Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2792019pxj; Mon, 10 May 2021 10:48:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxx1R70C7cyji7l1MsyJ5D+JFmi6al3hl83R9lX6JSh64t44BbxKxlASoj15gN6nr7qw4YQ X-Received: by 2002:a6b:7c0b:: with SMTP id m11mr19129389iok.9.1620668934728; Mon, 10 May 2021 10:48:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620668934; cv=none; d=google.com; s=arc-20160816; b=vXOXKIvrOTTxXlWq/8fYovjnozJB2yIYYM7UKW7iOT38w5HhjiZTXur49PznmKo7iv +H4VSMc35ENQePPOlABcc+UdTsaRIx+hMXkVtpWrfVHxUkUqhohssLxsuXwn2z33BAMt grUF8Ia9uWSi233JeiuRT6e9FMLNgtsJlAP0J2Kf+jdscFQ+KXmocsc/0Y1m9SdzhUOh Yk7RbHC5bgGdA/oRsHXAbv/aGpMTHQfEgBw0Pd26grz//A5ahDoGdukdUtD2FFI3ZFsa UE644pI/nPjUDOlF5Mg4Z/uyoZk9ta2yz48ybIT9r/AsoWejfrZjv9pPnw2C6RqHqgoc usDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=LDoI2UalAlpzMx1MJ5YgvrfSa+Lr0EXSwAv1GVcujSA=; b=rC2/hVD5OJc+/ra3INL28+P21ZJcqBRkUJ1Q/ye9IazxN/1Hqdl9XBqjZOiHrQzefs Eo8BwHQlt+u2Dq17FI/4uJCuzetx8+yU5bbW/xC41kRaEGkvPStcohaP297khMksuqH5 zKk7DIywOhBahFv0u0Yq+m8Mdh+IJuLvsda4b/fkJME9Gh1YQ2julERPAAYKysLfSyCq nUl5nBbe7N/Yo94k6s5u9YS5juWR3YyrVRfvAvD69Ehg9eYKCL3t87wOF0+EdgYP4Mph X1F6VOfwWhWSdFBqvXGvEjDrPF0X5UTt+uY48fNphrTJB2THYD64w4TJNVsTyeEXlC6x ttow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=EGcYvgla; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b1si16165868ioh.94.2021.05.10.10.48.41; Mon, 10 May 2021 10:48:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=EGcYvgla; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233199AbhEJRrR (ORCPT + 99 others); Mon, 10 May 2021 13:47:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233000AbhEJRqu (ORCPT ); Mon, 10 May 2021 13:46:50 -0400 Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3E8CC06175F for ; Mon, 10 May 2021 10:45:42 -0700 (PDT) Received: by mail-pg1-x531.google.com with SMTP id k15so1070447pgb.10 for ; Mon, 10 May 2021 10:45:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=LDoI2UalAlpzMx1MJ5YgvrfSa+Lr0EXSwAv1GVcujSA=; b=EGcYvglaEIinKcy4974XzdhpdOdcIeeSlM6NNicCm8aUuu2M2z0AvqCqxl6dDbsCtJ 3HKTRlgNYIr59QD5I13Y0o3AzCZrZ5XChwUrh6zAAsgYnX5pqtT2N0dEoM2t8rmXNzGZ CjDT15xetRNeEdtxnKmaReAH2qAGxHKdSPwXloTuPKekEeOUwo2nAY/zRseH2nGGVH8V bc1OKqMNkO+Mn7exVIjzximSdkQ0Z40sObFtURklEwJVnCqgYEtrVEUPnqjrEQRxnSIF J2CXZTaEfDj0lnbn/PGvobKT6yus2cwI+/Zeajm9P+0skcnQQNGa5oT1zsrgsub3AkDR jhNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=LDoI2UalAlpzMx1MJ5YgvrfSa+Lr0EXSwAv1GVcujSA=; b=RN9zZsPRLTL7VcpbW3OpTxl6TtdsvMysVpUPvEClEPmNjMrzdR1lvv5S4JX0oNuPCV 7UMi7mqEjxiXe0D4ho0ZDRAfhUS9bRUcvTtxxIuDGr1K14eD6MXMclNOqnhB9xBfMHyE OMLlRpUPicpNtXp3L1fzF5j4MkJBWD1V5J5dBOYERjl10q731mhzywF06qP1dl5mTdIv OkhHYeWXZ6hR28dx08UqQl+S5XE4PArdfW0ycPmIjkGe6HMJYfx+lFuxW09KsgR+Iroe gnipSbnRGl4CPoIjO2sgNU32s3M4DROMaeYvgn2/eZ4MjIYt4FNWeCl2foaGhQRlnXVV G9bg== X-Gm-Message-State: AOAM531lUfhPDf91Y1RRC5mU/T7yx5M9h7ZGFDevhIpExpM7dHjV5gZ3 GIVASgJwrSiyTjcQxRDKik5+2w== X-Received: by 2002:a63:ed4d:: with SMTP id m13mr26369865pgk.433.1620668742283; Mon, 10 May 2021 10:45:42 -0700 (PDT) Received: from google.com (240.111.247.35.bc.googleusercontent.com. [35.247.111.240]) by smtp.gmail.com with ESMTPSA id i14sm11971640pgk.77.2021.05.10.10.45.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:45:41 -0700 (PDT) Date: Mon, 10 May 2021 17:45:37 +0000 From: Sean Christopherson To: Paolo Bonzini Cc: Ben Gardon , linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Peter Xu , Peter Shier , Yulei Zhang , Wanpeng Li , Xiao Guangrong , Kai Huang , Keqian Zhu Subject: Re: [PATCH v3 7/8] KVM: x86/mmu: Protect rmaps independently with SRCU Message-ID: References: <20210506184241.618958-1-bgardon@google.com> <20210506184241.618958-8-bgardon@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 07, 2021, Paolo Bonzini wrote: > On 06/05/21 20:42, Ben Gardon wrote: > > In preparation for lazily allocating the rmaps when the TDP MMU is in > > use, protect the rmaps with SRCU. Unfortunately, this requires > > propagating a pointer to struct kvm around to several functions. > > Thinking more about it, this is not needed because all reads of the rmap > array are guarded by the load-acquire of kvm->arch.memslots_have_rmaps. > That is, the pattern is always > > if (!load-acquire(memslot_have_rmaps)) > return; > ... = __gfn_to_rmap(...) > > slots->arch.rmap[x] = ... > store-release(memslot_have_rmaps, true) > > where the load-acquire/store-release have the same role that > srcu_dereference/rcu_assign_pointer had before this patch. > > We also know that any read that misses the check has the potential for a > NULL pointer dereference, so it *has* to be like that. > > That said, srcu_dereference has zero cost unless debugging options are > enabled, and it *is* true that the rmap can disappear if kvm->srcu is not > held, so I lean towards keeping this change and just changing the commit > message like this: > > --------- > Currently, rmaps are always allocated and published together with a new > memslot, so the srcu_dereference for the memslots array already ensures that > the memory pointed to by slots->arch.rmap is zero at the time > slots->arch.rmap. However, they still need to be accessed in an SRCU > read-side critical section, as the whole memslot can be deleted outside > SRCU. > -------- I disagree, sprinkling random and unnecessary __rcu/SRCU annotations does more harm than good. Adding the unnecessary tag could be quite misleading as it would imply the rmap pointers can _change_ independent of the memslots. Similary, adding rcu_assign_pointer() in alloc_memslot_rmap() implies that its safe to access the rmap after its pointer is assigned, and that's simply not true since an rmap array can be freed if rmap allocation for a different memslot fails. Accessing the rmap is safe if and only if all rmaps are allocated, i.e. if arch.memslots_have_rmaps is true, as you pointed out. Furthermore, to actually gain any protection from SRCU, there would have to be an synchronize_srcu() call after assigning the pointers, and that _does_ have an associated. Not to mention that to truly respect the __rcu annotation, deleting the rmaps would also have to be done "independently" with the correct rcu_assign_pointer() and synchronize_srcu() logic.