[v2,06/54] perf: Support get/put passthrough PMU interfaces

Message ID	20240506053020.3911940-7-mizhang@google.com (mailing list archive)
State	New, archived
Headers	show Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 406E44F218 for <kvm@vger.kernel.org>; Mon, 6 May 2024 05:30:39 +0000 (UTC) Reply-To: Mingwei Zhang <mizhang@google.com> Date: Mon, 6 May 2024 05:29:31 +0000 In-Reply-To: <20240506053020.3911940-1-mizhang@google.com> Precedence: bulk Mime-Version: 1.0 References: <20240506053020.3911940-1-mizhang@google.com> Message-ID: <20240506053020.3911940-7-mizhang@google.com> Subject: [PATCH v2 06/54] perf: Support get/put passthrough PMU interfaces From: Mingwei Zhang <mizhang@google.com> To: Sean Christopherson <seanjc@google.com>, Paolo Bonzini <pbonzini@redhat.com>, Xiong Zhang <xiong.y.zhang@intel.com>, Dapeng Mi <dapeng1.mi@linux.intel.com>, Kan Liang <kan.liang@intel.com>, Zhenyu Wang <zhenyuw@linux.intel.com>, Manali Shukla <manali.shukla@amd.com>, Sandipan Das <sandipan.das@amd.com> Cc: Jim Mattson <jmattson@google.com>, Stephane Eranian <eranian@google.com>, Ian Rogers <irogers@google.com>, Namhyung Kim <namhyung@kernel.org>, Mingwei Zhang <mizhang@google.com>, gce-passthrou-pmu-dev@google.com, Samantha Alt <samantha.alt@intel.com>, Zhiyuan Lv <zhiyuan.lv@intel.com>, Yanfei Xu <yanfei.xu@intel.com>, maobibo <maobibo@loongson.cn>, Like Xu <like.xu.linux@gmail.com>, Peter Zijlstra <peterz@infradead.org>, kvm@vger.kernel.org, linux-perf-users@vger.kernel.org Content-Type: text/plain; charset="UTF-8"
Series	Mediated Passthrough vPMU 2.0 for x86 \| expand [v2,00/54] Mediated Passthrough vPMU 2.0 for x86 [v2,01/54] KVM: x86/pmu: Set enable bits for GP counters in PERF_GLOBAL_CTRL at "RESET" [v2,02/54] KVM: x86: Snapshot if a vCPU's vendor model is AMD vs. Intel compatible [v2,03/54] KVM: x86/pmu: Do not mask LVTPC when handling a PMI on AMD platforms [v2,04/54] x86/msr: Define PerfCntrGlobalStatusSet register [v2,05/54] x86/msr: Introduce MSR_CORE_PERF_GLOBAL_STATUS_SET [v2,06/54] perf: Support get/put passthrough PMU interfaces [v2,07/54] perf: Add generic exclude_guest support [v2,08/54] perf/x86/intel: Support PERF_PMU_CAP_PASSTHROUGH_VPMU [v2,09/54] perf: core/x86: Register a new vector for KVM GUEST PMI [v2,10/54] KVM: x86: Extract x86_set_kvm_irq_handler() function [v2,11/54] KVM: x86/pmu: Register guest pmi handler for emulated PMU [v2,12/54] perf: x86: Add x86 function to switch PMI handler [v2,13/54] perf: core/x86: Forbid PMI handler when guest own PMU [v2,14/54] perf: core/x86: Plumb passthrough PMU capability from x86_pmu to x86_pmu_cap [v2,15/54] KVM: x86/pmu: Introduce enable_passthrough_pmu module parameter [v2,16/54] KVM: x86/pmu: Plumb through pass-through PMU to vcpu for Intel CPUs [v2,17/54] KVM: x86/pmu: Always set global enable bits in passthrough mode [v2,18/54] KVM: x86/pmu: Add a helper to check if passthrough PMU is enabled [v2,19/54] KVM: x86/pmu: Add host_perf_cap and initialize it in kvm_x86_vendor_init() [v2,20/54] KVM: x86/pmu: Allow RDPMC pass through when all counters exposed to guest [v2,21/54] KVM: x86/pmu: Introduce macro PMU_CAP_PERF_METRICS [v2,22/54] KVM: x86/pmu: Introduce PMU operator to check if rdpmc passthrough allowed [v2,23/54] KVM: x86/pmu: Manage MSR interception for IA32_PERF_GLOBAL_CTRL [v2,24/54] KVM: x86/pmu: Create a function prototype to disable MSR interception [v2,25/54] KVM: x86/pmu: Add intel_passthrough_pmu_msrs() to pass-through PMU MSRs [v2,26/54] KVM: x86/pmu: Avoid legacy vPMU code when accessing global_ctrl in passthrough vPMU [v2,27/54] KVM: x86/pmu: Exclude PMU MSRs in vmx_get_passthrough_msr_slot() [v2,28/54] KVM: x86/pmu: Add counter MSR and selector MSR index into struct kvm_pmc [v2,29/54] KVM: x86/pmu: Introduce PMU operation prototypes for save/restore PMU context [v2,30/54] KVM: x86/pmu: Implement the save/restore of PMU state for Intel CPU [v2,31/54] KVM: x86/pmu: Make check_pmu_event_filter() an exported function [v2,32/54] KVM: x86/pmu: Allow writing to event selector for GP counters if event is allowed [v2,33/54] KVM: x86/pmu: Allow writing to fixed counter selector if counter is exposed [v2,34/54] KVM: x86/pmu: Switch IA32_PERF_GLOBAL_CTRL at VM boundary [v2,35/54] KVM: x86/pmu: Exclude existing vLBR logic from the passthrough PMU [v2,36/54] KVM: x86/pmu: Switch PMI handler at KVM context switch boundary [v2,37/54] KVM: x86/pmu: Grab x86 core PMU for passthrough PMU VM [v2,38/54] KVM: x86/pmu: Call perf_guest_enter() at PMU context switch [v2,39/54] KVM: x86/pmu: Add support for PMU context switch at VM-exit/enter [v2,40/54] KVM: x86/pmu: Introduce PMU operator to increment counter [v2,41/54] KVM: x86/pmu: Introduce PMU operator for setting counter overflow [v2,42/54] KVM: x86/pmu: Implement emulated counter increment for passthrough PMU [v2,43/54] KVM: x86/pmu: Update pmc_{read,write}_counter() to disconnect perf API [v2,44/54] KVM: x86/pmu: Disconnect counter reprogram logic from passthrough PMU [v2,45/54] KVM: nVMX: Add nested virtualization support for passthrough PMU [v2,46/54] perf/x86/amd/core: Set passthrough capability for host [v2,47/54] KVM: x86/pmu/svm: Set passthrough capability for vcpus [v2,48/54] KVM: x86/pmu/svm: Set enable_passthrough_pmu module parameter [v2,49/54] KVM: x86/pmu/svm: Allow RDPMC pass through when all counters exposed to guest [v2,50/54] KVM: x86/pmu/svm: Implement callback to disable MSR interception [v2,51/54] KVM: x86/pmu/svm: Set GuestOnly bit and clear HostOnly bit when guest write to event sel… [v2,52/54] KVM: x86/pmu/svm: Add registers to direct access list [v2,53/54] KVM: x86/pmu/svm: Implement handlers to save and restore context [v2,54/54] KVM: x86/pmu/svm: Wire up PMU filtering functionality for passthrough PMU

Mingwei Zhang May 6, 2024, 5:29 a.m. UTC

From: Kan Liang <kan.liang@linux.intel.com>

Currently, the guest and host share the PMU resources when a guest is
running. KVM has to create an extra virtual event to simulate the
guest's event, which brings several issues, e.g., high overhead, not
accuracy and etc.

A new passthrough PMU method is proposed to address the issue. It requires
that the PMU resources can be fully occupied by the guest while it's
running. Two new interfaces are implemented to fulfill the requirement.
The hypervisor should invoke the interface while creating a guest which
wants the passthrough PMU capability.

The PMU resources should only be temporarily occupied as a whole when a
guest is running. When the guest is out, the PMU resources are still
shared among different users.

The exclude_guest event modifier is used to guarantee the exclusive
occupation of the PMU resources. When creating a guest, the hypervisor
should check whether there are !exclude_guest events in the system.
If yes, the creation should fail. Because some PMU resources have been
occupied by other users.
If no, the PMU resources can be safely accessed by the guest directly.
Perf guarantees that no new !exclude_guest events are created when a
guest is running.

Only the passthrough PMU is affected, but not for other PMU e.g., uncore
and SW PMU. The behavior of those PMUs are not changed. The guest
enter/exit interfaces should only impact the supported PMUs.
Add a new PERF_PMU_CAP_PASSTHROUGH_VPMU flag to indicate the PMUs that
support the feature.

Add nr_include_guest_events to track the !exclude_guest system-wide
event of PMU with PERF_PMU_CAP_PASSTHROUGH_VPMU.

Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
---
 include/linux/perf_event.h |  9 +++++
 kernel/events/core.c       | 67 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)

Peter Zijlstra May 7, 2024, 8:31 a.m. UTC | #1

On Mon, May 06, 2024 at 05:29:31AM +0000, Mingwei Zhang wrote:


> +int perf_get_mediated_pmu(void)
> +{
> +	int ret = 0;
> +
> +	mutex_lock(&perf_mediated_pmu_mutex);
> +	if (refcount_inc_not_zero(&nr_mediated_pmu_vms))
> +		goto end;
> +
> +	if (atomic_read(&nr_include_guest_events)) {
> +		ret = -EBUSY;
> +		goto end;
> +	}
> +	refcount_set(&nr_mediated_pmu_vms, 1);
> +end:
> +	mutex_unlock(&perf_mediated_pmu_mutex);
> +	return ret;
> +}
> +EXPORT_SYMBOL_GPL(perf_get_mediated_pmu);

Blergh... it seems I never got my perf guard patches merged :/, but
could we please write this like:

int perf_get_mediated_pmu(void)
{
	guard(mutex)(&perf_mediated_pmu_mutex);
	if (refcount_inc_not_zero(&nr_mediated_pmu_vms))
		return 0;

	if (atomic_read(&nr_include_guest_events))
		return -EBUSY;

	refcount_set(&nr_mediated_pmu_vms, 1);
	return 0;
}

And avoid adding more unlock goto thingies?

Peter Zijlstra May 7, 2024, 8:41 a.m. UTC | #2

On Mon, May 06, 2024 at 05:29:31AM +0000, Mingwei Zhang wrote:

> +int perf_get_mediated_pmu(void)
> +{
> +	int ret = 0;
> +
> +	mutex_lock(&perf_mediated_pmu_mutex);
> +	if (refcount_inc_not_zero(&nr_mediated_pmu_vms))
> +		goto end;
> +
> +	if (atomic_read(&nr_include_guest_events)) {
> +		ret = -EBUSY;
> +		goto end;
> +	}
> +	refcount_set(&nr_mediated_pmu_vms, 1);
> +end:
> +	mutex_unlock(&perf_mediated_pmu_mutex);
> +	return ret;
> +}
> +EXPORT_SYMBOL_GPL(perf_get_mediated_pmu);
> +
> +void perf_put_mediated_pmu(void)
> +{
> +	if (!refcount_dec_not_one(&nr_mediated_pmu_vms))
> +		refcount_set(&nr_mediated_pmu_vms, 0);

I'm sorry, but this made the WTF'o'meter go 'ding'.

Isn't that simply refcount_dec() ?

> +}
> +EXPORT_SYMBOL_GPL(perf_put_mediated_pmu);
> +
>  /*
>   * Holding the top-level event's child_mutex means that any
>   * descendant process that has inherited this event will block
> @@ -12086,11 +12140,24 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
>  	if (err)
>  		goto err_callchain_buffer;
>  
> +	if (is_include_guest_event(event)) {
> +		mutex_lock(&perf_mediated_pmu_mutex);
> +		if (refcount_read(&nr_mediated_pmu_vms)) {
> +			mutex_unlock(&perf_mediated_pmu_mutex);
> +			err = -EACCES;
> +			goto err_security_alloc;
> +		}
> +		atomic_inc(&nr_include_guest_events);
> +		mutex_unlock(&perf_mediated_pmu_mutex);
> +	}

Wouldn't all that be nicer with a helper function?

	if (is_include_guest_event() && !perf_get_guest_event())
		goto err_security_alloc;

> +
>  	/* symmetric to unaccount_event() in _free_event() */
>  	account_event(event);
>  
>  	return event;
>  
> +err_security_alloc:
> +	security_perf_event_free(event);
>  err_callchain_buffer:
>  	if (!event->parent) {
>  		if (event->attr.sample_type & PERF_SAMPLE_CALLCHAIN)
> -- 
> 2.45.0.rc1.225.g2a3ae87e7f-goog
>

Xiong Zhang May 8, 2024, 4:13 a.m. UTC | #3

On 5/7/2024 4:31 PM, Peter Zijlstra wrote:
> On Mon, May 06, 2024 at 05:29:31AM +0000, Mingwei Zhang wrote:
> 
> 
>> +int perf_get_mediated_pmu(void)
>> +{
>> +	int ret = 0;
>> +
>> +	mutex_lock(&perf_mediated_pmu_mutex);
>> +	if (refcount_inc_not_zero(&nr_mediated_pmu_vms))
>> +		goto end;
>> +
>> +	if (atomic_read(&nr_include_guest_events)) {
>> +		ret = -EBUSY;
>> +		goto end;
>> +	}
>> +	refcount_set(&nr_mediated_pmu_vms, 1);
>> +end:
>> +	mutex_unlock(&perf_mediated_pmu_mutex);
>> +	return ret;
>> +}
>> +EXPORT_SYMBOL_GPL(perf_get_mediated_pmu);
> 
> Blergh... it seems I never got my perf guard patches merged :/, but
> could we please write this like:
> 
> int perf_get_mediated_pmu(void)
> {
> 	guard(mutex)(&perf_mediated_pmu_mutex);
> 	if (refcount_inc_not_zero(&nr_mediated_pmu_vms))
> 		return 0;
> 
> 	if (atomic_read(&nr_include_guest_events))
> 		return -EBUSY;
> 
> 	refcount_set(&nr_mediated_pmu_vms, 1);
> 	return 0;
> }
> 
> And avoid adding more unlock goto thingies?
>yes, this works. And code is cleaner.

thanks

Xiong Zhang May 8, 2024, 4:54 a.m. UTC | #4

On 5/7/2024 4:41 PM, Peter Zijlstra wrote:
> On Mon, May 06, 2024 at 05:29:31AM +0000, Mingwei Zhang wrote:
> 
>> +int perf_get_mediated_pmu(void)
>> +{
>> +	int ret = 0;
>> +
>> +	mutex_lock(&perf_mediated_pmu_mutex);
>> +	if (refcount_inc_not_zero(&nr_mediated_pmu_vms))
>> +		goto end;
>> +
>> +	if (atomic_read(&nr_include_guest_events)) {
>> +		ret = -EBUSY;
>> +		goto end;
>> +	}
>> +	refcount_set(&nr_mediated_pmu_vms, 1);
>> +end:
>> +	mutex_unlock(&perf_mediated_pmu_mutex);
>> +	return ret;
>> +}
>> +EXPORT_SYMBOL_GPL(perf_get_mediated_pmu);
>> +
>> +void perf_put_mediated_pmu(void)
>> +{
>> +	if (!refcount_dec_not_one(&nr_mediated_pmu_vms))
>> +		refcount_set(&nr_mediated_pmu_vms, 0);
> 
> I'm sorry, but this made the WTF'o'meter go 'ding'.
> 
> Isn't that simply refcount_dec() ?
when nr_mediated_pmu_vms is 1, refcount_dec(&nr_mediated_pmu_vms) has an
error and call trace: refcount_t: decrement hit 0; leaking memory.

Similar when nr_mediated_pmu_vms is 0, refcount_inc(&nr_mediated_pmu_vms)
has an error and call trace also: refcount_t: addition on 0; use_after_free.

it seems refcount_set() should be used to set 1 or 0 to refcount_t.
> 
>> +}
>> +EXPORT_SYMBOL_GPL(perf_put_mediated_pmu);
>> +
>>  /*
>>   * Holding the top-level event's child_mutex means that any
>>   * descendant process that has inherited this event will block
>> @@ -12086,11 +12140,24 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
>>  	if (err)
>>  		goto err_callchain_buffer;
>>  
>> +	if (is_include_guest_event(event)) {
>> +		mutex_lock(&perf_mediated_pmu_mutex);
>> +		if (refcount_read(&nr_mediated_pmu_vms)) {
>> +			mutex_unlock(&perf_mediated_pmu_mutex);
>> +			err = -EACCES;
>> +			goto err_security_alloc;
>> +		}
>> +		atomic_inc(&nr_include_guest_events);
>> +		mutex_unlock(&perf_mediated_pmu_mutex);
>> +	}
> 
> Wouldn't all that be nicer with a helper function?
yes, it is nicer.

thanks
> 
> 	if (is_include_guest_event() && !perf_get_guest_event())
> 		goto err_security_alloc;
> 
>> +
>>  	/* symmetric to unaccount_event() in _free_event() */
>>  	account_event(event);
>>  
>>  	return event;
>>  
>> +err_security_alloc:
>> +	security_perf_event_free(event);
>>  err_callchain_buffer:
>>  	if (!event->parent) {
>>  		if (event->attr.sample_type & PERF_SAMPLE_CALLCHAIN)
>> -- 
>> 2.45.0.rc1.225.g2a3ae87e7f-goog
>>
>

Peter Zijlstra May 8, 2024, 8:32 a.m. UTC | #5

On Wed, May 08, 2024 at 12:54:31PM +0800, Zhang, Xiong Y wrote:
> On 5/7/2024 4:41 PM, Peter Zijlstra wrote:
> > On Mon, May 06, 2024 at 05:29:31AM +0000, Mingwei Zhang wrote:

> >> +void perf_put_mediated_pmu(void)
> >> +{
> >> +	if (!refcount_dec_not_one(&nr_mediated_pmu_vms))
> >> +		refcount_set(&nr_mediated_pmu_vms, 0);
> > 
> > I'm sorry, but this made the WTF'o'meter go 'ding'.
> > 
> > Isn't that simply refcount_dec() ?
> when nr_mediated_pmu_vms is 1, refcount_dec(&nr_mediated_pmu_vms) has an
> error and call trace: refcount_t: decrement hit 0; leaking memory.
> 
> Similar when nr_mediated_pmu_vms is 0, refcount_inc(&nr_mediated_pmu_vms)
> has an error and call trace also: refcount_t: addition on 0; use_after_free.
> 
> it seems refcount_set() should be used to set 1 or 0 to refcount_t.

Ah, yes, you need refcount_dec_and_test() in order to free. But if this
is the case, then you simply shouldn't be using refcount.

[v2,06/54] perf: Support get/put passthrough PMU interfaces

Commit Message

Comments

Patch