Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp258389lqt; Thu, 18 Apr 2024 14:21:37 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCV2XaOX5n81igutHvhZDeIRAiUPoOZ292+uEjzUUr3mT0wjFLldLguZN9E2Y8bUQZObapeUYEaCwhwZHq8+Y+IIpFmXu5+dn27DXzqVyA== X-Google-Smtp-Source: AGHT+IFbDF8ldEtjtNu7/7SqQOUdS1garOfvbyW92bosKdqMD/mceVtvy/KKZQLRpaTTOv5F9n6P X-Received: by 2002:a05:690c:6183:b0:61b:3305:e87 with SMTP id hj3-20020a05690c618300b0061b33050e87mr132869ywb.37.1713475297083; Thu, 18 Apr 2024 14:21:37 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713475297; cv=pass; d=google.com; s=arc-20160816; b=Y/719AJEb3M/OURFxeNzPwwPl7aQlDiKzcdAaq46C8gVoR4KdJlNZEwQRD5/pUwtrQ MztHMbkzizE20MshVSSqRc/SJ0iz2ow6rjpe+RgHNsfyta+jk53cKNs43RoT8JOaFZK6 k2PykrZxFf3F8eTqIyUGTnvvLn7N7lBkOLvovxtqG7XEze+bK3dDNto5KLZr5LcDXUFO 0Kt8lVg1M1PV+gdQjFN0d2ZcpKDDwJteS3oN00lnPqEWtAm7aiC3uSyClInpPKP1rzob ZV4fPyas1Q/9egX2Gmblv/63Qj4aBnTs86kjhsMH5KF0X8maw4kMyitu7cIUjg10GLFZ y6Zg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=5sgNP1y4Gb7YIm3QO4qpq0MpsRY6PlbBal0iGG5g8TU=; fh=1CfiShm1P/WxKtwtLzu0snDdfyBYiCXXeUkXV7bQtkk=; b=hNJjf0xuS+/BZ6f60RQr29oL/+1/TJ+mnhSdjm0hkBmxhLp9pXfCuGKJgIJvtYYZwT qlLbjT2uduGDmZx/BVHfGbVAfEm9ofGdm/FWkt77mbWMC0z/6jD3K0kHuu4Z4B+yIYTY 4b4Dq5cI5HsOQa2wysFKSRLgaULV0bEPWnsbTyEJI3SafPX9xyZ2WpY6rsU2PQ4kxjO1 248pyX77zS5w5SdTdnC65c1w+X94nvYshzL/QugBLtb+3dushZp0d7eKDGc35DP0JKQ2 ACkNmCnbmtehS1zOqItgNI+zVKFmer8Swp/5fuR/PsVdn6+RNZLlQKooppZhxM92eolq aXvw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=m0Fe3erW; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-150798-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-150798-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id cb5-20020a05622a1f8500b00437b7f4965csi949050qtb.788.2024.04.18.14.21.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Apr 2024 14:21:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-150798-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=m0Fe3erW; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-150798-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-150798-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id BEF6A1C22755 for ; Thu, 18 Apr 2024 21:21:36 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C54F8194C9D; Thu, 18 Apr 2024 21:21:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="m0Fe3erW" Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7CD0D19068D for ; Thu, 18 Apr 2024 21:21:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713475285; cv=none; b=QhMWL7cfi15w0JJDdnIdwqlFT3n9jzoOVs1iN28IIeaMZKP7Grpql16bloIDkKhWlw9L8nZSnhDmOJ8QovemL9/RVq0DAcLsDdBKNKf8cCr6nlMuhzVmtmipnp9gMzEnM1rkpZE2DyLMw4VoYKlcm0nLmmrWoUkD4K7OwX39Dxk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713475285; c=relaxed/simple; bh=y2QgvTIQc5YxNGACMLJ77qipzbYe9QndhuNBBIXYMJ0=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=gtq0PXQUeMJCeS84ZPl7o7UPSYJs3eyDG5xHjwdXqGZ50SKFVgkbGJ6gibG3RU3LdiDlizJuvhdaYFarXB6wibojGTeplctgyzAE/5tLaTzqofo+w+UGzsbqsd7oGLse89ZusRJy93HFOh0F6YS7s+AI3uuseli7qeSLBIdgLoc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=m0Fe3erW; arc=none smtp.client-ip=209.85.214.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-1e3f6f03594so11631805ad.0 for ; Thu, 18 Apr 2024 14:21:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713475284; x=1714080084; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=5sgNP1y4Gb7YIm3QO4qpq0MpsRY6PlbBal0iGG5g8TU=; b=m0Fe3erW80A0CZwax3+DZGtrz17LHgBCbAF3txTrP0Mp+hUTAyi28mDkbR3ZwgTYuu 2zpZJp+DWq9V/9gQS55SPHJtB3d+m3pkATKeQoATbOyqVOrD5CejTJnBRx4au/u0PybW 60r3Mwrohm1pJ15h2nPfR7ZQE4NjnK/PlIO9AD23WqML7lj6fk0Zgcqsw4J/K+eIcUBI JmUvRuFES2nMRnLyMo8lCyQTNb5xv9i+pkUgutzfLj/oji8LN6OEmmZ+MapcGSy7G5GM 5z0GXL3ihzmz7EpK4BnG+whlkQwBaZWnsi1VtlSvqH8nKDyg9VDKOZXczQCvyEnf95qm xmIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713475284; x=1714080084; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5sgNP1y4Gb7YIm3QO4qpq0MpsRY6PlbBal0iGG5g8TU=; b=JwJtMkfXQsFWpRZVt1PXd25IMdP6mmcIlrbeERQl+VKAlXEyIL5APrRxGb1ajrzN2N 63OQeET0yHHQLSonRJqOwUOTqnUMu6QqeVmTv5GDA4XTGNSdqyMTpb6EqjGzzgdUKdqP hfJIHC4lEx1Ku+LYqqbP5FC4Tda2KSO8vyIR9PFzRbUuYnIuD/hF8MMoHjY2EjLv3z1w cNOBFD/SyagEq22XWxof/yKj/3XOvYkqRHqhU4IdytqLFEBtlPpzxKiOhMasPgpIqdce 34v31nUXZFUGaSVkKSsPWyqeyXx/VJgo7r+L+Pe+ud5wtG8sd6Tz77alxweR8MBe091A zgkQ== X-Forwarded-Encrypted: i=1; AJvYcCVXPZNP1n3Hp6zOHBKnWB3jnNWpiNRyuX0nL1hpKQH10fbAAzSC2eIEyViN9b8Hx7aerFhKUld/Cm/rnRUX6TVIomRyRq1oGPLPzAj9 X-Gm-Message-State: AOJu0YxbUMH+6Xe8V7Ta5Af5ZN9q1YyDn45LGGQyfmbuXYEMDCTc6rRY vRfyHIJPGQuPoBtjpM4SAy7lwOLOKZWOv65lbQi7fzuRRKAGP42Dq7O/GhyMBQ== X-Received: by 2002:a17:902:6b42:b0:1e4:4ade:f504 with SMTP id g2-20020a1709026b4200b001e44adef504mr248052plt.46.1713475283392; Thu, 18 Apr 2024 14:21:23 -0700 (PDT) Received: from google.com (176.13.105.34.bc.googleusercontent.com. [34.105.13.176]) by smtp.gmail.com with ESMTPSA id x6-20020a170902a38600b001e79072ee58sm2028346pla.62.2024.04.18.14.21.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Apr 2024 14:21:22 -0700 (PDT) Date: Thu, 18 Apr 2024 21:21:18 +0000 From: Mingwei Zhang To: Sean Christopherson Cc: Dapeng Mi , Xiong Zhang , pbonzini@redhat.com, peterz@infradead.org, kan.liang@intel.com, zhenyuw@linux.intel.com, jmattson@google.com, kvm@vger.kernel.org, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, zhiyuan.lv@intel.com, eranian@google.com, irogers@google.com, samantha.alt@intel.com, like.xu.linux@gmail.com, chao.gao@intel.com Subject: Re: [RFC PATCH 23/41] KVM: x86/pmu: Implement the save/restore of PMU state for Intel CPU Message-ID: References: <20240126085444.324918-1-xiong.y.zhang@linux.intel.com> <20240126085444.324918-24-xiong.y.zhang@linux.intel.com> <18b19dd4-6d76-4ed8-b784-32436ab93d06@linux.intel.com> <4c47b975-ad30-4be9-a0a9-f0989d1fa395@linux.intel.com> <737f0c66-2237-4ed3-8999-19fe9cca9ecc@linux.intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Mon, Apr 15, 2024, Sean Christopherson wrote: > On Mon, Apr 15, 2024, Mingwei Zhang wrote: > > On Mon, Apr 15, 2024 at 3:04 AM Mi, Dapeng wrote: > > > On 4/15/2024 2:06 PM, Mingwei Zhang wrote: > > > > On Fri, Apr 12, 2024 at 9:25 PM Mi, Dapeng wrote: > > > >>>> It's necessary to clear the EVENTSELx MSRs for both GP and fixed counters. > > > >>>> Considering this case, Guest uses GP counter 2, but Host doesn't use it. So > > > >>>> if the EVENTSEL2 MSR is not cleared here, the GP counter 2 would be enabled > > > >>>> unexpectedly on host later since Host perf always enable all validate bits > > > >>>> in PERF_GLOBAL_CTRL MSR. That would cause issues. > > > >>>> > > > >>>> Yeah, the clearing for PMCx MSR should be unnecessary . > > > >>>> > > > >>> Why is clearing for PMCx MSR unnecessary? Do we want to leaking counter > > > >>> values to the host? NO. Not in cloud usage. > > > >> No, this place is clearing the guest counter value instead of host > > > >> counter value. Host always has method to see guest value in a normal VM > > > >> if he want. I don't see its necessity, it's just a overkill and > > > >> introduce extra overhead to write MSRs. > > > >> > > > > I am curious how the perf subsystem solves the problem? Does perf > > > > subsystem in the host only scrubbing the selector but not the counter > > > > value when doing the context switch? > > > > > > When context switch happens, perf code would schedule out the old events > > > and schedule in the new events. When scheduling out, the ENABLE bit of > > > EVENTSELx MSR would be cleared, and when scheduling in, the EVENTSELx > > > and PMCx MSRs would be overwritten with new event's attr.config and > > > sample_period separately. Of course, these is only for the case when > > > there are new events to be programmed on the PMC. If no new events, the > > > PMCx MSR would keep stall value and won't be cleared. > > > > > > Anyway, I don't see any reason that PMCx MSR must be cleared. > > > > > > > I don't have a strong opinion on the upstream version. But since both > > the mediated vPMU and perf are clients of PMU HW, leaving PMC values > > uncleared when transition out of the vPMU boundary is leaking info > > technically. > > I'm not objecting to ensuring guest PMCs can't be read by any entity that's not > in the guest's TCB, which is what I would consider a true leak. I'm objecting > to blindly clearing all PMCs, and more specifically objecting to *KVM* clearing > PMCs when saving guest state without coordinating with perf in any way. Agree. blindly clearing PMCs is the basic implementation. I am thinking about what coordination between perf and KVM as well. > > I am ok if we start with (or default to) a "safe" implementation that zeroes all > PMCs when switching to host context, but I want KVM and perf to work together to > do the context switches, e.g. so that we don't end up with code where KVM writes > to all PMC MSRs and that perf also immediately writes to all PMC MSRs. Sure. Point taken. > > One my biggest complaints with the current vPMU code is that the roles and > responsibilities between KVM and perf are poorly defined, which leads to suboptimal > and hard to maintain code. Right. > > Case in point, I'm pretty sure leaving guest values in PMCs _would_ leak guest > state to userspace processes that have RDPMC permissions, as the PMCs might not > be dirty from perf's perspective (see perf_clear_dirty_counters()). > ah. This is a good point. switch_mm_irqs_off() => cr4_update_pce_mm() => /* * Clear the existing dirty counters to * prevent the leak for an RDPMC task. */ perf_clear_dirty_counters() So perf does clear dirty counter values on process context switch. This is nice to know. perf_clear_dirty_counters() clear the counter values according to cpuc->dirty except for those assigned counters. > Blindly clearing PMCs in KVM "solves" that problem, but in doing so makes the > overall code brittle because it's not clear whether KVM _needs_ to clear PMCs, > or if KVM is just being paranoid. There is a difference between KVM and perf subsystem on PMU context switch. The latter has the notion of "perf_events", while the former currently does not. It is quite hard for KVM to know which counters are really "in use". Another point I want to raise up to you is that, KVM PMU context switch and Perf PMU context switch happens at different timing: - The former is a context switch between guest/host state of the same process, happening at VM-enter/exit boundary. - The latter is a context switch beteen two host-level processes. - The former happens before the latter. - Current design has no PMC partitioning between host/guest due to arch limitation. From the above, I feel that it might be impossible to combine them or to add coordination? Unless we do the KVM PMU context switch at vcpu loop boundary... Thanks. -Mingwei