[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [RFC 3/4] Add xen superpage splitting support to arm
On Tue, Dec 13, 2022 at 11:07:55PM +0000, Julien Grall wrote: > Hi Demi, > > On 13/12/2022 22:17, Demi Marie Obenour wrote: > > On Tue, Dec 13, 2022 at 09:15:49PM +0000, Julien Grall wrote: [snip] > > > > + > > > > + /* > > > > + * Generate the entry for this new table we created, > > > > + * and write it back in place of the superpage entry. > > > > + */ > > > > > > I am afraid this is not compliant with the Arm Arm. If you want to update > > > valid entry (e.g. shattering a superpage), then you need to follow the > > > break-before-make sequence. This means that: > > > 1. Replace the valid entry with an entry with an invalid one > > > 2. Flush the TLBs > > > 3. Write the new entry > > > > > > Those steps will make your code compliant but it also means that a virtual > > > address will be temporarily invalid so you could take a fault in the > > > middle > > > of your split if your stack or the table was part of the region. The same > > > could happen for the other running CPUs but this is less problematic as > > > they > > > could spin on the page-table lock. > > > > Could this be worked around by writing the critical section in > > assembler? > > Everything is feasible. Is this worth it? I don't think so. There are way we > can avoid the shattering at first by simply not mapping all the RAM. Good point. I do wonder what would go wrong if one replaced one live PTE with another that pointed to the same physical address. Is this merely a case of “spec doesn’t allow it”, or does it actually break on real hardware? > > The assembler code would never access the stack and would > > run with interrupts disabled. There could also be BUG() checks for > > attempting to shatter a PTE that was needed to access the PTE in > > question, though I suspect one can work around this with a temporary > > PTE. That said, shattering large pages requires allocating memory, > > which might fail. What happens if the allocation does fail? > > If this is only done during boot, then I would argue you will want to crash > Xen. Fair! Even NASA’s coding standards for spacecraft allow for dynamic allocation during initialization. After all, initialization is typically deterministic and easy to test. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab Attachment:
signature.asc
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |