Re: [PATCH 1/1] vfio-ccw: Enable transparent CCW IPL from DASD

[Jared Rossi]

On 2020-04-24 08:50, Halil Pasic wrote:
> On Thu, 23 Apr 2020 16:25:39 -0400
> Eric Farman <farman@xxxxxxxxxxxxx> wrote:
>
> > On 4/23/20 11:11 AM, Cornelia Huck wrote:
> > > On Thu, 23 Apr 2020 15:56:20 +0200
> > > Halil Pasic <pasic@xxxxxxxxxxxxx> wrote:
> > >
> > >> On Fri, 17 Apr 2020 14:29:39 -0400
> > >> Jared Rossi <jrossi@xxxxxxxxxxxxx> wrote:
> > >>
> > >>> Remove the explicit prefetch check when using vfio-ccw devices.
> > >>> This check is not needed as all Linux channel programs are intended
> > >>> to use prefetch and will be executed in the same way regardless.
> > >>
> > >> Hm. This is a guest thing or? So you basically say, it is OK to do
> > >> this, because you know that the guest is gonna be Linux and that it
> > >> the channel program is intended to use prefetch -- but the ORB supplied
> > >> by the guest that designates the channel program happens to state the
> > >> opposite.
> > >>
> > >> Or am I missing something?
> > >
> > > I see this as a kind of architecture compliance/ease of administration
> > > tradeoff, as we none of the guests we currently support uses something
> > > that breaks with prefetching outside of IPL (which has a different
> > > workaround).>
>
> And that workaround AFAIR makes sure that we don't issue a CP that is
> self-modifying or otherwise reliant on non-prefetch. So any time we see
> a self-modifying program we know, we have an incompatible setup.
>
> In any case I believe the commit message is inadequate, as it does not
> reflect about the risks.
>
> > > One thing that still concerns me a bit is debuggability if a future
> > > guest indeed does want to dynamically rewrite a channel program: the
> >
> > +1 for some debuggability, just in general
> >
> > > guest thinks it instructed the device to not prefetch, and then
> > > suddenly things do not work as expected. We can log when a guest
> > > submits an orb without prefetch set, but we can't find out if the guest
> > > actually does something that relies on non-prefetch.
> >
> > Without going too far down a non-prefetch rabbit-hole, can we use the
> > cpa_within_range logic to see if the address of the CCW being fetched
> > exists as the CDA of an earlier (non-TIC) CCW in the chain we're
> > processing, and tracing/logging/messaging something about a possible
> > conflict?
> >
> > (Jared, you did some level of this tracing with our real/synthetic 
> > tests
> > some time ago.  Any chance something of it could be polished and made
> > useful, without being overly heavy on the mainline path?)
>
> Back then I believe I made a proposal on how this logic could look 
> like.
> I think all we need is checking for self rewrites (ccw reads to the
> addresses that comprise the  complete original channel program), and 
> for
> status-modifier 'skips'. The latter could be easily done by putting 
> some
> sort of poison at the end of the detected channel program segments.

From what I previously did with the tracing, I don't think that there is 
a
practical way to determine if a cp is actually doing something that 
relies
on non-prefetch.  It seems we would need to examine the CCWs to find 
reads
and also validate the addresses those CCWs access to check if there is a
conflict.  Probably this is too much overhead considering that we expect
it to be a rare occurrence?

Is it too simplistic to print a kernel warning stating that an ORB did 
not
have the p-bit set, but it is being prefetched anyway?

Regards,
Jared Rossi