From: David Hildenbrand <david@redhat.com>
To: Jue Wang <juew@google.com>
Cc: Dave Hansen <dave.hansen@intel.com>,
Naoya Horiguchi <naoya.horiguchi@nec.com>,
Tony Luck <tony.luck@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Jiaqi Yan <jiaqiyan@google.com>, Greg Thelen <gthelen@google.com>,
Mina Almasry <almasrymina@google.com>,
linux-mm@kvack.org, Sean Christopherson <seanjc@google.com>
Subject: Re: [RFC] Expose a memory poison detector ioctl to user space.
Date: Mon, 2 May 2022 19:38:28 +0200 [thread overview]
Message-ID: <d10f7c50-134b-39c1-7b24-a63d772cc731@redhat.com> (raw)
In-Reply-To: <CAPcxDJ4TfxbNgknKznnV3U9XMce=dfh9fN16iaG8nZqM39HA0A@mail.gmail.com>
On 02.05.22 19:36, Jue Wang wrote:
> On Mon, May 2, 2022 at 10:33 AM David Hildenbrand <david@redhat.com> wrote:
>>
>> On 02.05.22 19:30, Jue Wang wrote:
>>> On Mon, May 2, 2022 at 10:19 AM David Hildenbrand <david@redhat.com> wrote:
>>>>
>>>> On 26.04.22 21:39, Dave Hansen wrote:
>>>>> On 4/26/22 12:23, Jue Wang wrote:
>>>>>> On Tue, Apr 26, 2022 at 11:18 AM Dave Hansen <dave.hansen@intel.com> wrote:
>>>>>>> What if you're in a normal (non-TDX) guest and some of the physical
>>>>>>> address space has been ballooned away?
>>>>>>
>>>>>> Accessing to memory that gets ballooned away will cause extra EPT
>>>>>> violations and have the memory faulted in on the host side, which is
>>>>>> transparent to the guest.
>>>>>
>>>>> Yeah, but it completely subverts the whole purpose of ballooning. In
>>>>> other words, this is for all intents and purposes also mutually
>>>>> exclusive with ballooning.
>>>>
>>>> Some balloon (or balloon-like) implementations don't support reading
>>>> memory that's mapped into the direct map. For example, with never
>>>> virtio-mem devices in the hypervisor, reading unplugged memory can
>>>> result in undefined behavior (in the worst case, you'll get your VM zapped).
>>>>
>>>> Reading random physical memory ranges without further checks is a very
>>>> bad idea. There are more corner cases, that we e.g., exclude when
>>>> reading /proc/kcore.
>>>>
>>>> Take a look at read_kcore() KCORE_RAM case, where we e.g., exclude
>>>> reading PageOffline(), is_page_hwpoison() and !pfn_is_ram(). Unaccepted
>>>> memory might be another case we want to exclude there in the future.
>>>>
>>>>
>>>> I assume something as you imagine could be implemented in user space
>>>> just by relying on /proc/iomem and /proc/kcore right now in an unsafe
>>>> way. So you might want something similar, however, obviously without
>>>> exporting page content to user space and requiring root permissions.
>>>
>>> Thanks.
>>>
>>> Are the following cases benign if the scan only happens on the host side?
>>>
>>> . virtio-mem - unplugged memory
>>> . Unaccepted memory
>>
>> No, only in virtualized worlds.
>>
>> I assume GART memory that implements the pfn_is_ram() callback is around
>> on physical machines.
>
> I think host E820 provides an accurate view of which address range is
> ram or not?
On most physical machines maybe to some degree. It doesn't hold for
physically hot(un)plugged memory and I remember GART memory is special.
No idea how that is exposed in e820.
--
Thanks,
David / dhildenb
prev parent reply other threads:[~2022-05-02 17:38 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-25 16:34 Jue Wang
2022-04-26 15:40 ` Dave Hansen
2022-04-26 17:57 ` Jue Wang
2022-04-26 18:02 ` Jue Wang
2022-04-26 18:21 ` Dave Hansen
2022-04-26 19:25 ` Jue Wang
2022-04-26 19:52 ` Luck, Tony
2022-04-26 20:06 ` Jue Wang
2022-04-26 18:20 ` Dave Hansen
2022-04-26 19:23 ` Jue Wang
2022-04-26 19:39 ` Dave Hansen
2022-04-26 19:50 ` Jue Wang
2022-04-28 16:15 ` Erdem Aktas
2022-04-28 16:34 ` Dave Hansen
2022-04-29 19:46 ` Jue Wang
2022-04-29 21:10 ` Dave Hansen
2022-04-29 21:32 ` Jue Wang
2022-04-29 21:44 ` Jue Wang
2022-04-29 22:29 ` Dave Hansen
2022-04-29 22:53 ` Jue Wang
2022-05-02 15:30 ` Dave Hansen
2022-05-02 17:19 ` David Hildenbrand
2022-05-02 17:30 ` Jue Wang
2022-05-02 17:33 ` David Hildenbrand
2022-05-02 17:36 ` Jue Wang
2022-05-02 17:38 ` David Hildenbrand [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d10f7c50-134b-39c1-7b24-a63d772cc731@redhat.com \
--to=david@redhat.com \
--cc=almasrymina@google.com \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=gthelen@google.com \
--cc=jiaqiyan@google.com \
--cc=juew@google.com \
--cc=linux-mm@kvack.org \
--cc=naoya.horiguchi@nec.com \
--cc=seanjc@google.com \
--cc=tony.luck@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox