Re: [PATCH v7 11/11] KVM: xen: allow vcpu_info content to be 'safely' copied

From: David Woodhouse
Date: Wed Nov 08 2023 - 10:15:32 EST

Next message: Steven Rostedt: "Re: [RFC PATCH 00/86] Make the kernel preemptible"
Previous message: Juri Lelli: "Re: [PATCH v5 6/7] sched/deadline: Deferrable dl server"
Next in thread: Sean Christopherson: "Re: [PATCH v7 11/11] KVM: xen: allow vcpu_info content to be 'safely' copied"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2023-10-31 at 16:58 -0700, Sean Christopherson wrote:
>
> > diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
> > index aafc794940e4..e645066217bb 100644
> > --- a/arch/x86/kvm/xen.c
> > +++ b/arch/x86/kvm/xen.c
> > @@ -1606,9 +1606,6 @@ int kvm_xen_set_evtchn_fast(struct kvm_xen_evtchn *xe, struct kvm *kvm)
> >                 WRITE_ONCE(xe->vcpu_idx, vcpu->vcpu_idx);
> >         }
> >
> > -       if (!vcpu->arch.xen.vcpu_info_cache.active)
> > -               return -EINVAL;
> > -
>
> Hmm, maybe move this check after the "hard" error checks and explicitly do:
>
>                 return -EWOULDBLOCK
>
> That way it's much more obvious that this patch is safe. Alternatively, briefly
> explain what happens if the cache is invalid in the changelog.

Hm, I thought we dropped that? It doesn't want to return -EWOULDBLOCK.
That would cause a "fast" irqfd delivery to defer to the slow
(workqueue) path, but then the same thing would happen on that path
*too*.

I actually think this check needs to be dropped completely. The
evtchn_pending_sel bit will get set in the *shadow* copy in vcpu-
>arch.xen.evtchn_pending_sel, and will subsequently be set in the real
vcpu_info when that is configured again. We do already handle that case
correctly, I believe:

if (!kvm_gpc_check(gpc, sizeof(struct vcpu_info))) {
/*
* Could not access the vcpu_info. Set the bit in-kernel
* and prod the vCPU to deliver it for itself.
*/
if (!test_and_set_bit(port_word_bit, &vcpu->arch.xen.evtchn_pending_sel))
kick_vcpu = true;
goto out_rcu;
}

If we leave this check in place as it is, I think we're going to lose
incoming events (and IPIs) directed at a vCPU while it has its
vcpu_info temporarily removed.

(We do want to "temporarily" remove the vcpu_info so that we can adjust
memslots, because there's no way to atomically break apart a large
memslot and overlay a single page in the middle of it. And also when a
guest is paused for migration, it's nice to be sure that no changes
will happen to the guest memory and trigger sanity checks that the
memory on the destination precisely matches the source.)

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Next message: Steven Rostedt: "Re: [RFC PATCH 00/86] Make the kernel preemptible"
Previous message: Juri Lelli: "Re: [PATCH v5 6/7] sched/deadline: Deferrable dl server"
Next in thread: Sean Christopherson: "Re: [PATCH v7 11/11] KVM: xen: allow vcpu_info content to be 'safely' copied"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]