From: Fuad Tabba
Date: Fri, 16 Aug 2024 12:19:09 +0100
Subject: Re: [PATCH RFC 4/4] mm: guest_memfd: Add ability for mmap'ing pages
To: David Hildenbrand
Cc: Elliot Berman, Andrew Morton, Paolo Bonzini, Sean Christopherson, Patrick Roy, qperret@google.com, Ackerley Tng, linux-coco@lists.linux.dev, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kvm@vger.kernel.org

On Fri, 16 Aug 2024 at 10:48, David Hildenbrand wrote:
>
> On 15.08.24 09:24, Fuad Tabba wrote:
> > Hi David,
>
> Hi!
>
> >
> > On Tue, 6 Aug 2024 at 14:51, David Hildenbrand wrote:
> >>
> >>> > >>> - if (gmem_flags & GUEST_MEMFD_FLAG_NO_DIRECT_MAP) { > >>> + if (!ops->accessible && (gmem_flags & GUEST_MEMFD_FLAG_NO_DIRECT_MAP)) { > >>> r = guest_memfd_folio_private(folio); > >>> if (r) > >>> goto out_err;
> >>> @@ -107,6 +109,82 @@ struct folio *guest_memfd_grab_folio(struct file *file, pgoff_t index, u32 flags > >>> } > >>> EXPORT_SYMBOL_GPL(guest_memfd_grab_folio); > >>> > >>> +int guest_memfd_make_inaccessible(struct file *file, struct folio *folio) > >>> +{ > >>> + unsigned long gmem_flags = (unsigned long)file->private_data; > >>> + unsigned long i; > >>> + int r; > >>> + > >>> + unmap_mapping_folio(folio); > >>> + > >>> + /** > >>> + * We can't use the refcount. It might be elevated due to > >>> + * guest/vcpu trying to access same folio as another vcpu > >>> + * or because userspace is trying to access folio for same reason
> >>
> >> As discussed, that's insufficient. We really have to drive the refcount
> >> to 1 -- the single reference we expect.
> >>
> >> What is the exact problem you are running into here? Who can just grab a
> >> reference and maybe do nasty things with it?
> >
> > I was wondering, why do we need to check the refcount? Isn't it enough
> > to check for page_mapped() || page_maybe_dma_pinned(), while holding
> > the folio lock?
>
> (folio_mapped() + folio_maybe_dma_pinned())
>
> Not everything goes through FOLL_PIN. vmsplice() is an example, or just
> some very simple read/write through /proc/pid/mem. Further, some
> O_DIRECT implementations still don't use FOLL_PIN.
>
> So if you see an additional folio reference, as soon as you mapped that
> thing to user space, you have to assume that it could be someone
> reading/writing that memory in possibly sane context. (vmsplice() should
> be using FOLL_PIN|FOLL_LONGTERM, but that's a longer discussion)
>
> (noting that also folio_maybe_dma_pinned() can have false positives in
> some cases due to speculative references or *many* references).

Thanks for the clarification!
/fuad

> --
> Cheers,
>
> David / dhildenb
>
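
Review bot: In the hunk that changes `if (gmem_flags & GUEST_MEMFD_FLAG_NO_DIRECT_MAP)`, the new `!ops->accessible &&` term means a file created with GUEST_MEMFD_FLAG_NO_DIRECT_MAP no longer has guest_memfd_folio_private() called at this point once an `accessible` op is registered, and nothing in the visible lines says where that step happens instead. Please add a comment above the condition naming the path that is then responsible for it (presumably guest_memfd_make_inaccessible()), and confirm that `ops` cannot be NULL here, since it is dereferenced unconditionally.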
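
Review bot: In guest_memfd_make_inaccessible(), the comment after unmap_mapping_folio(folio) gives up on the refcount ("We can't use the refcount"), but an elevated count after the unmap is the only visible signal that something may still be reading or writing the folio; the replies in this thread name vmsplice(), /proc/pid/mem and some O_DIRECT implementations as holders that never go through FOLL_PIN. The function should refuse or wait until only the single expected reference remains instead of proceeding past it. Separately, `/**` opens a kernel-doc comment and is out of place inside a function body; use `/*`.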