Date: Wed, 14 May 2025 06:47:33 -0700
References: <20250513163438.3942405-1-tabba@google.com> <20250513163438.3942405-9-tabba@google.com>
Subject: Re: [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range
From: Ackerley Tng
To: Sean Christopherson, Fuad Tabba
Cc: James Houghton, kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org, pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, peterx@redhat.com, pankaj.gupta@amd.com, ira.weiny@intel.com

Sean Christopherson writes:

> On Wed, May 14, 2025,
> Fuad Tabba wrote:
>> On Tue, 13 May 2025 at 21:31, James Houghton wrote:
>> >
>> > On Tue, May 13, 2025 at 9:34 AM Fuad Tabba wrote:
>> > > diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
>> > > index 8e6d1866b55e..2f499021df66 100644
>> > > --- a/virt/kvm/guest_memfd.c
>> > > +++ b/virt/kvm/guest_memfd.c
>> > > @@ -556,6 +556,32 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args)
>> > >         return __kvm_gmem_create(kvm, size, flags);
>> > >  }
>> > >
>> > > +static bool kvm_gmem_is_same_range(struct kvm *kvm,
>> > > +                                  struct kvm_memory_slot *slot,
>> > > +                                  struct file *file, loff_t offset)
>> > > +{
>> > > +       struct mm_struct *mm = kvm->mm;
>> > > +       loff_t userspace_addr_offset;
>> > > +       struct vm_area_struct *vma;
>> > > +       bool ret = false;
>> > > +
>> > > +       mmap_read_lock(mm);
>> > > +
>> > > +       vma = vma_lookup(mm, slot->userspace_addr);
>> > > +       if (!vma)
>> > > +               goto out;
>> > > +
>> > > +       if (vma->vm_file != file)
>> > > +               goto out;
>> > > +
>> > > +       userspace_addr_offset = slot->userspace_addr - vma->vm_start;
>> > > +       ret = userspace_addr_offset + (vma->vm_pgoff << PAGE_SHIFT) == offset;
>> > > +out:
>> > > +       mmap_read_unlock(mm);
>> > > +
>> > > +       return ret;
>> > > +}
>> > > +
>> > >  int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
>> > >                   unsigned int fd, loff_t offset)
>> > >  {
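Review bot: kvm_gmem_is_same_range() only validates the single address slot->userspace_addr; vma_lookup() returns the VMA covering that one address, so a slot whose range runs past vma->vm_end, or that spans several VMAs backed by different files or offsets, still passes. If the function is meant to guarantee that userspace_addr and fd+offset name the same range, it also needs to compare the slot's full length against the VMA, and a comment should state that the answer is only a snapshot, since the VMA can change as soon as mmap_read_unlock() drops the lock. Minor: in `ret = userspace_addr_offset + (vma->vm_pgoff << PAGE_SHIFT) == offset;` the shift is done on vm_pgoff as an unsigned long before promotion to loff_t, so on 32-bit the page offset truncates for file offsets at or above 4 GiB; `((loff_t)vma->vm_pgoff << PAGE_SHIFT)` avoids that.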
>> > > @@ -585,9 +611,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
>> > >             offset + size > i_size_read(inode))
>> > >                 goto err;
>> > >
>> > > -       if (kvm_gmem_supports_shared(inode) &&
>> > > -           !kvm_arch_vm_supports_gmem_shared_mem(kvm))
>> > > -               goto err;
>> > > +       if (kvm_gmem_supports_shared(inode)) {
>> > > +               if (!kvm_arch_vm_supports_gmem_shared_mem(kvm))
>> > > +                       goto err;
>> > > +
>> > > +               if (slot->userspace_addr &&
>> > > +                   !kvm_gmem_is_same_range(kvm, slot, file, offset))
>> > > +                       goto err;
>> >
>> > This is very nit-picky, but I would rather this not be -EINVAL, maybe
>> > -EIO instead? Or maybe a pr_warn_once() and let the call proceed?
>
> Or just omit the check entirely. The check isn't binding (ba-dump, ching!),
> because the mapping/VMA can change the instant mmap_read_unlock() is called.
>
>> > The userspace_addr we got isn't invalid per se, we're just trying to
>> > give a hint to the user that their VMAs (or the userspace address they
>> > gave us) are messed up. I don't really like lumping this in with truly
>> > invalid arguments.
>>
>> I don't mind changing the return error, but I don't think that we
>> should have a kernel warning (pr_warn_once) for something userspace
>> can trigger.
>
> This isn't a WARN, e.g. won't trip panic_on_warn. In practice, it's not
> meaningfully different than pr_info(). That said, I agree that printing anything
> is a bad approach.
>
>> It's not an IO error either. I think that this is an invalid argument
>> (EINVAL).
>
> I agree with James, this isn't an invalid argument. Having the validity of an
> input hinge on the ordering between a KVM ioctl() and mmap() is quite odd. I
> know KVM arm64 does exactly this for KVM_SET_USER_MEMORY_REGION{,2}, but I don't
> love the semantics. And unlike that scenario, where e.g. MTE tags are verified
> again at fault-time, KVM won't re-check the VMA when accessing guest memory via
> the userspace mapping, e.g. through uaccess.
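Review bot: the new `goto err` for a mismatched userspace_addr in kvm_gmem_bind() shares the error path of the genuinely invalid-argument cases just above it (offset/size outside the inode), so userspace gets the same -EINVAL for "fd+offset and userspace_addr disagree" as for a bad offset, and that verdict can already be stale by the time the ioctl returns because the VMA may change once mmap_read_unlock() drops the lock. If the check is kept, give it a distinct return value or a comment stating that it is an advisory sanity check that depends on mmap() preceding the ioctl, and document in the same comment that it is skipped both when slot->userspace_addr is 0 and when the inode does not support shared memory.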
>
> Unless I'm forgetting something, I'm leaning toward omitting the check entirely.
>

I'm good with dropping this patch. I might have misunderstood the conclusion of the guest_memfd call.

>> That said, other than opposing the idea of pr_warn, I am happy to change it.