From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Garg, Shivank" <shivankg@amd.com>
Cc: linux-kernel@vger.kernel.org,
Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
David Hildenbrand <david@kernel.org>,
Vlastimil Babka <vbabka@kernel.org>,
kvm@vger.kernel.org
Subject: Re: [PATCH] KVM: guest_memfd: fix NUMA interleave index double-counting
Date: Fri, 5 Jun 2026 10:55:43 -0400 [thread overview]
Message-ID: <20260605105455-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <42c42370-2cf1-4b98-8d6a-8d7cd62f95f4@amd.com>
On Fri, Jun 05, 2026 at 06:31:51PM +0530, Garg, Shivank wrote:
>
>
> On 6/5/2026 5:16 AM, Michael S. Tsirkin wrote:
> > [You don't often get email from mst@redhat.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
> >
> > On Thu, Jun 04, 2026 at 12:21:15AM +0530, Garg, Shivank wrote:
> >>
> >>
> >> On 6/3/2026 9:27 PM, Michael S. Tsirkin wrote:
> >>> kvm_gmem_get_policy() sets *ilx to the full page offset
> >>> (vm_pgoff + vma offset). But get_vma_policy() adds the page
> >>> offset on top of *ilx, so the offset is counted twice. This
> >>> causes NUMA interleaving to skip nodes: for order-0 pages the
> >>> effective index jumps by 2 for each consecutive page.
> >>>
> >>> The get_policy vm_op should return only a per-file bias in *ilx
> >>> (like shmem_get_policy does with inode->i_ino), letting
> >>> get_vma_policy() add the page-offset component.
> >>>
> >>> Fix by setting *ilx to inode->i_ino instead of the full page
> >>> offset. The page offset is computed by get_vma_policy() in
> >>> mm/mempolicy.c. The full offset is still computed
> >>> in kvm_gmem_get_policy() for mpol_shared_policy_lookup().
> >>> shmem_get_policy() follows the same pattern.
> >>>
> >>> Found by Sashiko (sashiko.dev) AI code review.
> >>>
> >>> Fixes: ed1ffa810bd6 ("KVM: guest_memfd: Enforce NUMA mempolicy using shared policy")
> >>> Cc: Sean Christopherson <seanjc@google.com>
> >>> Cc: Paolo Bonzini <pbonzini@redhat.com>
> >>> Assisted-by: Claude:claude-opus-4-6
> >>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> >>> ---
> >>> virt/kvm/guest_memfd.c | 7 ++++---
> >>> 1 file changed, 4 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
> >>> index 69c9d6d546b2..0bcf6fc08e2d 100644
> >>> --- a/virt/kvm/guest_memfd.c
> >>> +++ b/virt/kvm/guest_memfd.c
> >>> @@ -438,11 +438,12 @@ static int kvm_gmem_set_policy(struct vm_area_struct *vma, struct mempolicy *mpo
> >>> }
> >>>
> >>> static struct mempolicy *kvm_gmem_get_policy(struct vm_area_struct *vma,
> >>> - unsigned long addr, pgoff_t *pgoff)
> >>> + unsigned long addr, pgoff_t *ilx)
> >>> {
> >>> struct inode *inode = file_inode(vma->vm_file);
> >>> + pgoff_t pgoff = vma->vm_pgoff + ((addr - vma->vm_start) >> PAGE_SHIFT);
> >>>
> >>> - *pgoff = vma->vm_pgoff + ((addr - vma->vm_start) >> PAGE_SHIFT);
> >>> + *ilx = inode->i_ino;
> >>>
> >>> /*
> >>> * Return the memory policy for this index, or NULL if none is set.
> >>> @@ -453,7 +454,7 @@ static struct mempolicy *kvm_gmem_get_policy(struct vm_area_struct *vma,
> >>> * can then replace NULL with the default memory policy instead of the
> >>> * current task's memory policy.
> >>> */
> >>> - return mpol_shared_policy_lookup(&GMEM_I(inode)->policy, *pgoff);
> >>> + return mpol_shared_policy_lookup(&GMEM_I(inode)->policy, pgoff);
> >>> }
> >>> #endif /* CONFIG_NUMA */
> >>>
> >>> --
> >>> MST
> >>>
> >>
> >> Thanks for fixing this. LGTM!
> >>
> >> Reviewed-by: Shivank Garg <shivankg@amd.com>
> >
> >
> > Can u actually test it though pls?
> > Because I think another patch I sent in response so Sashiko
> > is also needed.
>
> Hi Michael,
>
> Yes, I tested this.
>
> I used kretprobes to read *ilx on each kvm_gmem_get_policy(), while calling
> get_mempolicy(MPOL_F_ADDR) on consecutive offsets(0..7) of guest_memfd mapping:
>
> BEFORE:
> page offset: 0 1 2 3 4 5 6 7
> *ilx: 0 1 2 3 4 5 6 7
>
> get_vma_policy() again add the page offset on top. so, it will increase by stride 2.
>
> AFTER Fix:
> page offset: 0 1 2 3 ... 7
> *ilx: 128376 128376 128376 128376 ... 128376
>
> It store i_no, so after get_vma_policy(), it will increase by just 1.
>
> It's hard to show any wrong allocation with the bug because this index value is not
> used by allocation path, which uses NO_INTERLEAVE_INDEX.
>
> Tested-by: Shivank Garg <shivankg@amd.com>
>
> Thanks,
> Shivank
>
So for this to be useful at all
we do need the patch I sent in response to sashiko, right?
Mind trying out that one?
--
MST
next prev parent reply other threads:[~2026-06-05 14:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 15:57 [PATCH] KVM: guest_memfd: fix NUMA interleave index double-counting Michael S. Tsirkin
2026-06-03 16:15 ` sashiko-bot
2026-06-04 7:53 ` Michael S. Tsirkin
2026-06-03 18:51 ` Garg, Shivank
2026-06-04 23:46 ` Michael S. Tsirkin
2026-06-05 13:01 ` Garg, Shivank
2026-06-05 14:55 ` Michael S. Tsirkin [this message]
2026-06-05 9:26 ` David Hildenbrand (Arm)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605105455-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=david@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=shivankg@amd.com \
--cc=vbabka@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.