From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2EA8C77B7A for ; Fri, 19 May 2023 08:38:38 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 4B7CE900006; Fri, 19 May 2023 04:38:38 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 44084900004; Fri, 19 May 2023 04:38:38 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2E1AE900006; Fri, 19 May 2023 04:38:38 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 18DE6900004 for ; Fri, 19 May 2023 04:38:38 -0400 (EDT) Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id D604DC092E for ; Fri, 19 May 2023 08:38:37 +0000 (UTC) X-FDA: 80806353474.11.0B68DC9 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by imf21.hostedemail.com (Postfix) with ESMTP id 9F53A1C000D for ; Fri, 19 May 2023 08:38:35 +0000 (UTC) Authentication-Results: imf21.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=D561lFda; dmarc=pass (policy=none) header.from=redhat.com; spf=pass (imf21.hostedemail.com: domain of david@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1684485515; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=tX9NkuaMfOfCKs1FCdEqGfDAsl8Ds/2jqifxpDMQKog=; b=FyKqNdmTU0yUaJsJDoXi17o9+p9oZI2kgTDv7H9IgC9BqWzvzzT1z/Wnv7LlbkIlSUSGvM 4qmm7Hi6k5PHzu2T3mhWwlZPO2jUJD+kt3S8Vi/OarTWVBbx3/mJ5VTxky6a7j0oB3X+tS ElOUG1eHojU72+13l3SnOBJbE63GOcg= ARC-Authentication-Results: i=1; imf21.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=D561lFda; dmarc=pass (policy=none) header.from=redhat.com; spf=pass (imf21.hostedemail.com: domain of david@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1684485515; a=rsa-sha256; cv=none; b=G/A9jBRhHGvK9tbL7QKoP1vrmRabEZGKaTT7r9AfSpOhrfZnSsEFAE4tIog2qE6CMwp3Uj 6MJ7Pk6tlpWSjiQ/8+yTaCNjVRL/BgULgUwFlE9tNZfS/57clcccFvlvZVTUAhFi+NzmO8 uhB14K5ec/9NIT5RxMgtEeOaAcjLz8g= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1684485514; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tX9NkuaMfOfCKs1FCdEqGfDAsl8Ds/2jqifxpDMQKog=; b=D561lFdafay1NhkBb2dY5VSEopkbivV0wVlMjM2FUN4R9i+vG/RKCdF8PIDm4N5dXwrXUM P3MtwE0klO9m6NKPCyPgWWZVqXZX8QU1OaEDXc+29BFc3tnzBZl2U8aahZCoPSHc3z+hdG VSYTgO8h66KyfxhQdysTG8+By1y5z7s= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-428-8n7V0rXGPo6vhorTDwDvGA-1; Fri, 19 May 2023 04:38:33 -0400 X-MC-Unique: 8n7V0rXGPo6vhorTDwDvGA-1 Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-3f426ffdbc6so17244585e9.3 for ; Fri, 19 May 2023 01:38:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684485512; x=1687077512; h=content-transfer-encoding:in-reply-to:subject:organization:from :content-language:references:cc:to:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tX9NkuaMfOfCKs1FCdEqGfDAsl8Ds/2jqifxpDMQKog=; b=PO9/oe53o3o2tv+4LXnRyka/inURUnCRMkl8A5omyiO+NeSwbZlQDGrBs1wovdo0DO q5FBn2jBfRfGaxk+t9rMwzm0kTsJ+aSKejb5Q/zMSCIRyK/nNNEsFuzAv9IdNIv5NC4u njRr9mJMv1D1lOAwSMF9QYkCgjJqHdrZ+guju6+tSlYB84NKeuFy4p+gC4ilEOPKkjzW sCoa8Daqyl/qwyq3Iupz2BnWsiKEIjZ1ib+396rJAGWAuAFCrGL+cR+rMEuUoybvRBAC WFL98fkiTWtIBVEXIWnw4WmA++xSzfFEbaUli2nkdkNGC8cPBpmw5JLT5VaPunfZ8iKC OLrw== X-Gm-Message-State: AC+VfDyQbn0gr7C0tRhXFeI8B8XzYqu+RkNndFuyU+f0WskBkP6NKIZO ptB6HANFIuNI5zKb2dG8Dm5FX8rNfEPVzrzipEjKjIsazV15Lx3x0hvH7X4wYIPhbs3DoQg/gyf S3GrCr8Q33KA= X-Received: by 2002:a7b:c39a:0:b0:3f4:2198:dc2b with SMTP id s26-20020a7bc39a000000b003f42198dc2bmr693575wmj.37.1684485511863; Fri, 19 May 2023 01:38:31 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7LtglJFB9R2JhDU+tff4uPwmts/Q/Nk8YQIEhGQ9liamKeS2OKMjiL1/ZjRuXRD48OUaDpuA== X-Received: by 2002:a7b:c39a:0:b0:3f4:2198:dc2b with SMTP id s26-20020a7bc39a000000b003f42198dc2bmr693547wmj.37.1684485511344; Fri, 19 May 2023 01:38:31 -0700 (PDT) Received: from ?IPV6:2003:cb:c722:9d00:7421:54d8:9227:a3e8? (p200300cbc7229d00742154d89227a3e8.dip0.t-ipconnect.de. [2003:cb:c722:9d00:7421:54d8:9227:a3e8]) by smtp.gmail.com with ESMTPSA id q28-20020a056000137c00b003093a412310sm4570816wrz.92.2023.05.19.01.38.29 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 19 May 2023 01:38:30 -0700 (PDT) Message-ID: <32fdc2c8-b86b-92f3-1d5e-64db6be29126@redhat.com> Date: Fri, 19 May 2023 10:38:29 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 To: Axel Rasmussen , Peter Xu Cc: Jiaqi Yan , James Houghton , Alexander Viro , Andrew Morton , Christian Brauner , Hongchen Zhang , Huang Ying , "Liam R. Howlett" , Miaohe Lin , "Mike Rapoport (IBM)" , Nadav Amit , Naoya Horiguchi , Shuah Khan , ZhangPeng , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, Anish Moorthy References: <20230511182426.1898675-1-axelrasmussen@google.com> From: David Hildenbrand Organization: Red Hat Subject: Re: [PATCH 1/3] mm: userfaultfd: add new UFFDIO_SIGBUS ioctl In-Reply-To: X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Rspam-User: X-Stat-Signature: h58xwo3b7dmzdbgec5o9wd5xqg43ftpq X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 9F53A1C000D X-HE-Tag: 1684485515-217082 X-HE-Meta: U2FsdGVkX1+JdQsDRmE9MehblLoo/ratQKFaJDH5C8txsTY7HZpa1nqkCG2Z6fKDaITr6UOe3Vmp/zcUqahp2To3mExgjJvQCvjGaa/LrUiDWNbaLNQHIfPigiSvAS9XANWpAohaFAVdk4yXS/YIkA4zIjL6/85bm7W0jW1Lp2dV7VuFrGij4zAVppBagyOq7d7/Gw+fu1Zqz8/5w4oXjZE8sRLdOv2YKa2yyI44E292hnk7VtHUIVOaNAGWAlt+5kujzabTfuywmW0wHG75L22oo+4d0igXA9fU6EAwCYMiazIhDVkP+oE89ZGFzI02p3Yu+N6Y3k7U0Q0hPDwZKu08S/hPxl15izn2CWZkuoxMR1uJh0LB6iBYSkU1ShmJdXyghfkQVzIKSst5bW/A7ym2TuJvFys4uRrfAFHxkEpb+Ir1dHGWo562ystKIMIY1kVpvHq3nITdEQCjAvzf25DP8DhySSlRN2YmsPG87ZbAYpnQB+6psTnQnJZdVPLt//WqfEoglcvAo6lMO7kwq9VTWATCIFCWQ2f4QtH+Jd5hTKxU+4B35VnVNYqg/rv/RlDmH9XT2tDi4UroohHpJqTZY+iiQaoWwpTru+b9u06J12ww8p1tjI+KzEuq8JqWx4Tp1BvahDS+W5GWEi6Qc77NHm4aRbQFAUgvVmlO3P1FWbLsDq7/DnkATKoKaM27DbA+ZDDnmlx9WK/TXAO1P9wr4lbR7WCW+Gscjf7kkonQzzWuWjm18OR0sBFUqZcYk5vhcRNG/v98TMWS6Vro482VANMqFFH//xYPt5LQGRtaZne2rHRM8KyEL0veEDxdPWoXMfnN80qysNY2J+vAeXXqlz3Cj0vcoK7/J6+/tt+PiaVqiquVAN37rT/iAMoR027aogI+yoi+bxXtIpgedbZ9kr1I3Q6d7gA7kWpFbZsdMP8Oflcp6DA3EXDWWSVPmZWypMgl3TC2s9lN7z1 qoi77wpR D7dcWoPgCfbyTWq8jx+3ZIAQ79aVjo6VyIxDaeyYxaK4pkvux1g3n5AA3FdXCfTmXSU89S8iNOfmeMObXieTm+rPTVbrz23efKA+h9WLiDmqRd15fKC/0PSjRU1N6WZAonV0FKgcccqbxHOED0Em75xTFwI7C2K4Lxc+p+g4YxwngYYA+MP9kGtQxNqRzoftQhKSOWPGjCrbXcROaSSd7ydY7fGay4KJ7rPWTCivIcXosvmX01M9tVETwD4XGCtWQ7rvNl5zWkXck6uwMq+KFozX2LHhAI65Wie1+YJYehlXoPOSOqHoaLbCkBJeq+wRSnlOGuojZ4tYY9M3U0ohRU1vDMKHDiI84KFkJVBcFm15Epr8vZWK/ECnVwPdI9qmYLkcqeOoopPOgFABZIE1IvEkWXij4aOydNH04lNL3eNXj++OEDhrtthRJDT/7KPkBDr40eMJDbZaeEii1tvwggNyol1oP3kSo87fjL9EFuG8Q0hWcnHTAWvMADCcjwgonk520XnYbJilGnvgionU+xFUsaVbzMjdmhFMI X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 18.05.23 22:38, Axel Rasmussen wrote: > On Thu, May 18, 2023 at 9:05 AM Peter Xu wrote: >> >> On Wed, May 17, 2023 at 05:43:53PM -0700, Jiaqi Yan wrote: >>> On Wed, May 17, 2023 at 3:29 PM Axel Rasmussen wrote: >>>> >>>> On Wed, May 17, 2023 at 3:20 PM Peter Xu wrote: >>>>> >>>>> On Wed, May 17, 2023 at 06:12:33PM -0400, Peter Xu wrote: >>>>>> On Thu, May 11, 2023 at 03:00:09PM -0700, James Houghton wrote: >>>>>>> On Thu, May 11, 2023 at 11:24 AM Axel Rasmussen >>>>>>> wrote: >>>>>>>> >>>>>>>> So the basic way to use this new feature is: >>>>>>>> >>>>>>>> - On the new host, the guest's memory is registered with userfaultfd, in >>>>>>>> either MISSING or MINOR mode (doesn't really matter for this purpose). >>>>>>>> - On any first access, we get a userfaultfd event. At this point we can >>>>>>>> communicate with the old host to find out if the page was poisoned. >>>>>>>> - If so, we can respond with a UFFDIO_SIGBUS - this places a swap marker >>>>>>>> so any future accesses will SIGBUS. Because the pte is now "present", >>>>>>>> future accesses won't generate more userfaultfd events, they'll just >>>>>>>> SIGBUS directly. >>>>>>> >>>>>>> I want to clarify the SIGBUS mechanism here when KVM is involved, >>>>>>> keeping in mind that we need to be able to inject an MCE into the >>>>>>> guest for this to be useful. >>>>>>> >>>>>>> 1. vCPU gets an EPT violation --> KVM attempts GUP. >>>>>>> 2. GUP finds a PTE_MARKER_UFFD_SIGBUS and returns VM_FAULT_SIGBUS. >>>>>>> 3. KVM finds that GUP failed and returns -EFAULT. >>>>>>> >>>>>>> This is different than if GUP found poison, in which case KVM will >>>>>>> actually queue up a SIGBUS *containing the address of the fault*, and >>>>>>> userspace can use it to inject an appropriate MCE into the guest. With >>>>>>> UFFDIO_SIGBUS, we are missing the address! >>>>>>> >>>>>>> I see three options: >>>>>>> 1. Make KVM_RUN queue up a signal for any VM_FAULT_SIGBUS. I think >>>>>>> this is pointless. >>>>>>> 2. Don't have UFFDIO_SIGBUS install a PTE entry, but instead have a >>>>>>> UFFDIO_WAKE_MODE_SIGBUS, where upon waking, we return VM_FAULT_SIGBUS >>>>>>> instead of VM_FAULT_RETRY. We will keep getting userfaults on repeated >>>>>>> accesses, just like how we get repeated signals for real poison. >>>>>>> 3. Use this in conjunction with the additional KVM EFAULT info that >>>>>>> Anish proposed (the first part of [1]). >>>>>>> >>>>>>> I think option 3 is fine. :) >>>>>> >>>>>> Or... option 4) just to use either MADV_HWPOISON or hwpoison-inject? :) >>>>> >>>>> I just remember Axel mentioned this in the commit message, and just in case >>>>> this is why option 4) was ruled out: >>>>> >>>>> They expect that once poisoned, pages can never become >>>>> "un-poisoned". So, when we live migrate the VM, we need to preserve >>>>> the poisoned status of these pages. >>>>> >>>>> Just to supplement on this point: we do have unpoison (echoing to >>>>> "debug/hwpoison/hwpoison_unpoison"), or am I wrong? >>> >>> If I read unpoison_memory() correctly, once there is a real hardware >>> memory corruption (hw_memory_failure will be set), unpoison will stop >>> working and return EOPNOTSUPP. >>> >>> I know some cloud providers evacuating VMs once a single memory error >>> happens, so not supporting unpoison is probably not a big deal for >>> them. BUT others do keep VM running until more errors show up later, >>> which could be long after the 1st error. >> >> We're talking about postcopy migrating a VM has poisoned page on src, >> rather than on dst host, am I right? IOW, the dest hwpoison should be >> fake. >> >> If so, then I would assume that's the case where all the pages on the dest >> host is still all good (so hw_memory_failure not yet set, or I doubt the >> judgement of being a migration target after all)? >> >> The other thing is even if dest host has hw poisoned page, I'm not sure >> whether hw_memory_failure is the only way to solve this. >> >> I saw that this is something got worked on before from Zhenwei, David used >> to have some reasoning on why it was suggested like using a global knob: >> >> https://lore.kernel.org/all/d7927214-e433-c26d-7a9c-a291ced81887@redhat.com/ >> >> Two major issues here afaics: >> >> - Zhenwei's approach only considered x86 hwpoison - it relies on kpte >> having !present in entries but that's x86 specific rather than generic >> to memory_failure.c. >> >> - It is _assumed_ that hwpoison injection is for debugging only. >> >> I'm not sure whether you can fix 1) by some other ways, e.g., what if the >> host just remember all the hardware poisoned pfns (or remember >> soft-poisoned ones, but then here we need to be careful on removing them >> from the list when it's hwpoisoned for real)? It sounds like there's >> opportunity on providing a generic solution rather than relying on >> !pte_present(). >> >> For 2) IMHO that's not a big issue, you can declare it'll be used in !debug >> but production systems so as to boost the feature importance with a real >> use case. >> >> So far I'd say it'll be great to leverage what it's already there in linux >> and make it as generic as possible. The only issue is probably >> CAP_ADMIN... not sure whether we can have some way to provide !ADMIN >> somehow, or you can simply work around this issue. > > As you mention below I think the key distinction is the scope - I > think MADV_HWPOISON affects the whole system, including other > processes. > > For our purposes, we really just want to "poison" this particular > virtual address (the HVA, from the VM's perspective), not even other > mappings of the same shared memory. I think that behavior is different > from MADV_HWPOISON, at least. MADV_HWPOISON really is the wrong interface to use. See "man madvise". We don't want to allow arbitrary users to hwpoison+offline absolutely healthy physical memory, which is what MADV_HWPOISON is all about. As you say, we want to turn an unpopulated (!present) virtual address to mimic like we had a MCE on a page that would have been previously mapped here: install a hwpoison marker without actually poisoning any present page. In fact, we'd even want to fail if there *is* something mapped. Sure, one could teach MADV_HWPOISON to allow unprivileged users to do that for !present PTE entries, and fail for unprivileged users if there is a present PTE entry. I'm not sure if that's the cleanest approach, though, and a new MADV as suggested in this thread would eventually be cleaner. -- Thanks, David / dhildenb