From: Ackerley Tng <ackerleytng@google.com>
To: Binbin Wu <binbin.wu@linux.intel.com>
Cc: cgroups@vger.kernel.org, kvm@vger.kernel.org,
linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-mm@kvack.org, linux-trace-kernel@vger.kernel.org,
x86@kernel.org, akpm@linux-foundation.org, bp@alien8.de,
brauner@kernel.org, chao.p.peng@intel.com,
chenhuacai@kernel.org, corbet@lwn.net, dave.hansen@intel.com,
dave.hansen@linux.intel.com, david@redhat.com,
dmatlack@google.com, erdemaktas@google.com, fan.du@intel.com,
fvdl@google.com, haibo1.xu@intel.com, hannes@cmpxchg.org,
hch@infradead.org, hpa@zytor.com, hughd@google.com,
ira.weiny@intel.com, isaku.yamahata@intel.com, jack@suse.cz,
james.morse@arm.com, jarkko@kernel.org, jgg@ziepe.ca,
jgowans@amazon.com, jhubbard@nvidia.com, jroedel@suse.de,
jthoughton@google.com, jun.miao@intel.com, kai.huang@intel.com,
keirf@google.com, kent.overstreet@linux.dev,
liam.merwick@oracle.com, maciej.wieczor-retman@intel.com,
mail@maciej.szmigiero.name, maobibo@loongson.cn,
mathieu.desnoyers@efficios.com, maz@kernel.org,
mhiramat@kernel.org, mhocko@kernel.org, mic@digikod.net,
michael.roth@amd.com, mingo@redhat.com, mlevitsk@redhat.com,
mpe@ellerman.id.au, muchun.song@linux.dev, nikunj@amd.com,
nsaenz@amazon.es, oliver.upton@linux.dev, palmer@dabbelt.com,
pankaj.gupta@amd.com, paul.walmsley@sifive.com,
pbonzini@redhat.com, peterx@redhat.com, pgonda@google.com,
prsampat@amd.com, pvorel@suse.cz, qperret@google.com,
richard.weiyang@gmail.com, rick.p.edgecombe@intel.com,
rientjes@google.com, rostedt@goodmis.org, roypat@amazon.co.uk,
rppt@kernel.org, seanjc@google.com, shakeel.butt@linux.dev,
shuah@kernel.org, steven.price@arm.com,
steven.sistare@oracle.com, suzuki.poulose@arm.com,
tabba@google.com, tglx@linutronix.de, thomas.lendacky@amd.com,
vannapurve@google.com, vbabka@suse.cz, viro@zeniv.linux.org.uk,
vkuznets@redhat.com, wei.w.wang@intel.com, will@kernel.org,
willy@infradead.org, wyihan@google.com, xiaoyao.li@intel.com,
yan.y.zhao@intel.com, yilun.xu@intel.com, yuzenghui@huawei.com,
zhiquan1.li@intel.com
Subject: Re: [RFC PATCH v1 01/37] KVM: guest_memfd: Introduce per-gmem attributes, use to guard user mappings
Date: Wed, 28 Jan 2026 09:07:04 -0800 [thread overview]
Message-ID: <CAEvNRgEo2UZ63uv0F7Pv8VfeJipyu82b=Rgiz2gnttdRu9aEPQ@mail.gmail.com> (raw)
In-Reply-To: <ab3f297e-44d5-4f42-aa17-f2e7c135580e@linux.intel.com>
Binbin Wu <binbin.wu@linux.intel.com> writes:
> On 10/18/2025 4:11 AM, Ackerley Tng wrote:
> [...]
>>
>> +static int kvm_gmem_init_inode(struct inode *inode, loff_t size, u64 flags)
>> +{
>> + struct gmem_inode *gi = GMEM_I(inode);
>> + MA_STATE(mas, &gi->attributes, 0, (size >> PAGE_SHIFT) - 1);
>> + u64 attrs;
>> + int r;
>> +
>> + inode->i_op = &kvm_gmem_iops;
>> + inode->i_mapping->a_ops = &kvm_gmem_aops;
>> + inode->i_mode |= S_IFREG;
>> + inode->i_size = size;
>> + mapping_set_gfp_mask(inode->i_mapping, GFP_HIGHUSER);
>> + mapping_set_inaccessible(inode->i_mapping);
>> + /* Unmovable mappings are supposed to be marked unevictable as well. */
> AS_UNMOVABLE has been removed and got merged into AS_INACCESSIBLE, not sure if
> it's better to use "Inaccessible" instead of "Unmovable"
>
Thanks, will update comment as follows:
/*
* guest_memfd memory is not migratable or swappable - set
* inaccessible to gate off both.
*/
mapping_set_inaccessible(inode->i_mapping);
WARN_ON_ONCE(!mapping_unevictable(inode->i_mapping));
>> + WARN_ON_ONCE(!mapping_unevictable(inode->i_mapping));
>> +
>> + gi->flags = flags;
>> +
>> + mt_set_external_lock(&gi->attributes,
>> + &inode->i_mapping->invalidate_lock);
>> +
>> + /*
>> + * Store default attributes for the entire gmem instance. Ensuring every
>> + * index is represented in the maple tree at all times simplifies the
>> + * conversion and merging logic.
>> + */
>> + attrs = gi->flags & GUEST_MEMFD_FLAG_INIT_SHARED ? 0 : KVM_MEMORY_ATTRIBUTE_PRIVATE;
>> +
>> + /*
>> + * Acquire the invalidation lock purely to make lockdep happy. There
>> + * should be no races at this time since the inode hasn't yet been fully
>> + * created.
>> + */
>> + filemap_invalidate_lock(inode->i_mapping);
>> + r = mas_store_gfp(&mas, xa_mk_value(attrs), GFP_KERNEL);
>> + filemap_invalidate_unlock(inode->i_mapping);
>> +
>> + return r;
>> +}
>> +
> [...]
>> @@ -925,13 +986,39 @@ static struct inode *kvm_gmem_alloc_inode(struct super_block *sb)
>>
>> mpol_shared_policy_init(&gi->policy, NULL);
>>
>> + /*
>> + * Memory attributes are protected the filemap invalidation lock, but
> ^
> protected by
Thanks!
>> + * the lock structure isn't available at this time. Immediately mark
>> + * maple tree as using external locking so that accessing the tree
>> + * before its fully initialized results in NULL pointer dereferences
>> + * and not more subtle bugs.
>> + */
>> + mt_init_flags(&gi->attributes, MT_FLAGS_LOCK_EXTERN);
>> +
>> gi->flags = 0;
>> return &gi->vfs_inode;
>> }
>>
>> static void kvm_gmem_destroy_inode(struct inode *inode)
>> {
>> - mpol_free_shared_policy(&GMEM_I(inode)->policy);
>> + struct gmem_inode *gi = GMEM_I(inode);
>> +
>> + mpol_free_shared_policy(&gi->policy);
>> +
>> + /*
>> + * Note! Checking for an empty tree is functionally necessary to avoid
>> + * explosions if the tree hasn't been initialized, i.e. if the inode is
>
> It makes sense to skip __mt_destroy() when mtree is empty.
> But what explosions it could trigger if mtree is empty?
> It seems __mt_destroy() can handle the case if the external lock is not set.
>
>
Hope this updated comment clarify the explosion:
/*
* Note! Checking for an empty tree is functionally necessary
* to avoid explosions if the tree hasn't been fully
* initialized, i.e. if the inode is being destroyed before
* guest_memfd can set the external lock, lockdep would find
* that the tree's internal ma_lock was not held.
*/
>> + * being destroyed before guest_memfd can set the external lock.
>> + */
>> + if (!mtree_empty(&gi->attributes)) {
>> + /*
>> + * Acquire the invalidation lock purely to make lockdep happy,
>> + * the inode is unreachable at this point.
>> + */
>> + filemap_invalidate_lock(inode->i_mapping);
>> + __mt_destroy(&gi->attributes);
>> + filemap_invalidate_unlock(inode->i_mapping);
>> + }
>> }
>>
>> static void kvm_gmem_free_inode(struct inode *inode)
>> --
>> 2.51.0.858.gf9c4a03a3a-goog
next prev parent reply other threads:[~2026-01-28 17:07 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-17 20:11 [RFC PATCH v1 00/37] guest_memfd: In-place conversion support Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 01/37] KVM: guest_memfd: Introduce per-gmem attributes, use to guard user mappings Ackerley Tng
2025-10-27 13:27 ` Vlastimil Babka
2025-11-12 8:58 ` Binbin Wu
2026-01-28 17:07 ` Ackerley Tng [this message]
2026-01-19 7:58 ` Yan Zhao
2026-01-28 17:50 ` Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 02/37] KVM: Rename KVM_GENERIC_MEMORY_ATTRIBUTES to KVM_VM_MEMORY_ATTRIBUTES Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 03/37] KVM: Enumerate support for PRIVATE memory iff kvm_arch_has_private_mem is defined Ackerley Tng
2025-11-13 1:42 ` Binbin Wu
2025-10-17 20:11 ` [RFC PATCH v1 04/37] KVM: Stub in ability to disable per-VM memory attribute tracking Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 05/37] KVM: guest_memfd: Wire up kvm_get_memory_attributes() to per-gmem attributes Ackerley Tng
2026-01-15 11:08 ` Alexey Kardashevskiy
2026-01-28 21:47 ` Ackerley Tng
2026-01-29 0:37 ` Jason Gunthorpe
2026-01-29 1:03 ` Sean Christopherson
2026-01-29 1:16 ` Jason Gunthorpe
2026-01-29 11:10 ` Quentin Perret
2026-01-29 13:42 ` Jason Gunthorpe
2026-01-29 14:36 ` Quentin Perret
2026-02-03 1:07 ` Alexey Kardashevskiy
2026-02-03 18:13 ` Jason Gunthorpe
2026-02-03 9:56 ` Xu Yilun
2026-02-03 18:16 ` Jason Gunthorpe
2026-02-04 4:43 ` Xu Yilun
2026-02-04 12:47 ` Jason Gunthorpe
2026-02-05 7:04 ` Xu Yilun
2025-10-17 20:11 ` [RFC PATCH v1 06/37] KVM: guest_memfd: Update kvm_gmem_populate() to use gmem attributes Ackerley Tng
2025-11-10 10:01 ` Yan Zhao
2025-11-15 0:52 ` Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 07/37] KVM: Introduce KVM_SET_MEMORY_ATTRIBUTES2 Ackerley Tng
2025-10-22 15:21 ` Steven Price
2025-10-22 16:51 ` Ackerley Tng
2025-10-22 22:45 ` Ackerley Tng
2025-10-22 23:30 ` Sean Christopherson
2025-10-23 14:01 ` Ackerley Tng
2025-10-23 15:05 ` Sean Christopherson
2025-10-24 14:36 ` Ackerley Tng
2025-10-24 15:11 ` Sean Christopherson
2025-10-24 16:41 ` Ackerley Tng
2025-10-24 17:45 ` Sean Christopherson
2025-10-27 12:48 ` Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 08/37] KVM: guest_memfd: Don't set FGP_ACCESSED when getting folios Ackerley Tng
2025-10-27 13:39 ` Vlastimil Babka
2025-10-17 20:11 ` [RFC PATCH v1 09/37] KVM: guest_memfd: Skip LRU for guest_memfd folios Ackerley Tng
2025-10-27 13:56 ` Vlastimil Babka
2026-01-27 23:46 ` Ackerley Tng
2026-01-20 2:15 ` Yan Zhao
2025-10-17 20:11 ` [RFC PATCH v1 10/37] KVM: guest_memfd: Enable INIT_SHARED on guest_memfd for x86 Coco VMs Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 11/37] KVM: guest_memfd: Add support for KVM_SET_MEMORY_ATTRIBUTES Ackerley Tng
2025-11-04 9:25 ` Yan Zhao
2025-11-04 15:29 ` Vishal Annapurve
2025-11-15 0:46 ` Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 12/37] KVM: Move KVM_VM_MEMORY_ATTRIBUTES config definition to x86 Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 13/37] KVM: Let userspace disable per-VM mem attributes, enable per-gmem attributes Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 14/37] KVM: selftests: Create gmem fd before "regular" fd when adding memslot Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 15/37] KVM: selftests: Rename guest_memfd{,_offset} to gmem_{fd,offset} Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 16/37] KVM: selftests: Add support for mmap() on guest_memfd in core library Ackerley Tng
2025-10-24 16:48 ` Ackerley Tng
2025-10-24 18:18 ` Sean Christopherson
2025-10-27 12:51 ` Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 17/37] KVM: selftests: Update framework to use KVM_SET_MEMORY_ATTRIBUTES2 Ackerley Tng
2025-10-17 20:11 ` [RFC PATCH v1 18/37] KVM: selftests: Add helpers for calling ioctls on guest_memfd Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 19/37] KVM: selftests: guest_memfd: Test basic single-page conversion flow Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 20/37] KVM: selftests: guest_memfd: Test conversion flow when INIT_SHARED Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 21/37] KVM: selftests: guest_memfd: Test indexing in guest_memfd Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 22/37] KVM: selftests: guest_memfd: Test conversion before allocation Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 23/37] KVM: selftests: guest_memfd: Convert with allocated folios in different layouts Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 24/37] KVM: selftests: guest_memfd: Test precision of conversion Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 25/37] KVM: selftests: guest_memfd: Test that truncation does not change shared/private status Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 26/37] KVM: selftests: guest_memfd: Test that shared/private status is consistent across processes Ackerley Tng
2025-10-17 23:33 ` Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 27/37] KVM: selftests: guest_memfd: Test conversion with elevated page refcount Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 28/37] KVM: selftests: Reset shared memory after hole-punching Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 29/37] KVM: selftests: Add selftests global for guest memory attributes capability Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 30/37] KVM: selftests: Provide function to look up guest_memfd details from gpa Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 31/37] KVM: selftests: Provide common function to set memory attributes Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 32/37] KVM: selftests: Check fd/flags provided to mmap() when setting up memslot Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 33/37] KVM: selftests: Make TEST_EXPECT_SIGBUS thread-safe Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 34/37] KVM: selftests: Update private_mem_conversions_test to mmap() guest_memfd Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 35/37] KVM: selftests: Add script to exercise private_mem_conversions_test Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 36/37] KVM: selftests: Update pre-fault test to work with per-guest_memfd attributes Ackerley Tng
2025-10-17 20:12 ` [RFC PATCH v1 37/37] KVM: selftests: Update private memory exits test work with per-gmem attributes Ackerley Tng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEvNRgEo2UZ63uv0F7Pv8VfeJipyu82b=Rgiz2gnttdRu9aEPQ@mail.gmail.com' \
--to=ackerleytng@google.com \
--cc=akpm@linux-foundation.org \
--cc=binbin.wu@linux.intel.com \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=cgroups@vger.kernel.org \
--cc=chao.p.peng@intel.com \
--cc=chenhuacai@kernel.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=dmatlack@google.com \
--cc=erdemaktas@google.com \
--cc=fan.du@intel.com \
--cc=fvdl@google.com \
--cc=haibo1.xu@intel.com \
--cc=hannes@cmpxchg.org \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=hughd@google.com \
--cc=ira.weiny@intel.com \
--cc=isaku.yamahata@intel.com \
--cc=jack@suse.cz \
--cc=james.morse@arm.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=jgowans@amazon.com \
--cc=jhubbard@nvidia.com \
--cc=jroedel@suse.de \
--cc=jthoughton@google.com \
--cc=jun.miao@intel.com \
--cc=kai.huang@intel.com \
--cc=keirf@google.com \
--cc=kent.overstreet@linux.dev \
--cc=kvm@vger.kernel.org \
--cc=liam.merwick@oracle.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=maciej.wieczor-retman@intel.com \
--cc=mail@maciej.szmigiero.name \
--cc=maobibo@loongson.cn \
--cc=mathieu.desnoyers@efficios.com \
--cc=maz@kernel.org \
--cc=mhiramat@kernel.org \
--cc=mhocko@kernel.org \
--cc=mic@digikod.net \
--cc=michael.roth@amd.com \
--cc=mingo@redhat.com \
--cc=mlevitsk@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=muchun.song@linux.dev \
--cc=nikunj@amd.com \
--cc=nsaenz@amazon.es \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=pankaj.gupta@amd.com \
--cc=paul.walmsley@sifive.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=pgonda@google.com \
--cc=prsampat@amd.com \
--cc=pvorel@suse.cz \
--cc=qperret@google.com \
--cc=richard.weiyang@gmail.com \
--cc=rick.p.edgecombe@intel.com \
--cc=rientjes@google.com \
--cc=rostedt@goodmis.org \
--cc=roypat@amazon.co.uk \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=shakeel.butt@linux.dev \
--cc=shuah@kernel.org \
--cc=steven.price@arm.com \
--cc=steven.sistare@oracle.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=vannapurve@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=vkuznets@redhat.com \
--cc=wei.w.wang@intel.com \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=wyihan@google.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
--cc=yan.y.zhao@intel.com \
--cc=yilun.xu@intel.com \
--cc=yuzenghui@huawei.com \
--cc=zhiquan1.li@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox