Kernel KVM virtualization development
 help / color / mirror / Atom feed
From: "Gupta, Pankaj" <pankaj.gupta@amd.com>
To: Lorenzo Stoakes <ljs@kernel.org>,
	"David Hildenbrand (Arm)" <david@kernel.org>
Cc: seanjc@google.com, pbonzini@redhat.com, tglx@kernel.org,
	mingo@redhat.com, dave.hansen@linux.intel.com, bp@alien8.de,
	x86@kernel.org, thomas.lendacky@amd.com, hpa@zytor.com,
	yangge1116@126.com, kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration
Date: Thu, 9 Jul 2026 17:19:10 +0200	[thread overview]
Message-ID: <58c4326d-b10d-42dc-af5d-3a5ff16c7e3e@amd.com> (raw)
In-Reply-To: <ak-uER-RndpksnhR@lucifer>

Hi Lorenzo,

>>>>> Hi David,
>>>>>
>>>>> Yes, it fails in this path but for file backed mapping, vma_is_fsdax() returns
>>>>> false because
>>>>>
>>>>> vma_is_dax() returns false:
>>>> Ah, okay, so fsdax is not involved and we really only fail because of the
>>>> writable_file_mapping_allowed() check.
>>>>
>>>> I was for a second thinking in terms of nested virt :)
>>>>
>>>>> Host side backend is regular file backed memory (no fsdax).
>>>> Okay, so we'll end up mapping an ordinary file into VM memory, and expose that
>>>> to the VM as part of virtio-pmem device.
>>>>
>>>> That also means that vfio etc. won't be able to longterm-pin such device memory.
>>>> So this is not a problem isolated to SEV.
>>>>
>>>> Forbidding to longterm pin is actually the right thing to do if the filesystem
>>>> relies on writenotify, as spelled out by Lorenzo's commit:
>>>>
>>>> "
>>>>       Writing to file-backed mappings which require folio dirty tracking using
>>>>       GUP is a fundamentally broken operation, as kernel write access to GUP
>>>>       mappings do not adhere to the semantics expected by a file system.
>>>>
>>>>       A GUP caller uses the direct mapping to access the folio, which does not
>>>>       cause write notify to trigger, nor does it enforce that the caller marks
>>>>       the folio dirty.
>>>>
>>>>       The problem arises when, after an initial write to the folio, writeback
>>>>       results in the folio being cleaned and then the caller, via the GUP
>>>>       interface, writes to the folio again.
>>>> "
>>>>
>>>> Hmmm
>>> Yes. For file based mapping we don't allow long term pinning.
>>>
>>> If we take into account the fragmentation concerns for MIGRATE_CMA and
>>> ZONE_MOVABLE allocations
>>>
>>> solvable with FOLL_LONGTERM, I can think of two options(tested) to allow file
>>> based mappings as well:
>>>
>>> 1. Fallback on FOLL_WRITE when FOLL_LONGTERM fails as suggested by Sean.
>> That is just not acceptable, as it breaks random other stuff (MIGRATE_CMA, as
>> one example) besides the file-pinning problems that Lorenzo added.
>>
>> If we're going to hack something in, then that we bypass the file writeback check.
>> Not that we don't use FOLL_LONGTERM.
>>
>> I'd hate to use a GUP flag to indicate "this is a legacy hack", but it clearly isolates the
>> issue (needs a better name obviously):
> So under what circumstances are we happy with totally breaking dirty tracking?
> :/ seems iffy, and exposing this to drivers generally is a bit worrysome.

The intention is to allow long-term pinning of file-backed mappings only 
for migration avoidance,

without kernel GUP writes, and therefore not impacting dirty tracking.

>>
>> diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
>> index ae9bca4eda5ca..e2c531f914d44 100644
>> --- a/include/linux/mm_types.h
>> +++ b/include/linux/mm_types.h
>> @@ -1912,6 +1912,9 @@ enum {
>>           */
>>          FOLL_HONOR_NUMA_FAULT = 1 << 12,
>>
>> +       /* TODO */
>> +       FOLL_LONGTERM = 1 << 13,
>> +
>>          /* See also internal only FOLL flags in mm/internal.h */
>>   };
>>
>> diff --git a/mm/gup.c b/mm/gup.c
>> index 0692119b79043..1fa0aa0cdc99d 100644
>> --- a/mm/gup.c
>> +++ b/mm/gup.c
>> @@ -1186,8 +1186,8 @@ static bool writable_file_mapping_allowed(struct vm_area_struct *vma,
>>           * If we aren't pinning then no problematic write can occur. A long term
>>           * pin is the most egregious case so this is the case we disallow.
>>           */
>> -       if ((gup_flags & (FOLL_PIN | FOLL_LONGTERM)) !=
>> -           (FOLL_PIN | FOLL_LONGTERM))
>> +       if ((gup_flags & (FOLL_PIN | FOLL_LONGTERM | FOLL_LONGTERM_HACK)) !=
>> +           (FOLL_PIN | FOLL_LONGTERM | FOLL_LONGTERM_HACK))
>>                  return true;
> Hmm I'm confused, you're then allowing FOLL_PIN | FOLL_LONGTERM, but disallowing
> FOLL_PIN | FOLL_LONGTERM | FOLL_LONGTERM_HACK?

Yes, I addressed this in my reply, but it wasn't a clean inline response.

>
> By the way I think this should be expressed better if I criticise myself here :)
>
> So like:
>
> 	if ((gup_flags & FOLL_PIN) && (gup_flags & FOLL_LONGTERM))
>
> Or even:
>
> 	/* Only an issue if we pin... */
> 	if (!(gup_flags & FOLL_PIN))
> 		return false;
> 	/* ...and that pin is longterm... */
> 	if (!(gup_flags & FOLL_LONGTERM))
> 		return false;
>
> But I'm confused as to why we are suddenly allowing something broken and what
> this hack flag is supposed to achieve?
>
> Shouldn't this rather be:
>
> 	/* Only an issue if we pin... */
> 	if (!(gup_flags & FOLL_PIN))
> 		return true;
> 	/* ...and that pin is longterm... */
> 	if (!(gup_flags & FOLL_LONGTERM))
> 		return true;
> 	/* ...and not overridden... */
> 	if (gup_flags & FOLL_LONGTERM_HACK)
> 		return true;
> 	/* ...and dirty tracking is required. */
> 	return !vma_needs_dirty_tracking(vma);
> }

Yes, this looks much better. Will incorporate this.

>
>>          /*
>> @@ -2746,7 +2746,7 @@ static bool gup_fast_folio_allowed(struct folio *folio, unsigned int flags)
>>           * If we aren't pinning then no problematic write can occur. A long term
>>           * pin is the most egregious case so this is the one we disallow.
>>           */
>> -       if ((flags & (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE)) ==
>> +       if ((flags & (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE | FOLL_LONGTERM_HACK)) ==
>>              (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE))
> Yeah this is just a bit horrid having to stare at a this a while... So
> FOLL_LONGTERM_HACK would enable here.
>
> Be nice to avoid this form of it as it's difficult to understand, do something
> like above or a clearer version anyway (probably best abstracted to a small
> function).

Sure.

Also, I am also planning to rename (FOLL_LONGTERM_HACK -> 
FOLL_PIN_NO_GUP_WRITE) in v2.

Please let me know if you have a preference.

Thanks,

Pankaj

>
>>                  reject_file_backed = true;
>>
>> @@ -3180,7 +3180,7 @@ static int gup_fast_fallback(unsigned long start, unsigned long nr_pages,
>>          int locked = 0;
>>          int ret;
>>
>> -       if (WARN_ON_ONCE(gup_flags & ~(FOLL_WRITE | FOLL_LONGTERM |
>> +       if (WARN_ON_ONCE(gup_flags & ~(FOLL_WRITE | FOLL_LONGTERM | FOLL_LONGTERM_HACK |
>>                                         FOLL_FORCE | FOLL_PIN | FOLL_GET |
>>                                         FOLL_FAST_ONLY | FOLL_NOFAULT |
>>                                         FOLL_PCI_P2PDMA | FOLL_HONOR_NUMA_FAULT)))
>>
>>
>> --
>> Cheers,
>>
>> David
> Thanks, Lorenzo

  reply	other threads:[~2026-07-09 15:19 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 14:45 [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration Pankaj Gupta
2026-07-01 14:58 ` sashiko-bot
2026-07-01 16:25 ` David Hildenbrand (Arm)
2026-07-01 16:30   ` Sean Christopherson
2026-07-01 16:39     ` David Hildenbrand (Arm)
2026-07-01 16:56       ` Sean Christopherson
2026-07-06 12:03   ` Gupta, Pankaj
2026-07-07 10:04     ` David Hildenbrand (Arm)
2026-07-07 13:45       ` Gupta, Pankaj
2026-07-07 13:59         ` Sean Christopherson
2026-07-07 14:58         ` David Hildenbrand (Arm)
2026-07-08 16:35           ` Gupta, Pankaj
2026-07-09 14:28           ` Lorenzo Stoakes
2026-07-09 15:19             ` Gupta, Pankaj [this message]
2026-07-09 15:44               ` Lorenzo Stoakes
2026-07-10 12:57                 ` David Hildenbrand (Arm)
2026-07-10 13:05                   ` Lorenzo Stoakes
2026-07-10 15:37                     ` David Hildenbrand (Arm)
2026-07-10 15:47                       ` Sean Christopherson
2026-07-10 16:13                         ` Lorenzo Stoakes
2026-07-10 16:24                           ` Sean Christopherson
2026-07-10 16:38                             ` David Hildenbrand (Arm)
2026-07-10 16:58                               ` Lorenzo Stoakes
2026-07-10 13:06                   ` Gupta, Pankaj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=58c4326d-b10d-42dc-af5d-3a5ff16c7e3e@amd.com \
    --to=pankaj.gupta@amd.com \
    --cc=bp@alien8.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=david@kernel.org \
    --cc=hpa@zytor.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ljs@kernel.org \
    --cc=mingo@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=seanjc@google.com \
    --cc=stable@vger.kernel.org \
    --cc=tglx@kernel.org \
    --cc=thomas.lendacky@amd.com \
    --cc=x86@kernel.org \
    --cc=yangge1116@126.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox