WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

RE: [Xen-devel] Re: [PATCH] Add a new p2m type for broken memory

To: Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Subject: RE: [Xen-devel] Re: [PATCH] Add a new p2m type for broken memory
From: "Jiang, Yunhong" <yunhong.jiang@xxxxxxxxx>
Date: Wed, 14 Jul 2010 21:41:38 +0800
Accept-language: en-US
Acceptlanguage: en-US
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>, Keir Fraser <Keir.Fraser@xxxxxxxxxxxxx>
Delivery-date: Wed, 14 Jul 2010 06:45:23 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20100714091857.GA13291@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <789F9655DD1B8F43B48D77C5D30659731F57135D@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20100714091857.GA13291@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcsjNaUjcuGtCGW8Qw6D2JOsbOxGfAAIUDeA
Thread-topic: [Xen-devel] Re: [PATCH] Add a new p2m type for broken memory

>-----Original Message-----
>From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
>[mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Tim Deegan
>Sent: Wednesday, July 14, 2010 5:19 PM
>To: Jiang, Yunhong
>Cc: xen-devel; Keir Fraser
>Subject: [Xen-devel] Re: [PATCH] Add a new p2m type for broken memory
>
>Hi,
>
>At 08:39 +0100 on 14 Jul (1279096791), Jiang, Yunhong wrote:
>> Add a new p2m type for broken memory.
>>
>> Currently, this is used only for EPT guest. When memory assigned to guest is
>poisoned, we will mark it as broken in p2m table, the corresponding EPT entry 
>is set
>as not present. Later, if guest try to access the affected memory, EPT 
>violation will
>happen and Xen hypervisor can trap this access.
>>
>> Signed-off-by: Jiang, Yunhong <yunhong.jiang@xxxxxxxxx>
>>
>> diff -r 29f0479830cd xen/arch/x86/hvm/hvm.c
>> --- a/xen/arch/x86/hvm/hvm.c Mon Jul 12 13:12:31 2010 +0800
>> +++ b/xen/arch/x86/hvm/hvm.c Mon Jul 12 13:58:55 2010 +0800
>> @@ -971,6 +971,12 @@ bool_t hvm_hap_nested_page_fault(unsigne
>>
>>      mfn = gfn_to_mfn_type_current(gfn, &p2mt, p2m_guest);
>>
>> +    if ( unlikely(p2mt == p2m_ram_broken) )
>> +    {
>> +        domain_crash(current->domain);
>> +        return 1;
>> +    }
>> +
>
>You should probably do this in more places, even if you don't care
>about shadow pagetables -- MMIO emulation should behave the same as
>normal accesses.

What do you mean of " the same as normal access"? 
MMIO will not be poisoned and will not be marked as p2m_ram_broken. We only 
need track guest's access to poison RAM.

There are some case need considered, like hypervisor emulate instruction for 
guest. For example, considering "movs (*rsi), (*rdi)", where rdi points to MMIO 
or APIC, while rsi points to poison memory. However, In such situation, it will 
trigger EPT fault firstly and cause the guest be crashed (I tested movs from 
poison memory to apic range). As there is no prefetch in EPT situation if I 
understand correctly, I assume it should be ok at least for EPT guest.

>
>What behaviour would you like when qemu tries to DMA to a broken page?
>Or when a backend driver grant-copies to it?

Yes, we need consider this also, but that is more like unmap for PV guest.

I do have internal patch to handle more situation, like following. But I didn't 
find method to test it for EPT guest, I delay it to future work.

@@ -94,6 +94,12 @@ static inline void *map_domain_gfn(struc
 {
     /* Translate the gfn, unsharing if shared */
     *mfn = gfn_to_mfn_unshare(d, gfn_x(gfn), p2mt, 0);
+
+    if ( p2m_is_broken(*p2mt) )
+    {
+        *rc = _PAGE_BROKEN;
+        return NULL;
+    }
     if ( p2m_is_paging(*p2mt) )
     {
         p2m_mem_paging_populate(d, gfn_x(gfn));

BTW, I think we need try our best to unmap, but maybe we can't cover every 
scenerio. For example, this patch will cover the access from EPT guest. But 
maybe we will not unmap for grant map, if the implementation is too intrusive, 
or maintainer will not accept it if too complex :-).

>
>Is there a case for just having the P2M lookups (at least the _query()
>kind) call domain_crash when they hit a poisoned page?

I'm not sure that will be over-killed. Will caller of p2m lookup can tolerate 
failure?

Thanks
--jyh

>
>Cheers,
>
>Tim.
>
>>      /*
>>       * If this GFN is emulated MMIO or marked as read-only, pass the fault
>>       * to the mmio handler.
>> diff -r 29f0479830cd xen/include/asm-x86/p2m.h
>> --- a/xen/include/asm-x86/p2m.h      Mon Jul 12 13:12:31 2010 +0800
>> +++ b/xen/include/asm-x86/p2m.h      Mon Jul 12 13:56:02 2010 +0800
>> @@ -85,6 +85,7 @@ typedef enum {
>>      p2m_ram_paging_in = 11,       /* Memory that is being paged in */
>>      p2m_ram_paging_in_start = 12, /* Memory that is being paged in */
>>      p2m_ram_shared = 13,          /* Shared or sharable memory */
>> +    p2m_ram_broken  = 14,        /* broken page, access cause domain
>crash*/
>>  } p2m_type_t;
>>
>>  typedef enum {
>> @@ -132,6 +133,8 @@ typedef enum {
>>                            | p2m_to_mask(p2m_ram_paging_in))
>>
>>  #define P2M_PAGED_TYPES (p2m_to_mask(p2m_ram_paged))
>> +
>> +#define P2M_BROKEN_TYPES (p2m_to_mask(p2m_ram_broken))
>>
>>  /* Shared types */
>>  /* XXX: Sharable types could include p2m_ram_ro too, but we would need to
>> @@ -155,6 +158,7 @@ typedef enum {
>>  #define p2m_is_paged(_t)    (p2m_to_mask(_t) & P2M_PAGED_TYPES)
>>  #define p2m_is_sharable(_t) (p2m_to_mask(_t) & P2M_SHARABLE_TYPES)
>>  #define p2m_is_shared(_t)   (p2m_to_mask(_t) & P2M_SHARED_TYPES)
>> +#define p2m_is_broken(_t)   (p2m_to_mask(_t) & P2M_BROKEN_TYPES)
>>
>>
>>  /* Populate-on-demand */
>> diff -r 29f0479830cd xen/include/asm-x86/page.h
>> --- a/xen/include/asm-x86/page.h     Mon Jul 12 13:12:31 2010 +0800
>> +++ b/xen/include/asm-x86/page.h     Mon Jul 12 13:56:21 2010 +0800
>> @@ -323,6 +323,7 @@ void setup_idle_pagetable(void);
>>  #define _PAGE_PSE_PAT 0x1000U
>>  #define _PAGE_PAGED   0x2000U
>>  #define _PAGE_SHARED  0x4000U
>> +#define _PAGE_BROKEN  0x8000U
>>
>>  /*
>>   * Debug option: Ensure that granted mappings are not implicitly unmapped.
>>
>>
>
>
>
>--
>Tim Deegan <Tim.Deegan@xxxxxxxxxx>
>Principal Software Engineer, XenServer Engineering
>Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)
>
>_______________________________________________
>Xen-devel mailing list
>Xen-devel@xxxxxxxxxxxxxxxxxxx
>http://lists.xensource.com/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel