From: Oliver Upton <oupton@kernel.org>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Shuah Khan <skhan@linuxfoundation.org>, kvm <kvm@vger.kernel.org>,
Linux Doc Mailing List <linux-doc@vger.kernel.org>,
"Kernel Mailing List, Linux" <linux-kernel@vger.kernel.org>,
Sean Christopherson <seanjc@google.com>,
Jim Mattson <jmattson@google.com>,
Joey Gouly <joey.gouly@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Raghavendra Rao Ananta <rananta@google.com>,
Eric Auger <eric.auger@redhat.com>, Kees Cook <kees@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Nathan Chancellor <nathan@kernel.org>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
kvmarm@lists.linux.dev,
linux-kselftest <linux-kselftest@vger.kernel.org>
Subject: Re: [PATCH] Documentation: KVM: Document guest-visible compatibility expectations
Date: Tue, 19 May 2026 15:57:42 -0700 [thread overview]
Message-ID: <agzq5kwzuJvd7Mh5@kernel.org> (raw)
In-Reply-To: <1243d375846c4f4e20c229a6f09300126188fc8b.camel@infradead.org>
On Tue, May 19, 2026 at 10:58:05PM +0100, David Woodhouse wrote:
> On Tue, 2026-05-19 at 14:10 -0700, Oliver Upton wrote:
> > And in the absence of clear evidence of a guest depending on the broken
> > IGROUPR behavior, I don't see how the guest-side changes of Christoffer's
> > series are any different from the multitude of bug fixes that we take
> > every single release cycle. It is an unfortunate bug and I concur with
> > Marc that it doesn't seem like the sort of thing a guest could rely
> > upon.
>
> I find this concerning, because I've already explained this.
>
> There is a very real possibility of guests simply not *noticing* that
> they had bugs in this area, as it didn't *matter* what they wrote to
> these registers since it never worked.
>
> There is an even larger possibility of guests having worked around the
> original issue by *detecting* whether the registers were actually
> writable before choosing to use the alternative groups. And if such a
> guest launches on a new kernel and then needs to be rolled back to an
> older kernel, that will also break.
The onus is on you to substantiate this claim. I would imagine after
carrying the revert for so long that there must be at least one example
of such a guest?
What ifs and maybes do not meet the bar, in my opinion, for preserving
bug emulation in KVM. Of course there could be a little flexibility with
that but we need to have some way of discriminating between bug fixes
and genuine guest expectations around the behavior of virtual hardware.
> > Wrong or not, this behavior is documented unambiguously. From the VGICv2
> > UAPI documentation:
> >
> > """
> > Userspace should set GICD_IIDR before setting any other registers (both
> > KVM_DEV_ARM_VGIC_GRP_DIST_REGS and KVM_DEV_ARM_VGIC_GRP_CPU_REGS) to ensure
> > the expected behavior. Unless GICD_IIDR has been set from userspace, writes
> > to the interrupt group registers (GICD_IGROUPR) are ignored.
> > """
> >
> > I'm not inclined to change that.
>
> That'll all very well... but as far as I can tell, QEMU *doesn't* set
> GICD_IIDR, so it still gets the bizarre behaviour where the *guest* can
> write the registers, but userspace can't. So it looks like it'll work
> except migration will fail. Am I missing something?
That's exactly it, and why I said tying up UAPI opt-in with
guest-visible registers is a really bad idea.
> But honestly, I don't care one iota about GICv2; I was only trying to
> do the cleanup while I was there. Feel free to drop that part entirely.
>
> > As a way out of this whole mess, can we
> > instead:
> >
> > - Allow userspace to set IIDR.Revision to 1
> >
> > - Drop any bug emulation from the handling of IGROUPR registers
>
> It doesn't make sense to allow setting IIDR.Revision to 1 *without* the
> one-liner that actually implements the corresponding behaviour change
> in the IGROUPR registers.
As I described earlier, this whole IIDR crap inarguably broke UAPI and
obviously normal guest behavior (i.e. reading the register). At minimum
we need to permit previously-valid values for IIDR, even if they carry
no implied behaviors.
> And as explained at least twice now, it's the
> behaviour change that's *important* here.
>
> The fact that it's a long-standing bug in KVM which downstream has been
> working around for a long time doesn't matter. The unconditional
> behavioural change *is* a bug and we should fix it.
That is the nature of a bug fix. If you can provide some concrete
evidence of a guest depending on the RAZ/WI behavior then I agree we
need to preserve the old behavior.
Otherwise I see this as a matter of principle in how we do bug fixes to
KVM. Even if upstream took the strictest possible stance towards behavior
changes we will invariably fail to account for some minutia.
> > - Special-case the stupid GICv2 UAPI where IGROUPR are only writable if
> > the VMM has written to IIDR and the revision >= 2
>
> That already *is* a special case, right? And you'd rather leave it as it is?
Left as documented, yes. With the exception that revision == 1 writes
not be considered opt-in to restorable IGROUPR.
Thanks,
Oliver
next prev parent reply other threads:[~2026-05-19 22:57 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 8:57 [PATCH] Documentation: KVM: Document guest-visible compatibility expectations David Woodhouse
2026-05-11 15:14 ` Paolo Bonzini
2026-05-11 16:38 ` David Woodhouse
2026-05-11 16:56 ` Paolo Bonzini
2026-05-11 17:53 ` David Woodhouse
2026-05-13 8:42 ` Marc Zyngier
2026-05-13 9:24 ` David Woodhouse
2026-05-13 12:43 ` Paolo Bonzini
2026-05-13 13:03 ` Eric Auger
2026-05-13 13:57 ` David Woodhouse
2026-05-13 16:24 ` Paolo Bonzini
2026-05-13 18:26 ` David Woodhouse
2026-05-19 10:41 ` David Woodhouse
2026-05-19 11:11 ` Will Deacon
2026-05-19 11:44 ` David Woodhouse
2026-05-19 12:13 ` Paolo Bonzini
2026-05-19 12:38 ` Marc Zyngier
2026-05-19 12:56 ` Marc Zyngier
2026-05-19 13:24 ` David Woodhouse
2026-05-19 12:59 ` David Woodhouse
2026-05-19 13:53 ` Paolo Bonzini
2026-05-19 14:13 ` David Woodhouse
2026-05-19 21:10 ` Oliver Upton
2026-05-19 21:58 ` David Woodhouse
2026-05-19 22:57 ` Oliver Upton [this message]
2026-05-19 23:33 ` David Woodhouse
2026-05-20 17:47 ` Oliver Upton
2026-05-20 18:29 ` David Woodhouse
2026-05-19 12:42 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agzq5kwzuJvd7Mh5@kernel.org \
--to=oupton@kernel.org \
--cc=arnd@arndb.de \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dwmw2@infradead.org \
--cc=eric.auger@redhat.com \
--cc=jmattson@google.com \
--cc=joey.gouly@arm.com \
--cc=kees@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=maz@kernel.org \
--cc=nathan@kernel.org \
--cc=pbonzini@redhat.com \
--cc=rananta@google.com \
--cc=seanjc@google.com \
--cc=skhan@linuxfoundation.org \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox