From: Sean Christopherson <seanjc@google.com>
To: James Houghton <jthoughton@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Akinobu Mita <akinobu.mita@gmail.com>,
David Matlack <dmatlack@google.com>,
kvm@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] KVM: Add fault injection for some MMU operations
Date: Wed, 4 Mar 2026 07:39:24 -0800 [thread overview]
Message-ID: <aahSLC2-KNA9zC_F@google.com> (raw)
In-Reply-To: <20250806215133.43475-2-jthoughton@google.com>
On Wed, Aug 06, 2025, James Houghton wrote:
> Provide fault injection hooks for three operations:
> 1. For all architectures, retries due to invalidation notifiers.
> 2. For x86, TDP MMU cmpxchg updates for SPTEs.
> 3. For x86, TDP MMU SPTE iteration rescheduling.
>
> For all of these, fault injection can induce the uncommon cases: (1)
> that an invalidation occurred, (2) a cmpxchg failed, and (3) that the
> MMU lock is contended.
...
> @@ -689,7 +691,8 @@ static inline int __must_check __tdp_mmu_set_spte_atomic(struct kvm *kvm,
> * operates on fresh data, e.g. if it retries
> * tdp_mmu_set_spte_atomic()
> */
> - if (!try_cmpxchg64(sptep, &iter->old_spte, new_spte))
> + if (tdp_mmu_cmpxchg_should_fail() ||
> + !try_cmpxchg64(sptep, &iter->old_spte, new_spte))
As discovered internally, this can cause the WARN_ON_ONCE() at the end of
kvm_tdp_mmu_zap_possible_nx_huge_page() to fire, because the flow *guarantees*
success.
Thinking about this all a bit more, while I *really* like the idea of triggering
uncommon paths in theory, I'm having strong reservations about enabling this in
upstream, as I'm worried the signal:noise ratio could be abysmal.
For many configurations and setups, mmu_notifier invalidations and MMU lock
contention is actually quite common, i.e. in the aggregate, KVM actually gets
good coverage of those paths. Giving userspace a way to deliberate induce retry
for those cases doesn't seem like it will add much value, while at the same time
it could lead to a rash of "bugs" due to e.g. syzkaller setting extreme retry
percentages and manufacturing scenarios like stuck tasks that can't happen in
practice.
The CMPXCHG thing definitely has value, but as above even that is error prone to
some degree.
So if we want to take this forward, I think we should limit it to CMPXCHG, figure
out a clean way for callers to prevent failure injection, and set a fairly high
bar for extending failure injection to other areas. E.g. as was the case with
the CMPXCHG injection, a real KVM bug that is extremely rare in practice, but
relatively easy to trigger with artificial failure.
next prev parent reply other threads:[~2026-03-04 15:39 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-06 21:51 [PATCH 0/2] KVM: Fault injection James Houghton
2025-08-06 21:51 ` [PATCH 1/2] KVM: Add fault injection for some MMU operations James Houghton
2026-03-04 15:39 ` Sean Christopherson [this message]
2025-08-06 21:51 ` [PATCH 2/2] Documentation: fault-injection: Add entries for KVM fault injection points James Houghton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aahSLC2-KNA9zC_F@google.com \
--to=seanjc@google.com \
--cc=akinobu.mita@gmail.com \
--cc=dmatlack@google.com \
--cc=jthoughton@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox