Date: Wed, 14 May 2025 06:52:48 -0700
References: <20250513163438.3942405-1-tabba@google.com> <20250513163438.3942405-9-tabba@google.com>
Subject: Re: [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range
From: Sean Christopherson
To: Ackerley Tng
Cc: Fuad Tabba, James Houghton, kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org, pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, peterx@redhat.com, pankaj.gupta@amd.com, ira.weiny@intel.com

On Wed, May 14, 2025, Ackerley Tng wrote:
> Sean Christopherson writes:
> > On Wed, May 14, 2025, Fuad Tabba wrote:
> >> On Tue, 13 May 2025 at 21:31, James Houghton wrote:
> >> > > @@ -585,9 +611,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, > >> > > offset + size > i_size_read(inode)) > >> > > goto err; > >> > > > >> > > - if (kvm_gmem_supports_shared(inode) && > >> > > - !kvm_arch_vm_supports_gmem_shared_mem(kvm)) > >> > > - goto err; > >> > > + if (kvm_gmem_supports_shared(inode)) { > >> > > + if (!kvm_arch_vm_supports_gmem_shared_mem(kvm)) > >> > > + goto err; > >> > > + > >> > > + if (slot->userspace_addr && > >> > > + !kvm_gmem_is_same_range(kvm, slot, file, offset)) > >> > > + goto err; > >> > > >> > This is very nit-picky, but I would rather this not be -EINVAL, maybe > >> > -EIO instead? Or maybe a pr_warn_once() and let the call proceed? > > > > Or just omit the check entirely. The check isn't binding (ba-dump, ching!), > > because the mapping/VMA can change the instant mmap_read_unlock() is called. > > > >> > The userspace_addr we got isn't invalid per se, we're just trying to > >> > give a hint to the user that their VMAs (or the userspace address they > >> > gave us) are messed up. I don't really like lumping this in with truly > >> > invalid arguments. > >> > >> I don't mind changing the return error, but I don't think that we > >> should have a kernel warning (pr_warn_once) for something userspace > >> can trigger. > > > > This isn't a WARN, e.g. won't trip panic_on_warn. In practice, it's not > > meaningfully different than pr_info(). That said, I agree that printing anything > > is a bad approach. > > > >> It's not an IO error either. I think that this is an invalid argument > >> (EINVAL). > > > > I agree with James, this isn't an invalid argument. Having the validity of an > > input hinge on the ordering between a KVM ioctl() and mmap() is quite odd. I > > know KVM arm64 does exactly this for KVM_SET_USER_MEMORY_REGION{,2}, but I don't > > love the semantics. And unlike that scenario, where e.g. 
MTE tags are verified
> > again at fault-time, KVM won't re-check the VMA when accessing guest memory via
> > the userspace mapping, e.g. through uaccess.
> >
> > Unless I'm forgetting something, I'm leaning toward omitting the check entirely.
> >
>
> I'm good with dropping this patch. I might have misunderstood the conclusion
> of the guest_memfd call.

No, I don't think you misunderstood anything. It's just that sometimes opinions differ when there's actual code, versus a verbal discussion. I.e. this sounds like a good idea, but when seeing the code and thinking through the effects, it's less appealing.
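
Review bot: In the kvm_gmem_bind() hunk, the new `slot->userspace_addr && !kvm_gmem_is_same_range(kvm, slot, file, offset)` branch jumps to the same `err` label as the offset/size checks just above it, so a caller cannot tell a userspace mapping mismatch apart from a bad offset or size. The comparison also runs only once, at bind time, and only when `slot->userspace_addr` is non-zero; nothing in these lines keeps the userspace mapping fixed after the check returns. If the check stays, give it its own error path and a comment stating that it is a best-effort hint rather than a guarantee; otherwise drop it from this hunk and keep only the `kvm_arch_vm_supports_gmem_shared_mem(kvm)` test.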