Date: Tue, 15 Jul 2025 10:33:37 +0100
In-Reply-To: <20250715093350.2584932-1-tabba@google.com>
References: <20250715093350.2584932-1-tabba@google.com>
Message-ID: <20250715093350.2584932-9-tabba@google.com>
Subject: [PATCH v14 08/21] KVM: guest_memfd: Allow host to map guest_memfd pages
From: Fuad Tabba
To: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org, kvmarm@lists.linux.dev
Cc: pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, seanjc@google.com, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, ackerleytng@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, jthoughton@google.com, peterx@redhat.com, pankaj.gupta@amd.com, ira.weiny@intel.com, tabba@google.com

Introduce the core infrastructure to enable host userspace to mmap()
guest_memfd-backed memory. This is needed for several evolving KVM use
cases:

* Non-CoCo VM backing: Allows VMMs like Firecracker to run guests
  entirely backed by guest_memfd, even for non-CoCo VMs [1]. This
  provides a unified memory management model and simplifies guest memory
  handling.

* Direct map removal for enhanced security: This is an important step
  for direct map removal of guest memory [2]. By allowing host userspace
  to fault in guest_memfd pages directly, we can avoid maintaining host
  kernel direct maps of guest memory. This provides additional hardening
  against Spectre-like transient execution attacks by removing a
  potential attack surface within the kernel.

* Future guest_memfd features: This also lays the groundwork for future
  enhancements to guest_memfd, such as supporting huge pages and
  enabling in-place sharing of guest memory with the host for CoCo
  platforms that permit it [3].

Therefore, enable the basic mmap and fault handling logic within
guest_memfd. However, this functionality is not yet exposed to userspace
and remains inactive until two conditions are met in subsequent patches:

* Kconfig Gate (CONFIG_KVM_GMEM_SUPPORTS_MMAP): A new Kconfig option,
  KVM_GMEM_SUPPORTS_MMAP, is introduced later in this series. This
  option gates the compilation and availability of this mmap
  functionality at a system level. While the code changes in this patch
  might seem small, the Kconfig option is introduced to explicitly
  signal the intent to enable this new capability and to provide a clear
  compile-time switch for it. It also helps ensure that the necessary
  architecture-specific glue (like kvm_arch_supports_gmem_mmap) is
  properly defined.

* Per-instance opt-in (GUEST_MEMFD_FLAG_MMAP): On a per-instance basis,
  this functionality is enabled by the guest_memfd flag
  GUEST_MEMFD_FLAG_MMAP, which will be set in the KVM_CREATE_GUEST_MEMFD
  ioctl. This flag is crucial because when host userspace maps
  guest_memfd pages, KVM must *not* manage these memory regions in the
  same way it does for traditional KVM memory slots. The presence of
  GUEST_MEMFD_FLAG_MMAP on a guest_memfd instance allows mmap() and
  faulting of guest_memfd memory to host userspace. Additionally, it
  informs KVM to always consume guest faults to this memory from
  guest_memfd, regardless of whether it is a shared or a private fault.
  This opt-in mechanism ensures compatibility and prevents conflicts
  with existing KVM memory management. This is a per-guest_memfd flag
  rather than a per-memslot or per-VM capability because the ability to
  mmap directly applies to the specific guest_memfd object, regardless
  of how it might be used within various memory slots or VMs.

[1] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hiding
[2] https://lore.kernel.org/linux-mm/cc1bb8e9bc3e1ab637700a4d3defeec95b55060a.camel@amazon.com
[3] https://lore.kernel.org/all/c1c9591d-218a-495c-957b-ba356c8f8e09@redhat.com/T/#u

Reviewed-by: Gavin Shan
Reviewed-by: Shivank Garg
Acked-by: David Hildenbrand
Co-developed-by: Ackerley Tng
Signed-off-by: Ackerley Tng
Signed-off-by: Fuad Tabba
--- include/linux/kvm_host.h | 13 +++++++ include/uapi/linux/kvm.h | 1 + virt/kvm/Kconfig | 4 +++ virt/kvm/guest_memfd.c | 73 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 91 insertions(+) diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 1ec71648824c..9ac21985f3b5 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -740,6 +740,19 @@ static inline bool kvm_arch_supports_gmem(struct kvm *kvm) } #endif +/* + * Returns true if this VM supports mmap() in guest_memfd. + * + * Arch code must define kvm_arch_supports_gmem_mmap if support for guest_memfd + * is enabled. + */ +#if !defined(kvm_arch_supports_gmem_mmap) +static inline bool kvm_arch_supports_gmem_mmap(struct kvm *kvm) +{ + return false; +} +#endif + #ifndef kvm_arch_has_readonly_mem static inline bool kvm_arch_has_readonly_mem(struct kvm *kvm) { diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h index 7a4c35ff03fe..3beafbf306af 100644 --- a/include/uapi/linux/kvm.h +++ b/include/uapi/linux/kvm.h @@ -1596,6 +1596,7 @@ struct kvm_memory_attributes { #define KVM_MEMORY_ATTRIBUTE_PRIVATE (1ULL << 3) #define KVM_CREATE_GUEST_MEMFD _IOWR(KVMIO, 0xd4, struct kvm_create_guest_memfd) +#define GUEST_MEMFD_FLAG_MMAP (1ULL << 0) struct kvm_create_guest_memfd { __u64 size; diff --git a/virt/kvm/Kconfig b/virt/kvm/Kconfig index 559c93ad90be..fa4acbedb953 100644 --- a/virt/kvm/Kconfig +++ b/virt/kvm/Kconfig 
@@ -128,3 +128,7 @@ config HAVE_KVM_ARCH_GMEM_PREPARE config HAVE_KVM_ARCH_GMEM_INVALIDATE bool depends on KVM_GMEM + +config KVM_GMEM_SUPPORTS_MMAP + select KVM_GMEM + bool diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index 6db515833f61..07a4b165471d 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c 
@@ -312,7 +312,77 @@ static pgoff_t kvm_gmem_get_index(struct kvm_memory_slot *slot, gfn_t gfn) return gfn - slot->base_gfn + slot->gmem.pgoff; } +static bool kvm_gmem_supports_mmap(struct inode *inode) +{ + const u64 flags = (u64)inode->i_private; + + if (!IS_ENABLED(CONFIG_KVM_GMEM_SUPPORTS_MMAP)) + return false; + + return flags & GUEST_MEMFD_FLAG_MMAP; +} + +static vm_fault_t kvm_gmem_fault_user_mapping(struct vm_fault *vmf) +{ + struct inode *inode = file_inode(vmf->vma->vm_file); + struct folio *folio; + vm_fault_t ret = VM_FAULT_LOCKED; + + if (((loff_t)vmf->pgoff << PAGE_SHIFT) >= i_size_read(inode)) + return VM_FAULT_SIGBUS; + + folio = kvm_gmem_get_folio(inode, vmf->pgoff); + if (IS_ERR(folio)) { + int err = PTR_ERR(folio); + + if (err == -EAGAIN) + return VM_FAULT_RETRY; + + return vmf_error(err); + } + + if (WARN_ON_ONCE(folio_test_large(folio))) { + ret = VM_FAULT_SIGBUS; + goto out_folio; + } + + if (!folio_test_uptodate(folio)) { + clear_highpage(folio_page(folio, 0)); + kvm_gmem_mark_prepared(folio); + } + + vmf->page = folio_file_page(folio, vmf->pgoff); + +out_folio: + if (ret != VM_FAULT_LOCKED) { + folio_unlock(folio); + folio_put(folio); + } + + return ret; +} + +static const struct vm_operations_struct kvm_gmem_vm_ops = { + .fault = kvm_gmem_fault_user_mapping, +}; + +static int kvm_gmem_mmap(struct file *file, struct vm_area_struct *vma) +{ + if (!kvm_gmem_supports_mmap(file_inode(file))) + return -ENODEV; + + if ((vma->vm_flags & (VM_SHARED | VM_MAYSHARE)) != + (VM_SHARED | VM_MAYSHARE)) { + return -EINVAL; + } + + vma->vm_ops = &kvm_gmem_vm_ops; + + return 0; +} + static struct file_operations kvm_gmem_fops = { + .mmap = kvm_gmem_mmap, .open = generic_file_open, .release = kvm_gmem_release, .fallocate = kvm_gmem_fallocate, 
@@ -463,6 +533,9 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args) u64 flags = args->flags; u64 valid_flags = 0; + if (kvm_arch_supports_gmem_mmap(kvm)) + valid_flags |= GUEST_MEMFD_FLAG_MMAP; + if (flags & ~valid_flags) return -EINVAL; -- 2.50.0.727.gbf7dc18ff4-goog
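
Review bot: in the include/linux/kvm_host.h hunk, the comment says arch code "must define kvm_arch_supports_gmem_mmap", but the "#if !defined(kvm_arch_supports_gmem_mmap)" fallback directly below it returns false, so an architecture that omits the definition builds cleanly and silently rejects the flag. Reword the comment to say that the default is "not supported" and that arch code overrides it to opt in. Using "#ifndef" would also match the "#ifndef kvm_arch_has_readonly_mem" block that follows in the context lines.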
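
Review bot: GUEST_MEMFD_FLAG_MMAP in the include/uapi/linux/kvm.h hunk is added without any comment, although the commit message gives the flag two distinct effects: it permits mmap() and faulting by host userspace, and it tells KVM to consume both shared and private guest faults from guest_memfd. Because this is a uapi header, put a short comment on the define stating both, so the second effect is not discoverable only from the commit log.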
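
Review bot: in the virt/kvm/Kconfig hunk, KVM_GMEM_SUPPORTS_MMAP lists "select KVM_GMEM" before its "bool" type line, while the HAVE_KVM_ARCH_GMEM_INVALIDATE entry visible just above puts "bool" first. Put the type line first so the new entry reads like its neighbours.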
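
Review bot: in kvm_gmem_fault_user_mapping() (virt/kvm/guest_memfd.c, the -312,7 +312,77 hunk), the zeroing step clears only folio_page(folio, 0) and then calls kvm_gmem_mark_prepared() on the whole folio, which is safe only because of the WARN_ON_ONCE(folio_test_large(folio)) bail-out a few lines earlier. The commit message lists huge page support as planned follow-up work, so add a comment at the clear_highpage() call tying it to that check, or clear the full folio, so that relaxing the check later cannot map uncleared pages into host userspace. The VM_SHARED | VM_MAYSHARE test in kvm_gmem_mmap() would also benefit from a one-line comment saying why private mappings are refused.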
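
Review bot: the two gates disagree. kvm_gmem_create() adds GUEST_MEMFD_FLAG_MMAP to valid_flags based only on kvm_arch_supports_gmem_mmap(kvm), while kvm_gmem_supports_mmap() in the earlier hunk additionally requires IS_ENABLED(CONFIG_KVM_GMEM_SUPPORTS_MMAP). If an architecture returns true with the Kconfig option off, creation accepts the flag and the later mmap() fails with -ENODEV. Check the same condition in both places, for example by also testing IS_ENABLED(CONFIG_KVM_GMEM_SUPPORTS_MMAP) before setting the bit in valid_flags, so that an unusable flag is rejected with -EINVAL at creation time.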
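
The userspace side of the contract that the commit message and kvm_gmem_mmap() describe, as an added example that is not part of the patch or the series: it creates a guest_memfd with GUEST_MEMFD_FLAG_MMAP and checks that a MAP_PRIVATE mapping is refused and that the first fault on a MAP_SHARED mapping returns a zeroed page. It assumes a kernel with the whole series applied and a VM of type 0; the GM_ names, the result enum and both function names are made up for the example, and the ioctl numbers and struct layout are mirrored locally from the uapi header.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
/* Local mirrors of the uapi definitions (KVMIO is 0xAE); the GM_ names are this example's own. */
struct gm_create { uint64_t size, flags, reserved[6]; };   /* struct kvm_create_guest_memfd */
#define GM_KVM_CREATE_VM      _IO(0xAE, 0x01)
#define GM_CREATE_GUEST_MEMFD _IOWR(0xAE, 0xd4, struct gm_create)
#define GM_FLAG_MMAP          (1ULL << 0)                   /* GUEST_MEMFD_FLAG_MMAP */

enum gm_result { GM_NO_KVM, GM_FLAG_REJECTED, GM_SHARED_FAILED,
                 GM_PRIVATE_ALLOWED, GM_STALE_DATA, GM_CONTRACT_OK };

/* Check one mmap-enabled guest_memfd against the rules kvm_gmem_mmap() enforces. */
static enum gm_result check_mapping(int gfd, size_t len)
{
    void *priv = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, gfd, 0);
    if (priv != MAP_FAILED) {           /* the patch returns -EINVAL for this */
        munmap(priv, len);
        return GM_PRIVATE_ALLOWED;
    }
    volatile unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, gfd, 0);
    if (p == MAP_FAILED) return GM_SHARED_FAILED;
    /* First touch goes through the fault handler, which must hand back a zeroed page. */
    enum gm_result res = GM_CONTRACT_OK;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0) { res = GM_STALE_DATA; break; }
    munmap((void *)p, len);
    return res;
}

enum gm_result probe_gmem_mmap(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int kvm = open("/dev/kvm", O_RDWR);
    if (kvm < 0) return GM_NO_KVM;
    int vm = ioctl(kvm, GM_KVM_CREATE_VM, 0UL);             /* VM type 0 is an assumption */
    struct gm_create args = { .size = len, .flags = GM_FLAG_MMAP };
    int gfd = vm < 0 ? -1 : ioctl(vm, GM_CREATE_GUEST_MEMFD, &args);
    enum gm_result res = vm < 0 ? GM_NO_KVM
                       : gfd < 0 ? GM_FLAG_REJECTED : check_mapping(gfd, len);
    if (gfd >= 0) close(gfd);
    if (vm >= 0) close(vm);
    close(kvm);
    return res;
}

int main(void) { printf("guest_memfd mmap probe: %d\n", (int)probe_gmem_mmap()); return 0; }
```

GM_FLAG_REJECTED is the expected result on a kernel where the flag is not in valid_flags, which includes a kernel carrying only this patch.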