkCgNl9pxPuXGZWBMeYVp02pdQwNQ3Jm23pODIPl1RgQAl7Cq/G4RDXASnY7OJ4Xttt9w8SgVAVikuC/dVnutctL8/MGCym6s94HgARCikUF/WRacx/25Y7mGnMhYgFQyYOV2w2pvd5e6TM9ENY2pRo5HJjsCHYuXxuKMc2bh5Hue0s1MVO6ZLWU80hp2XQsJM0ZROhtcm6Hjzrk3ILLolmEZs+1siZ1CB26b9BEzDTSu/nEjQkBFKHbHig==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>

Delivery-date: Wed, 28 Sep 2022 14:11:46 +0000

Ironport-data: A9a23:I90kCarI8QxXXUwAdC0TTIyHKXdeBmLpZBIvgKrLsJaIsI4StFCzt garIBmGM6mPZGXzc4sgaY2+8UpX75CEzIdkQAo5qi02RSNGpJuZCYyVIHmrMnLJJKUvbq7FA +Y2MYCccZ9uHhcwgj/3b9ANeFEljfngqoLUUbKCYGYpLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMSaM1K+s9JOGjt8B5mr9VU+55wehBtC5gZkPaER7AeE/5UoJMl3yZ+ZfiOQrrZ8RoZWd 86bpJml82XQ+QsaC9/Nut4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5iXBYoUm9Fii3hojxE4 I4lWapc6+seFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5mx Po1ci00NRy4t+vn8u2lSsJLl+pgI5y+VG8fkikIITDxK98DGMqGb4CUoNhS0XE3m9xEGuvYa 4wBcz1zYR/cYhpJfFAKFJY5m+TujX76G9FagAvN+exrvC6OnUoojumF3Nn9I7RmQe1PmUmVv CTe9nnRCRAGLt2PjzGC9xpAg8efxHKlANxNRdVU8NZopEyomEURFiQ0XGOGjdughkXiR95mf hl8Fi0G6PJaGFaQZsnwWVi0rWCJujYYWsFMCKsq5QeV0K3W7g2FQG8eQVZpatYrqcs3TjwCz UKSkpXiAjkHmKKRYWKQ8PGTtzzaESoIKW4PYwcUQA1D5MPsyKkolQ7GRNtnFK+zj/X2FCv2z jTMqzIx750RkMhN0ay49FLGhjuEp57VQwpz7QLSNkqm4x14Ysi5ZoWuwVnd8ftEao2eSzG8U GMsnsGf6KUCCM+LnSnUGuEVRuj3trCCLSHWhkNpE9857TOx9nW/fIdWpjZjOENuNcVCcjjsC KPOhT5sCFZoFCPCRcdKj0iZUKzGEYCI+QzZa83p

Ironport-hdrordr: A9a23:T1HthaDd5+H+XKTlHeg+sceALOsnbusQ8zAXPh9KJCC9I/bzqy nxpp8mPH/P5wr5lktQ++xoX5PwO080lKQFmrX5WI3PYOCIghrNEGgP1+vfKnjbalTDH41mpN hdmtZFebrN5DFB5K6VgTVQUexQuOVvmJrY+ds2pE0dKD2CBZsQjDuQXW2gYzBLrUR9dNME/N 323Ls1mxOQPVAsKuirDHgMWObO4/XNiZLdeBYDQzoq8hOHgz+E4KPzV0Hw5GZUbxp/hZMZtU TVmQ3w4auu99m91x/nzmfWq7BbgsHoxNdvDNGFzuIVNjLvoAC1Y5kJYczLgBkF5MWUrHo6mt jFpBkte+x19nPqZ2mw5SDg3gHxuQxen0PK+Bu9uz/OsMb5TDU1B45qnoRCaCbU7EImoZVVzL 9L93jxjesZMTrw2ADGo/TYXRBjkUS55VA4l/QIsnBZWYwCLJdMsI0k+l9PGptoJlO31GkeKp guMCjg3ocXTbvDBEqp/VWHgebcE0jbJy32DHTr4aeuonprdHMQ9Tps+CVQpAZEyHsHceg12w 31CNUXqFhwdL5mUUsEPpZmfSKWMB27ffueChPlHX3XUIc6Blnql7nbpJ0I2cDCQu178HJ1ou WKbG9l

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

memory_type_changed() is currently only implemented for Intel EPT, and results in the invalidation of EMT attributes on all the entries in the EPT page tables. Such invalidation causes EPT_MISCONFIG vmexits when the guest tries to access any gfns for the first time, which results in the recalculation of the EMT for the accessed page. The vmexit and the recalculations are expensive, and as such should be avoided when possible. Remove the call to memory_type_changed() from XEN_DOMCTL_memory_mapping: there are no modifications of the iomem_caps ranges anymore that could alter the return of cache_flush_permitted() from that domctl. Encapsulate calls to memory_type_changed() resulting from changes to the domain iomem_caps or ioport_caps ranges in the helpers themselves (io{ports,mem}_{permit,deny}_access()), and add a note in epte_get_entry_emt() to remind that changes to the logic there likely need to be propagaed to the IO capabilities helpers. Note changes to the IO ports or memory ranges are not very common during guest runtime, but Citrix Hypervisor has an use case for them related to device passthrough. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- Changes since v2: - Split the Arm side changes into a pre-patch. Changes since v1: - Place the calls to memory_type_changed() inside the io{ports,mem}_{permit,deny}_access() helpers. --- xen/arch/x86/domctl.c | 4 ---- xen/arch/x86/include/asm/iocap.h | 33 +++++++++++++++++++++++---- xen/arch/x86/mm/p2m-ept.c | 4 ++++ xen/common/domctl.c | 4 ---- xen/include/xen/iocap.h | 38 ++++++++++++++++++++++++++++---- 5 files changed, 67 insertions(+), 16 deletions(-) diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index 020df615bd..e9bfbc57a7 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c @@ -232,8 +232,6 @@ long arch_do_domctl( ret = ioports_permit_access(d, fp, fp + np - 1); else ret = ioports_deny_access(d, fp, fp + np - 1); - if ( !ret ) - memory_type_changed(d); break; } @@ -666,8 +664,6 @@ long arch_do_domctl( "ioport_map: error %ld denying dom%d access to [%x,%x]\n", ret, d->domain_id, fmp, fmp + np - 1); } - if ( !ret ) - memory_type_changed(d); break; } diff --git a/xen/arch/x86/include/asm/iocap.h b/xen/arch/x86/include/asm/iocap.h index eee47228d4..ce83c3d8a4 100644 --- a/xen/arch/x86/include/asm/iocap.h +++ b/xen/arch/x86/include/asm/iocap.h @@ -7,10 +7,11 @@ #ifndef __X86_IOCAP_H__ #define __X86_IOCAP_H__ -#define ioports_permit_access(d, s, e) \ - rangeset_add_range((d)->arch.ioport_caps, s, e) -#define ioports_deny_access(d, s, e) \ - rangeset_remove_range((d)->arch.ioport_caps, s, e) +#include <xen/sched.h> +#include <xen/rangeset.h> + +#include <asm/p2m.h> + #define ioports_access_permitted(d, s, e) \ rangeset_contains_range((d)->arch.ioport_caps, s, e) @@ -18,4 +19,28 @@ (!rangeset_is_empty((d)->iomem_caps) || \ !rangeset_is_empty((d)->arch.ioport_caps)) +static inline int ioports_permit_access(struct domain *d, unsigned long s, + unsigned long e) +{ + bool flush = cache_flush_permitted(d); + int ret = rangeset_add_range(d->arch.ioport_caps, s, e); + + if ( !ret && !is_iommu_enabled(d) && !flush ) + /* See comment in iomem_permit_access(). */ + memory_type_changed(d); + + return ret; +} +static inline int ioports_deny_access(struct domain *d, unsigned long s, + unsigned long e) +{ + int ret = rangeset_remove_range(d->arch.ioport_caps, s, e); + + if ( !ret && !is_iommu_enabled(d) && !cache_flush_permitted(d) ) + /* See comment in iomem_deny_access(). */ + memory_type_changed(d); + + return ret; +} + #endif /* __X86_IOCAP_H__ */ diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index b4919bad51..d61d66c20e 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -518,6 +518,10 @@ int epte_get_entry_emt(struct domain *d, gfn_t gfn, mfn_t mfn, return MTRR_TYPE_UNCACHABLE; } + /* + * Conditional must be kept in sync with the code in + * {iomem,ioports}_{permit,deny}_access(). + */ if ( type != p2m_mmio_direct && !is_iommu_enabled(d) && !cache_flush_permitted(d) ) { diff --git a/xen/common/domctl.c b/xen/common/domctl.c index 452266710a..69fb9abd34 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -716,8 +716,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1); else ret = iomem_deny_access(d, mfn, mfn + nr_mfns - 1); - if ( !ret ) - memory_type_changed(d); break; } @@ -778,8 +776,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) "memory_map: error %ld removing dom%d access to [%lx,%lx]\n", ret, d->domain_id, mfn, mfn_end); } - /* Do this unconditionally to cover errors on above failure paths. */ - memory_type_changed(d); break; } diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h index 1ca3858fc0..0ca4c9745f 100644 --- a/xen/include/xen/iocap.h +++ b/xen/include/xen/iocap.h @@ -7,13 +7,43 @@ #ifndef __XEN_IOCAP_H__ #define __XEN_IOCAP_H__ +#include <xen/sched.h> #include <xen/rangeset.h> #include <asm/iocap.h> +#include <asm/p2m.h> + +static inline int iomem_permit_access(struct domain *d, unsigned long s, + unsigned long e) +{ + bool flush = cache_flush_permitted(d); + int ret = rangeset_add_range(d->iomem_caps, s, e); + + if ( !ret && !is_iommu_enabled(d) && !flush ) + /* + * Only flush if the range(s) are empty before this addition and + * IOMMU is not enabled for the domain, otherwise it makes no + * difference for effective cache attribute calculation purposes. + */ + memory_type_changed(d); + + return ret; +} +static inline int iomem_deny_access(struct domain *d, unsigned long s, + unsigned long e) +{ + int ret = rangeset_remove_range(d->iomem_caps, s, e); + + if ( !ret && !is_iommu_enabled(d) && !cache_flush_permitted(d) ) + /* + * Only flush if the range(s) are empty after this removal and + * IOMMU is not enabled for the domain, otherwise it makes no + * difference for effective cache attribute calculation purposes. + */ + memory_type_changed(d); + + return ret; +} -#define iomem_permit_access(d, s, e) \ - rangeset_add_range((d)->iomem_caps, s, e) -#define iomem_deny_access(d, s, e) \ - rangeset_remove_range((d)->iomem_caps, s, e) #define iomem_access_permitted(d, s, e) \ rangeset_contains_range((d)->iomem_caps, s, e) -- 2.37.3

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.