From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sean Christopherson
Date: Thu, 13 Feb 2020 20:46:28 +0000
Subject: Re: [PATCH 01/35] mm:gup/writeback: add callbacks for inaccessible pages
Message-Id: <20200213204628.GE18610@linux.intel.com>
List-Id:
References: <20200207113958.7320-1-borntraeger@de.ibm.com> <20200207113958.7320-2-borntraeger@de.ibm.com> <28792269-e053-ac70-a344-45612ee5c729@de.ibm.com> <20200213195602.GD18610@linux.intel.com>
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Christian Borntraeger
Cc: Janosch Frank, Andrew Morton, Marc Zyngier, Tom Lendacky, KVM, Cornelia Huck, David Hildenbrand, Thomas Huth, Ulrich Weigand, Claudio Imbrenda, Andrea Arcangeli, linux-s390, Michael Mueller, Vasily Gorbik, linux-mm@kvack.org, kvm-ppc@vger.kernel.org, Paolo Bonzini

On Thu, Feb 13, 2020 at 09:13:35PM +0100, Christian Borntraeger wrote:
>
> On 13.02.20 20:56, Sean Christopherson wrote:
> > On Mon, Feb 10, 2020 at 06:27:04PM +0100, Christian Borntraeger wrote:
> > Am I missing a need to do this for the swap/reclaim case? Or is there a
> > completely different use case I'm overlooking?
>
> This is actually to protect the host against a malicious user space. For
> example a bad QEMU could simply start direct I/O on such protected memory.
> We do not want userspace to be able to trigger I/O errors and thus we
> implemented the logic to "whenever somebody accesses that page (gup) or
> does I/O, make sure that this page can be accessed. When the guest tries
> to access that page we will wait in the page fault handler for writeback to
> have finished and for the page_ref to be the expected value.

Ah. I was assuming the pages would be unmappable by userspace, enforced by
some other mechanism.

> >
> > Tangentially related, hooks here could be quite useful for sanity checking
> > the kernel/KVM and/or debugging kernel/KVM bugs. Would it make sense to
> > pass a param to arch_make_page_accessible() to provide some information as
> > to why the page needs to be made accessible?
>
> Some kind of enum that can be used optionally to optimize things?

Not just optimize, in the case above it'd probably be preferable for us to
reject a userspace mapping outright, e.g. return -EFAULT if called from
gup()/follow(). Debug scenarios might also require differentiating between
writeback and "other".
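The two paths discussed in the thread, as an added userspace model that is not code from the patch series or from either author: the host-side hook carries a reason argument in the spirit of Sean's suggestion (rejecting a gup()-originated mapping with -EFAULT, exporting the page for writeback), and the guest-side fault path only re-protects the page once writeback is done and the refcount matches. The enum, struct fields and function names are assumptions for illustration.

```c
/*
 * Added illustration, not kernel code: a userspace model of the hooks
 * discussed above. The reason parameter is a suggestion from the thread,
 * not the interface in the patch; the struct fields are assumed.
 */
#include <errno.h>
#include <stdbool.h>

enum access_reason { ACCESS_GUP, ACCESS_WRITEBACK, ACCESS_OTHER };

struct model_page {
    bool secure;        /* page currently protected (guest-only) */
    bool writeback;     /* host I/O in flight on the page */
    int refcount;       /* page_ref as seen by the host */
    int export_count;   /* times the page was made host-accessible */
};

/* Host side: called from gup()/writeback before the page is touched. */
int model_make_page_accessible(struct model_page *p, enum access_reason why)
{
    if (!p->secure)
        return 0;               /* plain host page, nothing to do */
    if (why == ACCESS_GUP)
        return -EFAULT;         /* reject a userspace mapping outright */
    /* Writeback/other: export the page so host I/O cannot hit an error. */
    p->secure = false;
    p->export_count++;
    return 0;
}

/* Guest side: the fault handler re-protects the page only once it is quiescent. */
int model_make_page_secure(struct model_page *p, int expected_ref)
{
    if (p->writeback)
        return -EAGAIN;         /* caller waits for writeback to finish */
    if (p->refcount != expected_ref)
        return -EAGAIN;         /* extra references: someone may still do I/O */
    p->secure = true;
    return 0;
}
```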