From: Fuad Tabba
Date: Fri, 30 May 2025 09:53:19 +0100
Subject: Re: [RFC PATCH v2 02/51] KVM: guest_memfd: Introduce and use shareability to guard faulting
To: Yan Zhao
Cc: Ackerley Tng, kvm@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, x86@kernel.org, linux-fsdevel@vger.kernel.org, aik@amd.com, ajones@ventanamicro.com, akpm@linux-foundation.org, amoorthy@google.com, anthony.yznaga@oracle.com, anup@brainfault.org, aou@eecs.berkeley.edu, bfoster@redhat.com, binbin.wu@linux.intel.com, brauner@kernel.org, catalin.marinas@arm.com, chao.p.peng@intel.com, chenhuacai@kernel.org, dave.hansen@intel.com, david@redhat.com, dmatlack@google.com, dwmw@amazon.co.uk, erdemaktas@google.com, fan.du@intel.com, fvdl@google.com, graf@amazon.com, haibo1.xu@intel.com, hch@infradead.org, hughd@google.com, ira.weiny@intel.com, isaku.yamahata@intel.com, jack@suse.cz, james.morse@arm.com, jarkko@kernel.org, jgg@ziepe.ca, jgowans@amazon.com, jhubbard@nvidia.com, jroedel@suse.de, jthoughton@google.com, jun.miao@intel.com, kai.huang@intel.com, keirf@google.com, kent.overstreet@linux.dev, kirill.shutemov@intel.com, liam.merwick@oracle.com, maciej.wieczor-retman@intel.com, mail@maciej.szmigiero.name, maz@kernel.org, mic@digikod.net, michael.roth@amd.com, mpe@ellerman.id.au, muchun.song@linux.dev, nikunj@amd.com, nsaenz@amazon.es, oliver.upton@linux.dev, palmer@dabbelt.com, pankaj.gupta@amd.com, paul.walmsley@sifive.com, pbonzini@redhat.com, pdurrant@amazon.co.uk, peterx@redhat.com, pgonda@google.com, pvorel@suse.cz, qperret@google.com, quic_cvanscha@quicinc.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, quic_svaddagi@quicinc.com, quic_tsoni@quicinc.com, richard.weiyang@gmail.com, rick.p.edgecombe@intel.com, rientjes@google.com, roypat@amazon.co.uk, rppt@kernel.org, seanjc@google.com, shuah@kernel.org, steven.price@arm.com, steven.sistare@oracle.com, suzuki.poulose@arm.com, thomas.lendacky@amd.com, usama.arif@bytedance.com, vannapurve@google.com, vbabka@suse.cz, viro@zeniv.linux.org.uk, vkuznets@redhat.com, wei.w.wang@intel.com, will@kernel.org, willy@infradead.org, xiaoyao.li@intel.com, yilun.xu@intel.com, yuzenghui@huawei.com, zhiquan1.li@intel.com

Hi,

.. snip..

> I noticed that in [1], the kvm_gmem_mmap() does not check the range.
> So, the WARN() here can be hit when userspace mmap() an area larger than the
> inode size and accesses the out of band HVA.
>
> Maybe limit the mmap() range?
> > @@ -1609,6 +1620,10 @@ static int kvm_gmem_mmap(struct file *file, struct vm_area_struct *vma) > if (!kvm_gmem_supports_shared(file_inode(file))) > return -ENODEV; > > + if (vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT) > i_size_read(file_inode(file))) > + return -EINVAL; > + > if ((vma->vm_flags & (VM_SHARED | VM_MAYSHARE)) != > (VM_SHARED | VM_MAYSHARE)) { > return -EINVAL; > > [1] https://lore.kernel.org/all/20250513163438.3942405-8-tabba@google.com/ I don't think we want to do that for a couple of reasons. We catch such invalid accesses on faulting, and, by analogy, afaikt, neither secretmem nor memfd perform a similar check on mmap (nor do memory-mapped files in general). There are also valid reasons why a user would want to deliberately mmap more memory than the backing store, knowing that it's only going to fault what it's going to use, e.g., alignment. Cheers, /fuad > > + return xa_to_value(entry); > > +} > > + > > +static struct folio *kvm_gmem_get_shared_folio(struct inode *inode, pgoff_t index) > > +{ > > + if (kvm_gmem_shareability_get(inode, index) != SHAREABILITY_ALL) > > + return ERR_PTR(-EACCES); > > + > > + return kvm_gmem_get_folio(inode, index); > > +} > > + > > +#else > > + > > +static int kvm_gmem_shareability_setup(struct maple_tree *mt, loff_t size, u64 flags) > > +{ > > + return 0; > > +} > > + > > +static inline struct folio *kvm_gmem_get_shared_folio(struct inode *inode, pgoff_t index) > > +{ > > + WARN_ONCE("Unexpected call to get shared folio.") > > + return NULL; > > +} > > + > > +#endif /* CONFIG_KVM_GMEM_SHARED_MEM */ > > + > > static int __kvm_gmem_prepare_folio(struct kvm *kvm, struct kvm_memory_slot *slot, > > pgoff_t index, struct folio *folio) > > { 
> > @@ -333,7 +404,7 @@ static vm_fault_t kvm_gmem_fault_shared(struct vm_fault *vmf) > > > > filemap_invalidate_lock_shared(inode->i_mapping); > > > > - folio = kvm_gmem_get_folio(inode, vmf->pgoff); > > + folio = kvm_gmem_get_shared_folio(inode, vmf->pgoff); > > if (IS_ERR(folio)) { > > int err = PTR_ERR(folio); > > > > @@ -420,8 +491,33 @@ static struct file_operations kvm_gmem_fops = { > > .fallocate = kvm_gmem_fallocate, > > }; > > > > +static void kvm_gmem_free_inode(struct inode *inode) > > +{ > > + struct kvm_gmem_inode_private *private = kvm_gmem_private(inode); > > + > > + kfree(private); > > + > > + free_inode_nonrcu(inode); > > +} > > + > > +static void kvm_gmem_destroy_inode(struct inode *inode) > > +{ > > + struct kvm_gmem_inode_private *private = kvm_gmem_private(inode); > > + > > +#ifdef CONFIG_KVM_GMEM_SHARED_MEM > > + /* > > + * mtree_destroy() can't be used within rcu callback, hence can't be > > + * done in ->free_inode(). > > + */ > > + if (private) > > + mtree_destroy(&private->shareability); > > +#endif > > +} > > + > > static const struct super_operations kvm_gmem_super_operations = { > > .statfs = simple_statfs, > > + .destroy_inode = kvm_gmem_destroy_inode, > > + .free_inode = kvm_gmem_free_inode, > > }; > > > > static int kvm_gmem_init_fs_context(struct fs_context *fc) 
> > @@ -549,12 +645,26 @@ static const struct inode_operations kvm_gmem_iops = { > > static struct inode *kvm_gmem_inode_make_secure_inode(const char *name, > > loff_t size, u64 flags) > > { > > + struct kvm_gmem_inode_private *private; > > struct inode *inode; > > + int err; > > > > inode = alloc_anon_secure_inode(kvm_gmem_mnt->mnt_sb, name); > > if (IS_ERR(inode)) > > return inode; > > > > + err = -ENOMEM; > > + private = kzalloc(sizeof(*private), GFP_KERNEL); > > + if (!private) > > + goto out; > > + > > + mt_init(&private->shareability); > Wrap the mt_init() inside "#ifdef CONFIG_KVM_GMEM_SHARED_MEM" ? > > > + inode->i_mapping->i_private_data = private; > > + > > + err = kvm_gmem_shareability_setup(private, size, flags); > > + if (err) > > + goto out; > > + > > inode->i_private = (void *)(unsigned long)flags; > > inode->i_op = &kvm_gmem_iops; > > inode->i_mapping->a_ops = &kvm_gmem_aops; > > @@ -566,6 +676,11 @@ static struct inode *kvm_gmem_inode_make_secure_inode(const char *name, > > WARN_ON_ONCE(!mapping_unevictable(inode->i_mapping)); > > > > return inode; > > + > > +out: > > + iput(inode); > > + > > + return ERR_PTR(err); > > } > > > > static struct file *kvm_gmem_inode_create_getfile(void *priv, loff_t size, > > @@ -654,6 +769,9 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args) > > if (kvm_arch_vm_supports_gmem_shared_mem(kvm)) > > valid_flags |= GUEST_MEMFD_FLAG_SUPPORT_SHARED; > > > > + if (flags & GUEST_MEMFD_FLAG_SUPPORT_SHARED) > > + valid_flags |= GUEST_MEMFD_FLAG_INIT_PRIVATE; > > + > > if (flags & ~valid_flags) > > return -EINVAL; > > > > @@ -842,6 +960,8 @@ int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot, > > if (!file) > > return -EFAULT; > > > > + filemap_invalidate_lock_shared(file_inode(file)->i_mapping); > > + > > folio = __kvm_gmem_get_pfn(file, slot, index, pfn, &is_prepared, max_order); > > if (IS_ERR(folio)) { > > r = PTR_ERR(folio); 
> > @@ -857,8 +977,8 @@ int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot, > > *page = folio_file_page(folio, index); > > else > > folio_put(folio); > > - > > out: > > + filemap_invalidate_unlock_shared(file_inode(file)->i_mapping); > > fput(file); > > return r; > > } > > -- > > 2.49.0.1045.g170613ef41-goog > > > >
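Review bot: in the range check proposed for kvm_gmem_mmap(), `vma->vm_pgoff << PAGE_SHIFT` is evaluated in `unsigned long`, so on 32-bit builds an offset at or beyond 4 GiB wraps and an out-of-range mapping can pass the test; if a mmap-time bound is kept at all, compare in page units, e.g. `if (vma->vm_pgoff + vma_pages(vma) > DIV_ROUND_UP(i_size_read(file_inode(file)), PAGE_SIZE))`, which also handles a non-page-aligned i_size without truncating the last partial page.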
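Review bot: the `#else` stub of kvm_gmem_get_shared_folio() does not compile when CONFIG_KVM_GMEM_SHARED_MEM is off: `WARN_ONCE("Unexpected call to get shared folio.")` has no terminating semicolon and passes the message as the condition argument, since WARN_ONCE() takes `(condition, fmt, ...)`; write `WARN_ONCE(1, "Unexpected call to get shared folio.\n");`. The stub should also return an ERR_PTR (for example `ERR_PTR(-EOPNOTSUPP)`) rather than NULL, because the caller in kvm_gmem_fault_shared() only tests `IS_ERR(folio)` and would dereference a NULL folio.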
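Review bot: in kvm_gmem_destroy_inode(), `private` is declared and initialised outside the `#ifdef CONFIG_KVM_GMEM_SHARED_MEM` block but only used inside it, so a build with that option off gets an unused-variable warning; move the declaration under the `#ifdef` or make the whole function body conditional.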
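Review bot: in kvm_gmem_inode_make_secure_inode(), the call `kvm_gmem_shareability_setup(private, size, flags)` passes a `struct kvm_gmem_inode_private *`, but the `#else` stub is declared as `kvm_gmem_shareability_setup(struct maple_tree *mt, loff_t size, u64 flags)`, an incompatible-pointer-type error with CONFIG_KVM_GMEM_SHARED_MEM off; give the stub the same parameter type as the real function. On the same hunk, Yan's point about wrapping `mt_init(&private->shareability)` in the `#ifdef` stands, and the `out:` path deserves a one-line comment saying that `iput()` releases `private` and the tree through ->destroy_inode()/->free_inode(), which only works because `i_private_data` is assigned before the first failure point after the kzalloc().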
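Review bot: the two kvm_gmem_get_pfn() hunks add `filemap_invalidate_lock_shared()` around __kvm_gmem_get_pfn() without a comment saying what it serialises against (presumably shareability updates racing with the lookup); add that comment, and make sure every error return between the lock and `out:` goes through the unlock rather than returning directly. Dropping the blank line before `out:` is an unrelated whitespace change and should not be in this patch.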
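The argument Fuad makes above, that an mmap() larger than the backing store is harmless because the out-of-range page is refused at fault time and memfd already behaves that way, can be checked from userspace. The C program below is an added example, not code from this thread or from the guest_memfd patch: it creates a memfd of `file_pages` pages, maps `map_pages` pages of it, writes to every page and records which writes were answered with SIGBUS. The memfd name "gmem-probe" and the /tmp fallback path are arbitrary choices; the fallback to a regular file is only for libcs without memfd_create() and exercises the same fault-time check in filemap_fault().

```c
/*
 * Added example (not from the thread or the patch): show that Linux lets a
 * MAP_SHARED mapping exceed the file size and only rejects the excess when
 * it is touched, by delivering SIGBUS from the fault handler.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf bus_env;

static void on_sigbus(int sig)
{
	(void)sig;
	/* Only reached while touch_traps() is still on the stack. */
	siglongjmp(bus_env, 1);
}

/* Returns 1 if writing *p raised SIGBUS, 0 if the write completed. */
static int touch_traps(volatile unsigned char *p)
{
	if (sigsetjmp(bus_env, 1) != 0)
		return 1;
	*p = 0x5a;
	return 0;
}

/*
 * Map map_pages pages of a file that is file_pages pages long and write to
 * each page. Bit i of the result is set when page i faulted with SIGBUS.
 * Returns -1 on setup failure.
 */
long probe_memfd_mapping(unsigned file_pages, unsigned map_pages)
{
	long page = sysconf(_SC_PAGESIZE);
	struct sigaction sa, old;
	unsigned char *base;
	long mask = 0;
	int fd = -1;

	if (page <= 0 || map_pages >= sizeof(long) * 8 - 1)
		return -1;

#ifdef MFD_CLOEXEC
	fd = memfd_create("gmem-probe", MFD_CLOEXEC);	/* name is arbitrary */
#endif
	if (fd < 0) {
		/* Assumed fallback: a regular file behaves the same at fault time. */
		char path[] = "/tmp/gmem-probe-XXXXXX";
		fd = mkstemp(path);
		if (fd < 0)
			return -1;
		unlink(path);
	}
	if (ftruncate(fd, (off_t)file_pages * page) < 0) {
		close(fd);
		return -1;
	}

	/* As with kvm_gmem_mmap() in the patch, mmap() itself does not bound
	 * the VMA by i_size; the kernel defers that check to the fault path. */
	base = mmap(NULL, (size_t)map_pages * page, PROT_READ | PROT_WRITE,
		    MAP_SHARED, fd, 0);
	if (base == MAP_FAILED) {
		close(fd);
		return -1;
	}

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_sigbus;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGBUS, &sa, &old);

	for (unsigned i = 0; i < map_pages; i++)
		if (touch_traps(base + (size_t)i * page))
			mask |= 1L << i;

	sigaction(SIGBUS, &old, NULL);
	munmap(base, (size_t)map_pages * page);
	close(fd);
	return mask;
}

int main(void)
{
	long m = probe_memfd_mapping(1, 4);

	if (m < 0) {
		perror("probe_memfd_mapping");
		return 1;
	}
	for (unsigned i = 0; i < 4; i++)
		printf("page %u: %s\n", i, (m >> i) & 1 ? "SIGBUS" : "ok");
	return 0;
}
```

With a one-page file mapped as four pages, the first write succeeds and the remaining three trap: this is the oversized mapping Yan describes, caught on the fault path instead of in mmap(). The siglongjmp() out of the handler is safe only because the jump target, touch_traps(), is still executing when the fault happens.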