From: Sean Christopherson <seanjc@google.com>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Ackerley Tng <ackerleytng@google.com>,
Alexey Kardashevskiy <aik@amd.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
Kevin Tian <kevin.tian@intel.com>, Joerg Roedel <joro@8bytes.org>,
Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Steve Sistare <steven.sistare@oracle.com>,
Nicolin Chen <nicolinc@nvidia.com>,
iommu@lists.linux.dev, linux-coco@lists.linux.dev,
Dan Williams <dan.j.williams@intel.com>,
Santosh Shukla <santosh.shukla@amd.com>,
"Pratik R . Sampat" <prsampat@amd.com>,
Fuad Tabba <tabba@google.com>,
Xu Yilun <yilun.xu@linux.intel.com>,
"Aneesh Kumar K . V" <aneesh.kumar@kernel.org>,
michael.roth@amd.com, vannapurve@google.com
Subject: Re: [RFC PATCH kernel] iommufd: Allow mapping from KVM's guest_memfd
Date: Thu, 26 Feb 2026 14:40:50 -0800 [thread overview]
Message-ID: <aaDL8tYrVCWlQg79@google.com> (raw)
In-Reply-To: <20260226190757.GA44359@ziepe.ca>
On Thu, Feb 26, 2026, Jason Gunthorpe wrote:
> On Thu, Feb 26, 2026 at 12:19:52AM -0800, Ackerley Tng wrote:
> > Sean Christopherson <seanjc@google.com> writes:
> >
> > > On Wed, Feb 25, 2026, Alexey Kardashevskiy wrote:
> > >> For the new guest_memfd type, no additional reference is taken as
> > >> pinning is guaranteed by the KVM guest_memfd library.
> > >>
> > >> There is no KVM-GMEMFD->IOMMUFD direct notification mechanism as
> > >> the assumption is that:
> > >> 1) page stage change events will be handled by VMM which is going
> > >> to call IOMMUFD to remap pages;
> > >> 2) shrinking GMEMFD equals to VM memory unplug and VMM is going to
> > >> handle it.
> > >
> > > The VMM is outside of the kernel's effective TCB. Assuming the VMM will always
> > > do the right thing is a non-starter.
> >
> > I think looking up the guest_memfd file from the userspace address
> > (uptr) is a good start
>
> Please no, if we need complicated things like notifiers then it is
> better to start directly with the struct file interface and get
> immediately into some guestmemfd API instead of trying to get their
> from a VMA. A VMA doesn't help in any way and just complicates things.
+1000. Anything that _requires_ a VMA to do something with guest_memfd is broken
by design.
> > I didn't think of this before LPC but forcing unmapping during
> > truncation (aka shrinking guest_memfd) is probably necessary for overall
> > system stability and correctness, so notifying and having guest_memfd
> > track where its pages were mapped in the IOMMU is necessary. Whether or
> > not to unmap during conversions could be a arch-specific thing, but all
> > architectures would want the memory unmapped if the memory is removed
> > from guest_memfd ownership.
>
> Things like truncate are a bit easier to handle, you do need a
> protective notifier, but if it detects truncate while an iommufd area
> still covers the truncated region it can just revoke the whole
> area. Userspace made a mistake and gets burned but the kernel is
> safe. We don't need something complicated kernel side to automatically
> handle removing just the slice of truncated guestmemfd, for example.
Yeah, as long as the behavior is well-documented from time zero, we can probably
get away with fairly draconian behavior.
> If guestmemfd is fully pinned and cannot free memory outside of
> truncate that may be good enough (though somehow I think that is not
> the case)
With in-place conversion, PUNCH_HOLE and private=>shared conversions are the only
two ways to partial "remove" memory from guest_memfd, so it may really be that
simple.
next prev parent reply other threads:[~2026-02-26 22:40 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-25 7:52 [RFC PATCH kernel] iommufd: Allow mapping from KVM's guest_memfd Alexey Kardashevskiy
2026-02-25 13:55 ` Sean Christopherson
2026-02-26 6:47 ` Alexey Kardashevskiy
2026-02-26 19:27 ` Jason Gunthorpe
2026-02-27 11:03 ` Xu Yilun
2026-02-26 8:19 ` Ackerley Tng
2026-02-26 19:07 ` Jason Gunthorpe
2026-02-26 22:40 ` Sean Christopherson [this message]
2026-02-27 0:21 ` Jason Gunthorpe
2026-02-27 0:28 ` Sean Christopherson
2026-02-27 1:09 ` Jason Gunthorpe
2026-02-27 10:35 ` Xu Yilun
2026-02-27 13:18 ` Jason Gunthorpe
2026-02-28 4:14 ` Xu Yilun
2026-02-28 18:29 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaDL8tYrVCWlQg79@google.com \
--to=seanjc@google.com \
--cc=ackerleytng@google.com \
--cc=aik@amd.com \
--cc=aneesh.kumar@kernel.org \
--cc=dan.j.williams@intel.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=nicolinc@nvidia.com \
--cc=pbonzini@redhat.com \
--cc=prsampat@amd.com \
--cc=robin.murphy@arm.com \
--cc=santosh.shukla@amd.com \
--cc=steven.sistare@oracle.com \
--cc=tabba@google.com \
--cc=vannapurve@google.com \
--cc=will@kernel.org \
--cc=yilun.xu@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox