Kernel KVM virtualization development
From: Xiaoyao Li <xiaoyao.li@intel.com>
To: Ackerley Tng <ackerleytng@google.com>,
	sashiko-reviews@lists.linux.dev,
	Ackerley Tng via B4 Relay
	<devnull+ackerleytng.google.com@kernel.org>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v8 24/46] KVM: guest_memfd: Make in-place conversion the default
Date: Wed, 1 Jul 2026 19:17:08 +0800
Message-ID: <affe09f7-31bd-4d86-906c-9c6f92eb903a@intel.com>
In-Reply-To: <CAEvNRgE6iKBhMYM64rgvuVEOvAFyNoryzpjTtSQRf5TcrLTepA@mail.gmail.com>

On 6/25/2026 7:47 AM, Ackerley Tng wrote:
> sashiko-bot@kernel.org writes:
> 
>> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>> - [Medium] Unprivileged userspace can trigger a WARN_ON_ONCE if the host administrator misconfigures a module parameter.
>> --
>>
>> commit bf8cb04a544d7b8235d73034e0febf195ab335c3
>> Author: Ackerley Tng <ackerleytng@google.com>
>>
>> KVM: guest_memfd: Make in-place conversion the default
>>
>> This commit makes in-place conversion the default when the architecture
>> supports private memory. It introduces a module parameter to override the
>> default and adds a warning in the CoCo VM memory population path if in-place
>> conversion is disabled without enabling per-VM memory attributes.
>>
>>> diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
>>> index 86c9f5b0863cb..5cb73543c03c8 100644
>>> --- a/virt/kvm/guest_memfd.c
>>> +++ b/virt/kvm/guest_memfd.c
>>> @@ -1193,10 +1193,15 @@ static bool kvm_gmem_range_is_private(struct file *file, pgoff_t index,
>>>   {
>>>   	struct maple_tree *mt = &GMEM_I(file_inode(file))->attributes;
>>>
>>> +#ifdef CONFIG_KVM_VM_MEMORY_ATTRIBUTES
>>>   	if (!gmem_in_place_conversion)
>>>   		return kvm_range_has_vm_memory_attributes(kvm, gfn, gfn + nr_pages,
>>>   							  KVM_MEMORY_ATTRIBUTE_PRIVATE,
>>>   							  KVM_MEMORY_ATTRIBUTE_PRIVATE);
>>> +#else
>>> +	if (WARN_ON_ONCE(!gmem_in_place_conversion))
>>> +		return false;
>>> +#endif
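
Review bot: The `#else` branch's `WARN_ON_ONCE(!gmem_in_place_conversion)` fires on a value that comes from a module parameter, so it reports administrator input rather than a kernel-internal invariant, and a WARN is escalated to a panic when panic_on_warn=1 is set. Either make the state unreachable (do not register the parameter when CONFIG_KVM_VM_MEMORY_ATTRIBUTES=n) or report it with pr_warn_once() and keep the `return false;`. A one-line comment saying why "not private" is the right answer for this combination would also help the next reader.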
>>
>> [Severity: Medium]
>> Could this WARN_ON_ONCE() be triggered by unprivileged userspace if the
>> administrator misconfigures the module parameter?
>>
>> If the system administrator sets kvm.gmem_in_place_conversion=0 on a kernel
>> compiled without CONFIG_KVM_VM_MEMORY_ATTRIBUTES, it appears this warning can
>> be reached from an unprivileged ioctl path calling kvm_gmem_populate().
>>
>> Since an unprivileged user creating a CoCo VM can intentionally trigger this
>> warning, could this act as a host-side denial of service on systems configured
>> with panic_on_warn=1?
>>
>> Would it be better to convert this to a pr_warn_once()
> 
> Sean, what do you think of using pr_warn_once()?

How about not exposing the module param when
CONFIG_KVM_VM_MEMORY_ATTRIBUTES=n? Something like:

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -103,7 +103,9 @@ module_param(allow_unsafe_mappings, bool, 0444);

  #ifdef kvm_arch_has_private_mem
  bool __ro_after_init gmem_in_place_conversion = 
!IS_ENABLED(CONFIG_KVM_VM_MEMORY_ATTRIBUTES);
+#ifdef CONFIG_KVM_VM_MEMORY_ATTRIBUTES
  module_param(gmem_in_place_conversion, bool, 0444);
+#endif
  EXPORT_SYMBOL_FOR_KVM_INTERNAL(gmem_in_place_conversion);
  #endif
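
Review bot: With `module_param()` compiled out by the inner `#ifdef CONFIG_KVM_VM_MEMORY_ATTRIBUTES`, the initializer `!IS_ENABLED(CONFIG_KVM_VM_MEMORY_ATTRIBUTES)` pins gmem_in_place_conversion to true on =n kernels, and nothing in the hunk says that this is intentional. Add a comment above the inner #ifdef stating that the parameter is deliberately absent because the non-in-place path needs per-VM memory attributes, and note in the parameter's documentation that it exists only with CONFIG_KVM_VM_MEMORY_ATTRIBUTES=y. The WARN_ON_ONCE() in kvm_gmem_range_is_private() then guards a state that cannot be set from the command line and can stay as an invariant check.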


>> or perhaps validate the
>> module parameter at initialization time?
> 
> I thought about this too, but didn't want to move it to initialization
> time because this (populate) is probably the first time the kernel
> knows for sure something is used weirdly.
> 
> Like, perhaps the admin did compile without
> CONFIG_KVM_VM_MEMORY_ATTRIBUTES and also set gmem_in_place_conversion=0
> but wants to use the host only for non-CoCo VMs and hence doesn't need a
> warning, idk.
> 
>>
>> --
>> Sashiko AI review · https://sashiko.dev/#/patchset/20260618-gmem-inplace-conversion-v8-0-9d2959357853@google.com?part=24
> 

