From: Sean Christopherson <seanjc@google.com>
To: Ackerley Tng <ackerleytng@google.com>
Cc: Fuad Tabba <tabba@google.com>,
James Houghton <jthoughton@google.com>,
kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org,
linux-mm@kvack.org, pbonzini@redhat.com, chenhuacai@kernel.org,
mpe@ellerman.id.au, anup@brainfault.org,
paul.walmsley@sifive.com, palmer@dabbelt.com,
aou@eecs.berkeley.edu, viro@zeniv.linux.org.uk,
brauner@kernel.org, willy@infradead.org,
akpm@linux-foundation.org, xiaoyao.li@intel.com,
yilun.xu@intel.com, chao.p.peng@linux.intel.com,
jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com,
isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz,
vannapurve@google.com, mail@maciej.szmigiero.name,
david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com,
liam.merwick@oracle.com, isaku.yamahata@gmail.com,
kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com,
steven.price@arm.com, quic_eberman@quicinc.com,
quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com,
quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com,
quic_pderrin@quicinc.com, quic_pheragu@quicinc.com,
catalin.marinas@arm.com, james.morse@arm.com,
yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org,
will@kernel.org, qperret@google.com, keirf@google.com,
roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org,
jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com,
fvdl@google.com, hughd@google.com, peterx@redhat.com,
pankaj.gupta@amd.com, ira.weiny@intel.com
Subject: Re: [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range
Date: Wed, 14 May 2025 06:52:48 -0700 [thread overview]
Message-ID: <aCSgMEXrNYgB_Ha4@google.com> (raw)
In-Reply-To: <diqzo6vvpami.fsf@ackerleytng-ctop.c.googlers.com>
On Wed, May 14, 2025, Ackerley Tng wrote:
> Sean Christopherson <seanjc@google.com> writes:
> > On Wed, May 14, 2025, Fuad Tabba wrote:
> >> On Tue, 13 May 2025 at 21:31, James Houghton <jthoughton@google.com> wrote:
> >> > > @@ -585,9 +611,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
> >> > > offset + size > i_size_read(inode))
> >> > > goto err;
> >> > >
> >> > > - if (kvm_gmem_supports_shared(inode) &&
> >> > > - !kvm_arch_vm_supports_gmem_shared_mem(kvm))
> >> > > - goto err;
> >> > > + if (kvm_gmem_supports_shared(inode)) {
> >> > > + if (!kvm_arch_vm_supports_gmem_shared_mem(kvm))
> >> > > + goto err;
> >> > > +
> >> > > + if (slot->userspace_addr &&
> >> > > + !kvm_gmem_is_same_range(kvm, slot, file, offset))
> >> > > + goto err;
> >> >
> >> > This is very nit-picky, but I would rather this not be -EINVAL, maybe
> >> > -EIO instead? Or maybe a pr_warn_once() and let the call proceed?
> >
> > Or just omit the check entirely. The check isn't binding (ba-dump, ching!),
> > because the mapping/VMA can change the instant mmap_read_unlock() is called.
> >
> >> > The userspace_addr we got isn't invalid per se, we're just trying to
> >> > give a hint to the user that their VMAs (or the userspace address they
> >> > gave us) are messed up. I don't really like lumping this in with truly
> >> > invalid arguments.
> >>
> >> I don't mind changing the return error, but I don't think that we
> >> should have a kernel warning (pr_warn_once) for something userspace
> >> can trigger.
> >
> > This isn't a WARN, e.g. won't trip panic_on_warn. In practice, it's not
> > meaningfully different than pr_info(). That said, I agree that printing anything
> > is a bad approach.
> >
> >> It's not an IO error either. I think that this is an invalid argument
> >> (EINVAL).
> >
> > I agree with James, this isn't an invalid argument. Having the validity of an
> > input hinge on the ordering between a KVM ioctl() and mmap() is quite odd. I
> > know KVM arm64 does exactly this for KVM_SET_USER_MEMORY_REGION{,2}, but I don't
> > love the semantics. And unlike that scenario, where e.g. MTE tags are verified
> > again at fault-time, KVM won't re-check the VMA when accessing guest memory via
> > the userspace mapping, e.g. through uaccess.
> >
> > Unless I'm forgetting something, I'm leaning toward omitting the check entirely.
> >
>
> I'm good with dropping this patch. I might have misunderstood the conclusion
> of the guest_memfd call.
No, I don't think you misunderstood anything. It's just that sometimes opinions
different when there's actual code, versus a verbal discussion. I.e. this sounds
like a good idea, but when seeing the code and thinking through the effects, it's
less appealing.
next prev parent reply other threads:[~2025-05-14 13:52 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 16:34 [PATCH v9 00/17] KVM: Mapping guest_memfd backed memory at the host for software protected VMs Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 01/17] KVM: Rename CONFIG_KVM_PRIVATE_MEM to CONFIG_KVM_GMEM Fuad Tabba
2025-05-21 7:14 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 02/17] KVM: Rename CONFIG_KVM_GENERIC_PRIVATE_MEM to CONFIG_KVM_GENERIC_GMEM_POPULATE Fuad Tabba
2025-05-13 21:56 ` Ira Weiny
2025-05-21 7:14 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 03/17] KVM: Rename kvm_arch_has_private_mem() to kvm_arch_supports_gmem() Fuad Tabba
2025-05-21 7:15 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 04/17] KVM: x86: Rename kvm->arch.has_private_mem to kvm->arch.supports_gmem Fuad Tabba
2025-05-21 7:15 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 05/17] KVM: Rename kvm_slot_can_be_private() to kvm_slot_has_gmem() Fuad Tabba
2025-05-21 7:16 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 06/17] KVM: Fix comments that refer to slots_lock Fuad Tabba
2025-05-21 7:16 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 07/17] KVM: guest_memfd: Allow host to map guest_memfd() pages Fuad Tabba
2025-05-13 18:37 ` Ackerley Tng
2025-05-16 19:21 ` James Houghton
2025-05-18 15:17 ` Fuad Tabba
2025-05-21 7:36 ` David Hildenbrand
2025-05-14 8:03 ` Shivank Garg
2025-05-14 9:45 ` Fuad Tabba
2025-05-14 10:07 ` Roy, Patrick
2025-05-14 11:30 ` Fuad Tabba
2025-05-14 14:00 ` kernel test robot
2025-05-14 20:40 ` James Houghton
2025-05-15 7:25 ` Fuad Tabba
2025-05-14 23:37 ` kernel test robot
2025-05-15 23:42 ` Gavin Shan
2025-05-16 7:31 ` Fuad Tabba
2025-05-16 6:08 ` Gavin Shan
2025-05-16 7:56 ` Fuad Tabba
2025-05-16 11:12 ` Gavin Shan
2025-05-16 14:20 ` Fuad Tabba
2025-05-21 7:41 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range Fuad Tabba
2025-05-13 20:30 ` James Houghton
2025-05-14 7:33 ` Fuad Tabba
2025-05-14 13:32 ` Sean Christopherson
2025-05-14 13:47 ` Ackerley Tng
2025-05-14 13:52 ` Sean Christopherson [this message]
2025-05-14 17:39 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 09/17] KVM: x86/mmu: Handle guest page faults for guest_memfd with shared memory Fuad Tabba
2025-05-21 7:48 ` David Hildenbrand
2025-05-22 0:40 ` Ackerley Tng
2025-05-22 7:16 ` David Hildenbrand
2025-05-22 7:46 ` Fuad Tabba
2025-05-22 8:14 ` David Hildenbrand
2025-05-22 10:24 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 10/17] KVM: x86: Compute max_mapping_level with input from guest_memfd Fuad Tabba
2025-05-14 7:13 ` Shivank Garg
2025-05-14 7:24 ` Fuad Tabba
2025-05-14 15:27 ` kernel test robot
2025-05-21 8:01 ` David Hildenbrand
2025-05-22 0:45 ` Ackerley Tng
2025-05-22 13:22 ` Sean Christopherson
2025-05-22 13:49 ` David Hildenbrand
2025-05-22 7:22 ` Fuad Tabba
2025-05-22 8:56 ` David Hildenbrand
2025-05-22 9:34 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 11/17] KVM: arm64: Refactor user_mem_abort() calculation of force_pte Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 12/17] KVM: arm64: Rename variables in user_mem_abort() Fuad Tabba
2025-05-21 2:25 ` Gavin Shan
2025-05-21 9:57 ` Fuad Tabba
2025-05-21 8:02 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 13/17] KVM: arm64: Handle guest_memfd()-backed guest page faults Fuad Tabba
2025-05-14 21:26 ` James Houghton
2025-05-15 9:27 ` Fuad Tabba
2025-05-21 8:04 ` David Hildenbrand
2025-05-21 11:10 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 14/17] KVM: arm64: Enable mapping guest_memfd in arm64 Fuad Tabba
2025-05-14 5:44 ` kernel test robot
2025-05-15 23:50 ` James Houghton
2025-05-16 7:07 ` Fuad Tabba
2025-05-21 8:05 ` David Hildenbrand
2025-05-21 10:12 ` Fuad Tabba
2025-05-21 10:26 ` David Hildenbrand
2025-05-21 10:29 ` Fuad Tabba
2025-05-21 12:44 ` David Hildenbrand
2025-05-21 13:15 ` Fuad Tabba
2025-05-21 13:21 ` David Hildenbrand
2025-05-21 13:32 ` Fuad Tabba
2025-05-21 13:45 ` David Hildenbrand
2025-05-21 14:14 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 15/17] KVM: Introduce the KVM capability KVM_CAP_GMEM_SHARED_MEM Fuad Tabba
2025-05-21 2:46 ` Gavin Shan
2025-05-21 8:24 ` Fuad Tabba
2025-05-21 8:06 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 16/17] KVM: selftests: guest_memfd mmap() test when mapping is allowed Fuad Tabba
2025-05-21 6:53 ` Gavin Shan
2025-05-21 9:38 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 17/17] KVM: selftests: Test guest_memfd same-range validation Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aCSgMEXrNYgB_Ha4@google.com \
--to=seanjc@google.com \
--cc=ackerleytng@google.com \
--cc=akpm@linux-foundation.org \
--cc=amoorthy@google.com \
--cc=anup@brainfault.org \
--cc=aou@eecs.berkeley.edu \
--cc=brauner@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=chao.p.peng@linux.intel.com \
--cc=chenhuacai@kernel.org \
--cc=david@redhat.com \
--cc=dmatlack@google.com \
--cc=fvdl@google.com \
--cc=hch@infradead.org \
--cc=hughd@google.com \
--cc=ira.weiny@intel.com \
--cc=isaku.yamahata@gmail.com \
--cc=isaku.yamahata@intel.com \
--cc=james.morse@arm.com \
--cc=jarkko@kernel.org \
--cc=jgg@nvidia.com \
--cc=jhubbard@nvidia.com \
--cc=jthoughton@google.com \
--cc=keirf@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=liam.merwick@oracle.com \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mail@maciej.szmigiero.name \
--cc=maz@kernel.org \
--cc=mic@digikod.net \
--cc=michael.roth@amd.com \
--cc=mpe@ellerman.id.au \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=pankaj.gupta@amd.com \
--cc=paul.walmsley@sifive.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=qperret@google.com \
--cc=quic_cvanscha@quicinc.com \
--cc=quic_eberman@quicinc.com \
--cc=quic_mnalajal@quicinc.com \
--cc=quic_pderrin@quicinc.com \
--cc=quic_pheragu@quicinc.com \
--cc=quic_svaddagi@quicinc.com \
--cc=quic_tsoni@quicinc.com \
--cc=rientjes@google.com \
--cc=roypat@amazon.co.uk \
--cc=shuah@kernel.org \
--cc=steven.price@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=vannapurve@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=wei.w.wang@intel.com \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=xiaoyao.li@intel.com \
--cc=yilun.xu@intel.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.