Re: [Xen-devel] [PATCH] xen: grant-table: Check truncation when giving access to a frame
From: Julien Grall
Date: Mon Jun 13 2016 - 09:05:53 EST
On 13/06/16 13:45, Paul Durrant wrote:
-----Original Message-----
From: Julien Grall [mailto:julien.grall@xxxxxxx]
Sent: 13 June 2016 13:42
To: Paul Durrant; boris.ostrovsky@xxxxxxxxxx; David Vrabel;
jgross@xxxxxxxx; sstabellini@xxxxxxxxxx; konrad.wilk@xxxxxxxxxx
Cc: Andrew Cooper; xen-devel@xxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
JBeulich@xxxxxxxx; steve.capper@xxxxxxx
Subject: Re: [Xen-devel] [PATCH] xen: grant-table: Check truncation when
giving access to a frame
On 13/06/16 13:41, Julien Grall wrote:
Hello Paul,
On 13/06/16 13:12, Paul Durrant wrote:
-----Original Message-----
From: Xen-devel [mailto:xen-devel-bounces@xxxxxxxxxxxxx] On Behalf
Of
Julien Grall
Sent: 13 June 2016 11:51
To: boris.ostrovsky@xxxxxxxxxx; David Vrabel; jgross@xxxxxxxx;
sstabellini@xxxxxxxxxx; konrad.wilk@xxxxxxxxxx
Cc: steve.capper@xxxxxxx; Andrew Cooper; linux-
kernel@xxxxxxxxxxxxxxx;
xen-devel@xxxxxxxxxxxxx; Julien Grall; JBeulich@xxxxxxxx
Subject: [Xen-devel] [PATCH] xen: grant-table: Check truncation when
giving
access to a frame
The version 1 of the grant-table protocol only supports frame encoded
on
32-bit.
When the platform is supporting 48-bit physical address, the frame will
be encoded on 36-bit which will lead a truncation and give access to
the wrong frame.
On ARM Xen will always allow the guest to use all the physical address,
although today the RAM is always located under 40-bits (see
xen/include/public/arch-arm.h).
Add a truncation check in gnttab_update_entry_v1 to prevent the guest
to
give access to the wrong frame.
Signed-off-by: Julien Grall <julien.grall@xxxxxxx>
---
This is limiting us to a 44-bit address space whilst ARM can
support
up to 48-bit today. This number of bit will increase to 52-bit in
upcoming processors [1].
It might be good to start thinking to extend the version 1 of the
protocol to use 64-bit frame number.
...or simply use version 2 of the protocol.
On another mail [1], you said that "[v2] didn't scale it became
bottle-necked on dom0's grant table size,...".
So it looks like to me that version 2 is the wrong way to go.
The performance should stay the same whether the platform support
40-bit, 44-bit, 48-bit, 52-bit address space.
No, I meant the guest receive-side copy didn't scale, not grant table v2 itself. Ok the table is bigger with v2, but to do guest receive-side copy required a huge table in dom0 if it was going to scale to 100s of VMs and the perf. benefits were never that great (if they were there at all).
Sorry I misunderstood your previous mail. So the only downside is the
size of the table.
Looking at the structure in the header (public/grant_table.h), this is
effectively much bigger. A commit in Linux [1] suggests that grant v2
only supports 256 grants per page rather than 512 for v1.
How would that impact a guest?
Regards,
[1] commit 11c7ff17c9b6dbf3a4e4f36be30ad531a6cf0ec9
Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
Date: Mon Jan 6 10:44:39 2014 -0500
xen/grant-table: Force to use v1 of grants.
We have the framework to use v2, but there are no backends that
actually use it. The end result is that on PV we use v2 grants
and on PVHVM v1. The v1 has a capacity of 512 grants per page while
the v2 has 256 grants per page. This means we lose about 50%
capacity - and if we want more than 16 VIFs (each VIF takes
512 grants), then we are hitting the max per guest of 32.
So from my understanding the table is much more bigger.
--
Julien Grall