From: Fuad Tabba <tabba@google.com>
Date: Wed, 14 May 2025 08:33:38 +0100
Subject: Re: [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range
To: James Houghton
Cc: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org, pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, seanjc@google.com, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, ackerleytng@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, peterx@redhat.com, pankaj.gupta@amd.com, ira.weiny@intel.com
References: <20250513163438.3942405-1-tabba@google.com> <20250513163438.3942405-9-tabba@google.com>
Hi James,

On Tue, 13 May 2025 at 21:31, James Houghton wrote:
>
> On Tue, May 13, 2025 at 9:34 AM Fuad Tabba wrote:
> >
> > From: Ackerley Tng
> >
> > On binding of a guest_memfd with a memslot, check that the slot's
> > userspace_addr and the requested fd and offset refer to the same memory
> > range.
> >
> > This check is best-effort: nothing prevents userspace from later mapping
> > other memory to the same provided in slot->userspace_addr and breaking
> > guest operation.
> >
> > Suggested-by: David Hildenbrand
> > Suggested-by: Sean Christopherson
> > Suggested-by: Yan Zhao
> > Signed-off-by: Ackerley Tng
> > Signed-off-by: Fuad Tabba
> > ---
> >  virt/kvm/guest_memfd.c | 37 ++++++++++++++++++++++++++++++++++---
> >  1 file changed, 34 insertions(+), 3 deletions(-)
> >
> > diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
> > index 8e6d1866b55e..2f499021df66 100644
> > --- a/virt/kvm/guest_memfd.c
> > +++ b/virt/kvm/guest_memfd.c
> > @@ -556,6 +556,32 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_cr= eate_guest_memfd *args) > > return __kvm_gmem_create(kvm, size, flags); > > } > > > > +static bool kvm_gmem_is_same_range(struct kvm *kvm, > > + struct kvm_memory_slot *slot, > > + struct file *file, loff_t offset) > > +{ > > + struct mm_struct *mm =3D kvm->mm; > > + loff_t userspace_addr_offset; > > + struct vm_area_struct *vma; > > + bool ret =3D false; > > + > > + mmap_read_lock(mm); > > + > > + vma =3D vma_lookup(mm, slot->userspace_addr); > > + if (!vma) > > + goto out; > > + > > + if (vma->vm_file !=3D file) > > + goto out; > > + > > + userspace_addr_offset =3D slot->userspace_addr - vma->vm_start; > > + ret =3D userspace_addr_offset + (vma->vm_pgoff << PAGE_SHIFT) = =3D=3D offset; > > +out: > > + mmap_read_unlock(mm); > > + > > + return ret; > > +} > > + > > int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, > > unsigned int fd, loff_t offset) > > { 
> > @@ -585,9 +611,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memo= ry_slot *slot, > > offset + size > i_size_read(inode)) > > goto err; > > > > - if (kvm_gmem_supports_shared(inode) && > > - !kvm_arch_vm_supports_gmem_shared_mem(kvm)) > > - goto err; > > + if (kvm_gmem_supports_shared(inode)) { > > + if (!kvm_arch_vm_supports_gmem_shared_mem(kvm)) > > + goto err; > > + > > + if (slot->userspace_addr && > > + !kvm_gmem_is_same_range(kvm, slot, file, offset)) > > + goto err; > > This is very nit-picky, but I would rather this not be -EINVAL, maybe > -EIO instead? Or maybe a pr_warn_once() and let the call proceed? > > The userspace_addr we got isn't invalid per se, we're just trying to > give a hint to the user that their VMAs (or the userspace address they > gave us) are messed up. I don't really like lumping this in with truly > invalid arguments. I don't mind changing the return error, but I don't think that we should have a kernel warning (pr_warn_once) for something userspace can trigger. It's not an IO error either. I think that this is an invalid argument (EINVAL). That said, other than opposing the idea of pr_warn, I am happy to change it. Cheers, /fuad > > + } > > > > filemap_invalidate_lock(inode->i_mapping); > > > > -- > > 2.49.0.1045.g170613ef41-goog > >
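Review bot: in the first hunk, kvm_gmem_is_same_range() validates only the VMA that contains slot->userspace_addr, so a slot whose tail is backed by a different VMA (or by nothing at all) still passes, and the "same memory range" of the commit message is really only checked at the slot's first byte. Either continue the walk past `vma->vm_end` up to the end of the slot (the slot's size is known from its page count) while the file and offset stay contiguous, or state in a comment above the function that only the start address is validated and why that is acceptable for a best-effort check. Minor: `vma->vm_pgoff << PAGE_SHIFT` is evaluated in `unsigned long` before it is added to the `loff_t` `userspace_addr_offset`; casting `vm_pgoff` to `loff_t` before the shift avoids truncation on 32-bit builds.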
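Review bot: in the second hunk the new same-range check jumps to the same `err` label as the size/offset check above it and so returns the same error value, which makes a mismatched userspace_addr indistinguishable to userspace from an out-of-bounds offset; since the thread is already debating which errno this deserves, setting the return value explicitly right before this `goto err` keeps the decision visible at the call site and trivial to change. The `slot->userspace_addr &&` guard also silently skips the check for slots with no userspace mapping; a one-line comment saying that a zero userspace_addr means "nothing to compare" and that the comparison is best-effort (as the commit message explains) would spare the next reader a trip to the commit log.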
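The bind-time check discussed above computes, for the VMA covering slot->userspace_addr, the file offset that address maps to and compares it with the fd+offset being bound. The following is an added example, not part of the patch or of KVM, that performs the same computation from user space so a VMM author can verify a memslot's userspace_addr/offset pair before issuing the bind. It assumes Linux (it parses /proc/self/maps) and uses inode equality as the user-space stand-in for the kernel's `vma->vm_file != file` test; the file names, the temporary file, and the function names are constructed for the demo.

```c
/* User-space mirror of kvm_gmem_is_same_range(): added example, not kernel code.
 * Linux-only: the "VMA lookup" is a scan of /proc/self/maps. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Find the mapping covering addr. On success store its start address, the
 * file offset of its first byte (vm_pgoff << PAGE_SHIFT) and the backing
 * inode, and return 0; return -1 when no mapping covers addr. */
static int lookup_vma(uintptr_t addr, uintptr_t *vm_start,
                      uint64_t *vm_file_off, unsigned long *vm_inode)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    int found = -1;

    if (!maps)
        return -1;
    while (fgets(line, sizeof line, maps)) {
        unsigned long start, end, off, inode;
        unsigned int dmaj, dmin;
        char perms[8];

        if (sscanf(line, "%lx-%lx %7s %lx %x:%x %lu",
                   &start, &end, perms, &off, &dmaj, &dmin, &inode) != 7)
            continue;
        if (addr >= start && addr < end) {
            *vm_start = start;
            *vm_file_off = off;
            *vm_inode = inode;
            found = 0;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* Returns 1 when userspace_addr lies in a mapping of fd whose file offset at
 * that address equals offset, mirroring the kernel check step by step. */
int is_same_range(uintptr_t userspace_addr, int fd, uint64_t offset)
{
    uintptr_t vm_start;
    uint64_t vm_file_off;
    unsigned long vm_inode;
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    if (lookup_vma(userspace_addr, &vm_start, &vm_file_off, &vm_inode) != 0)
        return 0;                                  /* !vma */
    if (vm_inode != (unsigned long)st.st_ino)
        return 0;                                  /* vma->vm_file != file */
    /* userspace_addr_offset + (vm_pgoff << PAGE_SHIFT) == offset */
    return (uint64_t)(userspace_addr - vm_start) + vm_file_off == offset;
}

/* Constructed backing file: a memfd, or an unlinked file in /tmp as fallback. */
static int open_backing_file(long page)
{
    int fd = memfd_create("gmem-range-demo", 0);

    if (fd < 0) {
        char path[] = "/tmp/gmem-range-demo-XXXXXX";
        fd = mkstemp(path);
        if (fd < 0)
            return -1;
        unlink(path);
    }
    if (ftruncate(fd, 8 * page) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Map four pages of the file starting at page 2, then probe the check with a
 * consistent pair and two mismatched pairs. Returns 1 if all three behave. */
int demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    uint64_t file_off = 2 * (uint64_t)page;       /* offset the slot is bound at */
    int fd = open_backing_file(page);
    void *map;
    uintptr_t addr;
    int ok;

    if (fd < 0)
        return 0;
    map = mmap(NULL, 4 * page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, (off_t)file_off);
    if (map == MAP_FAILED) {
        close(fd);
        return 0;
    }
    addr = (uintptr_t)map + page;                  /* one page into the mapping */
    ok = is_same_range(addr, fd, file_off + page)  /* offsets agree */
      && !is_same_range(addr, fd, file_off)        /* one page off */
      && !is_same_range((uintptr_t)map, fd, file_off + page);
    munmap(map, 4 * page);
    close(fd);
    return ok;
}

int main(void)
{
    printf("same-range check behaves as expected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The inode comparison is the part that does not map one-to-one: the kernel compares `struct file` pointers, which distinguishes two opens of the same file, whereas /proc/self/maps only exposes the inode. For the purpose of catching a slot that points at the wrong file or at the wrong offset, which is what the patch's best-effort check is for, it is sufficient.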