From: Quentin Perret <qperret@google.com>
To: Fuad Tabba <tabba@google.com>
Cc: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org,
linux-mm@kvack.org, pbonzini@redhat.com, chenhuacai@kernel.org,
mpe@ellerman.id.au, anup@brainfault.org,
paul.walmsley@sifive.com, palmer@dabbelt.com,
aou@eecs.berkeley.edu, seanjc@google.com,
viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org,
akpm@linux-foundation.org, xiaoyao.li@intel.com,
yilun.xu@intel.com, chao.p.peng@linux.intel.com,
jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com,
isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz,
vannapurve@google.com, ackerleytng@google.com,
mail@maciej.szmigiero.name, david@redhat.com,
michael.roth@amd.com, wei.w.wang@intel.com,
liam.merwick@oracle.com, isaku.yamahata@gmail.com,
kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com,
steven.price@arm.com, quic_eberman@quicinc.com,
quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com,
quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com,
quic_pderrin@quicinc.com, quic_pheragu@quicinc.com,
catalin.marinas@arm.com, james.morse@arm.com,
yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org,
will@kernel.org, keirf@google.com, roypat@amazon.co.uk,
shuah@kernel.org, hch@infradead.org, jgg@nvidia.com,
rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com,
hughd@google.com, jthoughton@google.com, peterx@redhat.com
Subject: Re: [PATCH v5 6/9] KVM: arm64: Refactor user_mem_abort() calculation of force_pte
Date: Thu, 6 Mar 2025 10:46:20 +0000 [thread overview]
Message-ID: <Z8l8_J5ro97MsMuR@google.com> (raw)
In-Reply-To: <20250303171013.3548775-7-tabba@google.com>
On Monday 03 Mar 2025 at 17:10:10 (+0000), Fuad Tabba wrote:
> To simplify the code and to make the assumptions clearer,
> refactor user_mem_abort() by immediately setting force_pte to
> true if the conditions are met. Also, remove the comment about
> logging_active being guaranteed to never be true for VM_PFNMAP
> memslots, since it's not technically correct right now.
>
> No functional change intended.
>
> Signed-off-by: Fuad Tabba <tabba@google.com>
> ---
> arch/arm64/kvm/mmu.c | 13 ++++---------
> 1 file changed, 4 insertions(+), 9 deletions(-)
>
> diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
> index 1f55b0c7b11d..887ffa1f5b14 100644
> --- a/arch/arm64/kvm/mmu.c
> +++ b/arch/arm64/kvm/mmu.c
> @@ -1460,7 +1460,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
> bool fault_is_perm)
> {
> int ret = 0;
> - bool write_fault, writable, force_pte = false;
> + bool write_fault, writable;
> bool exec_fault, mte_allowed;
> bool device = false, vfio_allow_any_uc = false;
> unsigned long mmu_seq;
> @@ -1472,6 +1472,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
> gfn_t gfn;
> kvm_pfn_t pfn;
> bool logging_active = memslot_is_logging(memslot);
> + bool force_pte = logging_active || is_protected_kvm_enabled();
> long vma_pagesize, fault_granule;
> enum kvm_pgtable_prot prot = KVM_PGTABLE_PROT_R;
> struct kvm_pgtable *pgt;
> @@ -1521,16 +1522,10 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
> return -EFAULT;
> }
>
> - /*
> - * logging_active is guaranteed to never be true for VM_PFNMAP
> - * memslots.
> - */
Indeed, I tried to add the following snippeton top of upstream:
diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 1f55b0c7b11d..b5c3a6b9957f 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1525,6 +1525,8 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
* logging_active is guaranteed to never be true for VM_PFNMAP
* memslots.
*/
+ WARN_ON_ONCE(logging_active && (vma->vm_flags & VM_PFNMAP));
if (logging_active || is_protected_kvm_enabled()) {
force_pte = true;
vma_shift = PAGE_SHIFT;
And I could easily get that thing to trigger -- the trick is to back a
memslot with standard anon memory, enable dirty logging, and then mmap()
with MAP_FIXED on top of that a VM_PFNMAP region, and KVM will happily
proceed. Note that this has nothing to do with your series, it's just an
existing upstream bug.
Sadly that means the vma checks we do in kvm_arch_prepare_memory_region()
are bogus. Memslots are associated with an HVA range, not the underlying
VMAs which are not guaranteed stable. This bug applies to both the
VM_PFNMAP checks and the MTE checks, I think.
I can't immediately think of a good way to make the checks more robust,
but I'll have a think. If anybody has an idea ... :-)
Thanks,
Quentin
> - if (logging_active || is_protected_kvm_enabled()) {
> - force_pte = true;
> + if (force_pte)
> vma_shift = PAGE_SHIFT;
> - } else {
> + else
> vma_shift = get_vma_page_shift(vma, hva);
> - }
>
> switch (vma_shift) {
> #ifndef __PAGETABLE_PMD_FOLDED
> --
> 2.48.1.711.g2feabab25a-goog
>
next prev parent reply other threads:[~2025-03-06 10:46 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-03 17:10 [PATCH v5 0/9] KVM: Mapping guest_memfd backed memory at the host for software protected VMs Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 1/9] mm: Consolidate freeing of typed folios on final folio_put() Fuad Tabba
2025-03-04 8:45 ` Kirill A. Shutemov
2025-03-04 9:43 ` David Hildenbrand
2025-03-03 17:10 ` [PATCH v5 2/9] KVM: guest_memfd: Handle final folio_put() of guest_memfd pages Fuad Tabba
2025-03-07 17:04 ` Ackerley Tng
2025-03-10 10:50 ` Fuad Tabba
2025-03-10 14:23 ` Ackerley Tng
2025-03-10 14:35 ` Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 3/9] KVM: guest_memfd: Allow host to map guest_memfd() pages Fuad Tabba
2025-03-04 8:58 ` Kirill A. Shutemov
2025-03-04 9:27 ` Fuad Tabba
2025-03-04 9:45 ` Kirill A. Shutemov
2025-03-04 9:52 ` Fuad Tabba
2025-03-06 0:01 ` Ackerley Tng
2025-03-06 8:48 ` Fuad Tabba
2025-03-06 17:05 ` Ackerley Tng
2025-03-06 22:46 ` Ackerley Tng
2025-03-07 8:57 ` Fuad Tabba
2025-03-07 1:53 ` James Houghton
2025-03-07 8:55 ` Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 4/9] KVM: guest_memfd: Handle in-place shared memory as guest_memfd backed memory Fuad Tabba
2025-03-06 16:09 ` Ackerley Tng
2025-03-06 17:02 ` Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 5/9] KVM: x86: Mark KVM_X86_SW_PROTECTED_VM as supporting guest_memfd shared memory Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 6/9] KVM: arm64: Refactor user_mem_abort() calculation of force_pte Fuad Tabba
2025-03-06 10:46 ` Quentin Perret [this message]
2025-03-06 10:54 ` Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 7/9] KVM: arm64: Handle guest_memfd()-backed guest page faults Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 8/9] KVM: arm64: Enable mapping guest_memfd in arm64 Fuad Tabba
2025-03-03 17:10 ` [PATCH v5 9/9] KVM: guest_memfd: selftests: guest_memfd mmap() test when mapping is allowed Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z8l8_J5ro97MsMuR@google.com \
--to=qperret@google.com \
--cc=ackerleytng@google.com \
--cc=akpm@linux-foundation.org \
--cc=amoorthy@google.com \
--cc=anup@brainfault.org \
--cc=aou@eecs.berkeley.edu \
--cc=brauner@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=chao.p.peng@linux.intel.com \
--cc=chenhuacai@kernel.org \
--cc=david@redhat.com \
--cc=dmatlack@google.com \
--cc=fvdl@google.com \
--cc=hch@infradead.org \
--cc=hughd@google.com \
--cc=isaku.yamahata@gmail.com \
--cc=isaku.yamahata@intel.com \
--cc=james.morse@arm.com \
--cc=jarkko@kernel.org \
--cc=jgg@nvidia.com \
--cc=jhubbard@nvidia.com \
--cc=jthoughton@google.com \
--cc=keirf@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=liam.merwick@oracle.com \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mail@maciej.szmigiero.name \
--cc=maz@kernel.org \
--cc=mic@digikod.net \
--cc=michael.roth@amd.com \
--cc=mpe@ellerman.id.au \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=quic_cvanscha@quicinc.com \
--cc=quic_eberman@quicinc.com \
--cc=quic_mnalajal@quicinc.com \
--cc=quic_pderrin@quicinc.com \
--cc=quic_pheragu@quicinc.com \
--cc=quic_svaddagi@quicinc.com \
--cc=quic_tsoni@quicinc.com \
--cc=rientjes@google.com \
--cc=roypat@amazon.co.uk \
--cc=seanjc@google.com \
--cc=shuah@kernel.org \
--cc=steven.price@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=vannapurve@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=wei.w.wang@intel.com \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=xiaoyao.li@intel.com \
--cc=yilun.xu@intel.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox