Date: Tue, 23 Aug 2022 23:47:03 +0100
Message-ID: <878rnewpaw.wl-maz@kernel.org>
From: Marc Zyngier
To: Peter Xu
Cc: Gavin Shan, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, pbonzini@redhat.com, corbet@lwn.net, james.morse@arm.com, alexandru.elisei@arm.com, suzuki.poulose@arm.com, oliver.upton@linux.dev, catalin.marinas@arm.com, will@kernel.org, shuah@kernel.org, seanjc@google.com, dmatlack@google.com, bgardon@google.com, ricarkol@google.com, zhenyzha@redhat.com, shan.gavin@gmail.com
Subject: Re: [PATCH v1 1/5] KVM: arm64: Enable ring-based dirty memory tracking
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 23 Aug 2022 22:20:32 +0100,
Peter Xu wrote:
>
> On Tue, Aug 23, 2022 at 08:17:03PM +0100, Marc Zyngier wrote:
> > I don't think we really need this check on the hot path. All we need
> > is to make the request sticky until userspace gets their act together
> > and consumes elements in the ring. Something like:
> >
> > diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c > > index 986cee6fbc7f..e8ed5e1af159 100644 > > --- a/arch/arm64/kvm/arm.c > > +++ b/arch/arm64/kvm/arm.c
> > @@ -747,6 +747,14 @@ static int check_vcpu_requests(struct kvm_vcpu *vcpu) > > > > if (kvm_check_request(KVM_REQ_SUSPEND, vcpu)) > > return kvm_vcpu_suspend(vcpu); > > + > > + if (kvm_check_request(KVM_REQ_RING_SOFT_FULL, vcpu) && > > + kvm_dirty_ring_soft_full(vcpu)) { > > + kvm_make_request(KVM_REQ_RING_SOFT_FULL, vcpu); > > + vcpu->run->exit_reason = KVM_EXIT_DIRTY_RING_FULL; > > + trace_kvm_dirty_ring_exit(vcpu); > > + return 0; > > + } > > } > > > > return 1;
>
> Right, this seems working. We can also use kvm_test_request() here.
>
> >
> > However, I'm a bit concerned by the reset side of things. It iterates
> > over the vcpus and expects the view of each ring to be consistent,
> > even if userspace is hacking at it from another CPU. For example, I
> > can't see what guarantees that the kernel observes the writes from
> > userspace in the order they are being performed (the documentation
> > provides no requirements other than "it must collect the dirty GFNs in
> > sequence", which doesn't mean much from an ordering perspective).
> >
> > I can see that working on a strongly ordered architecture, but on
> > something as relaxed as ARM, the CPUs may^Wwill aggressively reorder
> > stuff that isn't explicitly ordered. I have the feeling that a CAS
> > operation on both sides would be enough, but someone who actually
> > understands how this works should have a look...
>
> I definitely don't think I 100% understand all the ordering things since
> they're complicated.. but my understanding is that the reset procedure
> didn't need memory barrier (unlike pushing, where we have explicit wmb),
> because we assumed the userapp is not hostile so logically it should only
> modify the flags which is a 32bit field, assuming atomicity guaranteed.

Atomicity doesn't guarantee ordering, unfortunately. Take the
following example: CPU0 is changing a bunch of flags for GFNs A, B, C,
D that exist in the ring in that order, and CPU1 performs an ioctl to
reset the page state.

CPU0:
    write_flag(A, KVM_DIRTY_GFN_F_RESET)
    write_flag(B, KVM_DIRTY_GFN_F_RESET)
    write_flag(C, KVM_DIRTY_GFN_F_RESET)
    write_flag(D, KVM_DIRTY_GFN_F_RESET)
    [...]

CPU1:
    ioctl(KVM_RESET_DIRTY_RINGS)

Since CPU0 writes do not have any ordering, CPU1 can observe the
writes in a sequence that has nothing to do with program order, and
could for example observe that GFN A and D have been reset, but not B
and C. This in turn breaks the logic in the reset code (B, C, and D
don't get reset), despite userspace having followed the spec to the
letter. If each was a store-release (which is the case on x86), it
wouldn't be a problem, but nothing calls it in the documentation.

Maybe that's not a big deal if it is expected that each CPU will issue
a KVM_RESET_DIRTY_RINGS itself, ensuring that it observes its own
writes. But expecting this to work across CPUs without any barrier is
wishful thinking.

> IIRC we used to discuss similar questions on "what if the user is hostile
> and wants to hack the process by messing up with the ring", and our
> conclusion was as long as the process wouldn't mess up anything outside
> itself it should be okay. E.g. It should not be able to either cause the
> host to misfunction, or trigger kernel warnings in dmesg, etc..

I'm not even discussing safety here. I'm purely discussing the
interactions between userspace and kernel based on the documentation
and the existing kernel code.

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.
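
Review bot: the new KVM_REQ_RING_SOFT_FULL block in check_vcpu_requests() needs a comment explaining why kvm_make_request() is called right after kvm_check_request() on the same request. kvm_check_request() clears the request bit, so the second call is what keeps the request pending until userspace drains the ring, and nothing in the hunk says so. If the check is switched to kvm_test_request() as the reply suggests, the kvm_make_request() call can go, but the path where kvm_dirty_ring_soft_full() is false then needs an explicit clear, or the request stays set after the ring has been emptied.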
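
The A/D scenario above, as an added C11 example (not code from this thread or from the kernel): a reset-side walk that stops at the first slot it does not see as harvested, paired with a release store on the harvesting side. The struct, flag and function names are hypothetical, and the view that the reset side observes is modelled with a bitmask instead of being produced by racing CPUs.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of a dirty-ring slot; all names are illustrative. */
#define GFN_F_DIRTY 0x1u /* published by the producer, not yet harvested */
#define GFN_F_RESET 0x2u /* harvested by the consumer, may be reclaimed */
#define RING_SIZE   8u   /* power of two, so indices wrap with a mask */
struct gfn_entry { _Atomic uint32_t flags; uint64_t offset; };

/* Harvesting side: release orders this store after all earlier accesses. */
static void mark_harvested(struct gfn_entry *e)
{
    atomic_store_explicit(&e->flags, GFN_F_RESET, memory_order_release);
}

/* Reset side: walk forward from `start`, stop at the first slot not seen as
 * harvested, return the number reclaimed. The acquire load pairs with above. */
static size_t collect_harvested(struct gfn_entry *ring, size_t start, size_t max)
{
    size_t n = 0;
    while (n < max) {
        struct gfn_entry *e = &ring[(start + n) & (RING_SIZE - 1)];
        if (!(atomic_load_explicit(&e->flags, memory_order_acquire) & GFN_F_RESET))
            break;
        atomic_store_explicit(&e->flags, 0, memory_order_relaxed);
        n++;
    }
    return n;
}

/* Slots start..start+3 stand for GFNs A..D. Bit i of `seen` set means the
 * reset side observes the RESET store to slot i; returns slots reclaimed. */
static size_t reclaimed_for_view(size_t start, unsigned seen)
{
    struct gfn_entry ring[RING_SIZE] = {0};
    for (size_t i = 0; i < 4; i++) {
        struct gfn_entry *e = &ring[(start + i) & (RING_SIZE - 1)];
        atomic_store_explicit(&e->flags, GFN_F_DIRTY, memory_order_relaxed);
        if (seen & (1u << i))
            mark_harvested(e);
    }
    return collect_harvested(ring, start, 4);
}

int main(void)
{
    printf("A and D visible: %zu reclaimed\n", reclaimed_for_view(0, 0x9));
    printf("all four visible: %zu reclaimed\n", reclaimed_for_view(6, 0xF));
    return 0;
}
```

With only A and D visible the walk reclaims one slot and leaves B, C and D in place, which is the outcome described in the message.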