From: Paolo Bonzini <pbonzini@redhat.com>
To: David Woodhouse <dwmw2@infradead.org>, Marc Zyngier <maz@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>,
Shuah Khan <skhan@linuxfoundation.org>,
kvm@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
Sean Christopherson <seanjc@google.com>,
Jim Mattson <jmattson@google.com>,
Oliver Upton <oupton@kernel.org>, Joey Gouly <joey.gouly@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Raghavendra Rao Ananta <rananta@google.com>,
Eric Auger <eric.auger@redhat.com>, Kees Cook <kees@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Nathan Chancellor <nathan@kernel.org>,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH] Documentation: KVM: Document guest-visible compatibility expectations
Date: Wed, 13 May 2026 14:43:42 +0200 [thread overview]
Message-ID: <ba08dfe9-932b-40c3-9fdf-fc891d52e1d8@redhat.com> (raw)
In-Reply-To: <48b06e5655d56ff6eda30e563b34894fa0eb2f07.camel@infradead.org>
On 5/13/26 11:24, David Woodhouse wrote:
> On Wed, 2026-05-13 at 09:42 +0100, Marc Zyngier wrote:
>> If userspace is not a total joke, it will read all the ID registers,
>> and configure what it wants to see, assuming it is a feature that can
>> be configured (not everything can, because the architecture itself is
>> not fully backward compatible).
>>
>> Yes, this is buggy at times, because the combinatorial explosion of
>> CPU capabilities and supported features makes it pretty hard to test
>> (and really nobody actually does). But overall, it works, and QEMU is
>> growing an infrastructure to manage it in a "user friendly" way.
>
> Yes, that is precisely what I'm asking for. I'm prepared to deal with
> the fact that KVM/Arm64 is not a stable and mature platform like x86
> is, and that userspace has to find all the random changes from one
> version to the next, and explicitly pin things down to be compatible.
>
> All I'm asking for is that KVM makes it *possible* to pin things down
> to the behaviour of previously released Linux/KVM kernels.
>
>> But really, this isn't what David is asking. He's demanding "bug for
>> bug" compatibility. For that, we have two possible cases:
>
> No, I am not asking you to meet that bar. I merely observed that x86
> does and that it would be nice. But we are a *long* way from that.
x86 doesn't do bug-for-bug compatibility, thankfully - we have quirks
but only 11 of them, or about one per year since we started adding them.
We only add quirks, generally speaking, when 1) we change the way file
descriptors are initialized, 2) guests in the wild were relying on it,
or 3) it prevends restoring state saved from an old kernel. Is there
anything else?
So you're asking something not really far from this:
>> - this is a behaviour that is not allowed by the architecture: we fix
>> it for good. We do that on every release. Some minor, some much more
>> visible. And there is no way we will add this sort of "bring the
>> bugs back" type of behaviours. Specially when it is really obvious
>> that no SW can make any reasonable use of the defect. We allow
>> userspace to keep behaving as before, but the guest will not see a
>> non-compliant behaviour.
... where for example
https://lore.kernel.org/kvm/e03f092dfbb7d391a6bf2797ba01e122ba080bcd.camel@infradead.org/
is an example of a bug that "no SW can make any reasonable use of".
> Marc, this is complete nonsense and you should know better.
> Once a behaviour is present in a released version of Linux/KVM, we
> can't just declare it "wrong" and unilaterally impose a change in
> guest-visible behaviour on *running* guests as a side-effect of a
> kernel upgrade.
>
> The criterion for *KVM* to remain compatible is "once it has been in a
> released version of the kernel". Not "once it is in the architecture".
That is *also* obviously nonsense though, isn't it (see example above)?
The truth is in the middle, "once it is in the architecture" is likely
too narrow but "once it is in a Linux release" is way too broad. And
besides, both miss the point of *configurability* which is the basis of
it all.
The main difference between x86 and Arm is the default state at
creation; x86 defaults to a blank slate, mostly; and when we didn't do
that, we regretted it later (cue the STUFF_FEATURE_MSRS quirk). It's
too late to change the behavior for Arm, but I think we can agree that
patches such as
https://lore.kernel.org/kvm/20260511113558.3325004-2-dwmw2@infradead.org/
("KVM: arm64: vgic: Allow userspace to set IIDR revision 1") are what
the letter and spirit of this proposal is about.
Marc did not mention having to deal with guests in the wild. Let's
ignore it for now because even defining "guests in the wild" is hard;
and anyway it's not related to the patch that triggered the discussion.
So we have the third case, "restoring state saved from an old kernel".
If this case arises, I do believe that Arm will have to deal with it and
introduce quirks or KVM_GET/SET_REG hacks. Maybe it hasn't happened
yet, lucky you.
Overall, even if we may disagree about the details, are we really on
terribly distant grounds, or are we not?
Paolo
next prev parent reply other threads:[~2026-05-13 12:44 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 8:57 [PATCH] Documentation: KVM: Document guest-visible compatibility expectations David Woodhouse
2026-05-11 15:14 ` Paolo Bonzini
2026-05-11 16:38 ` David Woodhouse
2026-05-11 16:56 ` Paolo Bonzini
2026-05-11 17:53 ` David Woodhouse
2026-05-13 8:42 ` Marc Zyngier
2026-05-13 9:24 ` David Woodhouse
2026-05-13 12:43 ` Paolo Bonzini [this message]
2026-05-13 13:03 ` Eric Auger
2026-05-13 13:57 ` David Woodhouse
2026-05-13 16:24 ` Paolo Bonzini
2026-05-13 18:26 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ba08dfe9-932b-40c3-9fdf-fc891d52e1d8@redhat.com \
--to=pbonzini@redhat.com \
--cc=arnd@arndb.de \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=dwmw2@infradead.org \
--cc=eric.auger@redhat.com \
--cc=jmattson@google.com \
--cc=joey.gouly@arm.com \
--cc=kees@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=maz@kernel.org \
--cc=nathan@kernel.org \
--cc=oupton@kernel.org \
--cc=rananta@google.com \
--cc=seanjc@google.com \
--cc=skhan@linuxfoundation.org \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox