* [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration
@ 2026-07-01 14:45 Pankaj Gupta
2026-07-01 16:25 ` David Hildenbrand (Arm)
0 siblings, 1 reply; 5+ messages in thread
From: Pankaj Gupta @ 2026-07-01 14:45 UTC (permalink / raw)
To: seanjc, pbonzini, tglx, mingo, dave.hansen
Cc: bp, x86, thomas.lendacky, hpa, david, yangge1116, kvm,
linux-kernel, pankaj.gupta, stable
commit 7e066cb9b71a ("KVM: SEV: Use long-term pin when registering encrypted memory regions")
added FOLL_LONGTERM to sev_mem_enc_register_region() so anonymous guest RAM is
migrated out of MIGRATE_CMA/ZONE_MOVABLE before a long term pin. This breaks
virtio-pmem which has file backed (MAP_SHARED) host mapping where GUP rejects
FOLL_WRITE | FOLL_LONGTERM since:
commit 8ac268436e6d ("mm/gup: disallow FOLL_LONGTERM GUP-nonfast writing to file-backed mappings")
commit a6e79df92e4a ("mm/gup: disallow FOLL_LONGTERM GUP-fast writing to file-backed mappings").
Drop FOLL_LONGTERM when registering encrypted memory regions and restore
the previous behavior.
Fixes: 7e066cb9b71a ("KVM: SEV: Use long-term pin when registering encrypted memory regions")
Cc: stable@vger.kernel.org
Signed-off-by: Pankaj Gupta <pankaj.gupta@amd.com>
---
arch/x86/kvm/svm/sev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 6c6a6d663e29..c4b53700f69e 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2764,7 +2764,7 @@ int sev_mem_enc_register_region(struct kvm *kvm,
return -ENOMEM;
region->pages = sev_pin_memory(kvm, range->addr, range->size, ®ion->npages,
- FOLL_WRITE | FOLL_LONGTERM);
+ FOLL_WRITE);
if (IS_ERR(region->pages)) {
ret = PTR_ERR(region->pages);
goto e_free;
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration 2026-07-01 14:45 [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration Pankaj Gupta @ 2026-07-01 16:25 ` David Hildenbrand (Arm) 2026-07-01 16:30 ` Sean Christopherson 0 siblings, 1 reply; 5+ messages in thread From: David Hildenbrand (Arm) @ 2026-07-01 16:25 UTC (permalink / raw) To: Pankaj Gupta, seanjc, pbonzini, tglx, mingo, dave.hansen Cc: bp, x86, thomas.lendacky, hpa, yangge1116, kvm, linux-kernel, stable On 7/1/26 16:45, Pankaj Gupta wrote: > commit 7e066cb9b71a ("KVM: SEV: Use long-term pin when registering encrypted memory regions") > added FOLL_LONGTERM to sev_mem_enc_register_region() so anonymous guest RAM is > migrated out of MIGRATE_CMA/ZONE_MOVABLE before a long term pin. This breaks > virtio-pmem which has file backed (MAP_SHARED) host mapping where GUP rejects > FOLL_WRITE | FOLL_LONGTERM since: > > commit 8ac268436e6d ("mm/gup: disallow FOLL_LONGTERM GUP-nonfast writing to file-backed mappings") > commit a6e79df92e4a ("mm/gup: disallow FOLL_LONGTERM GUP-fast writing to file-backed mappings"). > > Drop FOLL_LONGTERM when registering encrypted memory regions and restore > the previous behavior. But that breaks the original issue of breaking ZONE_MOVABLE/CMA? If it is a longterm pin, it must use FOLL_LONGTERM. :/ I assume we fail in check_vma_flags() if ((gup_flags & FOLL_LONGTERM) && vma_is_fsdax(vma)) return -EOPNOTSUPP; IIRC, fsdax cannot tolerate unbounded pins. Is that the case we are running into? How does vfio deal with that? (does it?) -- Cheers, David ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration 2026-07-01 16:25 ` David Hildenbrand (Arm) @ 2026-07-01 16:30 ` Sean Christopherson 2026-07-01 16:39 ` David Hildenbrand (Arm) 0 siblings, 1 reply; 5+ messages in thread From: Sean Christopherson @ 2026-07-01 16:30 UTC (permalink / raw) To: David Hildenbrand (Arm) Cc: Pankaj Gupta, pbonzini, tglx, mingo, dave.hansen, bp, x86, thomas.lendacky, hpa, yangge1116, kvm, linux-kernel, stable On Wed, Jul 01, 2026, David Hildenbrand (Arm) wrote: > On 7/1/26 16:45, Pankaj Gupta wrote: > > commit 7e066cb9b71a ("KVM: SEV: Use long-term pin when registering encrypted memory regions") > > added FOLL_LONGTERM to sev_mem_enc_register_region() so anonymous guest RAM is > > migrated out of MIGRATE_CMA/ZONE_MOVABLE before a long term pin. This breaks > > virtio-pmem which has file backed (MAP_SHARED) host mapping where GUP rejects > > FOLL_WRITE | FOLL_LONGTERM since: > > > > commit 8ac268436e6d ("mm/gup: disallow FOLL_LONGTERM GUP-nonfast writing to file-backed mappings") > > commit a6e79df92e4a ("mm/gup: disallow FOLL_LONGTERM GUP-fast writing to file-backed mappings"). > > > > Drop FOLL_LONGTERM when registering encrypted memory regions and restore > > the previous behavior. > > But that breaks the original issue of breaking ZONE_MOVABLE/CMA? Ya. > If it is a longterm pin, it must use FOLL_LONGTERM. :/ Heh, well, KVM showed that that's not entirely true for many years :-) Assuming we can't solve this some other way, and that there are "real" use cases that were broken by adding FOLL_LONGTERM, maybe this as a hack-a-fix? diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 74fb15551e83..ea136d79c963 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2752,6 +2752,25 @@ int sev_mem_enc_register_region(struct kvm *kvm, region->pages = sev_pin_memory(kvm, range->addr, range->size, ®ion->npages, FOLL_WRITE | FOLL_LONGTERM); + + /* + * On failure, attempt a "short"-term pin for backwards compatibility, + * in quotes because this isn't actually a short-term pin. The kernel + * disallows long-term writable pins on file-backed memory as a partial + * defense against the fundamental problem that most filesystems don't + * play nice with kernel writes via GUP (true short-term pins are much + * less likely to be problematic). + * + * Unfortunately, KVM (incorrectly) used a short-term pin for years, + * and so can't *require* a long-term pin. And for this use case, the + * potential filesystem crashes that occur with kernel writes are a + * non-issue, as KVM isn't using this pin to access guest memory, the + * pin is performed purely to prevent the memory from being migrated. + */ + if (IS_ERR(region->pages)) + region->pages = sev_pin_memory(kvm, range->addr, range->size, + ®ion->npages, FOLL_WRITE); + if (IS_ERR(region->pages)) { ret = PTR_ERR(region->pages); goto e_free; > I assume we fail in check_vma_flags() > > if ((gup_flags & FOLL_LONGTERM) && vma_is_fsdax(vma)) > return -EOPNOTSUPP; > > IIRC, fsdax cannot tolerate unbounded pins. Is that the case we are running into? > > How does vfio deal with that? (does it?) > > -- > Cheers, > > David ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration 2026-07-01 16:30 ` Sean Christopherson @ 2026-07-01 16:39 ` David Hildenbrand (Arm) 2026-07-01 16:56 ` Sean Christopherson 0 siblings, 1 reply; 5+ messages in thread From: David Hildenbrand (Arm) @ 2026-07-01 16:39 UTC (permalink / raw) To: Sean Christopherson Cc: Pankaj Gupta, pbonzini, tglx, mingo, dave.hansen, bp, x86, thomas.lendacky, hpa, yangge1116, kvm, linux-kernel, stable On 7/1/26 18:30, Sean Christopherson wrote: > On Wed, Jul 01, 2026, David Hildenbrand (Arm) wrote: >> On 7/1/26 16:45, Pankaj Gupta wrote: >>> commit 7e066cb9b71a ("KVM: SEV: Use long-term pin when registering encrypted memory regions") >>> added FOLL_LONGTERM to sev_mem_enc_register_region() so anonymous guest RAM is >>> migrated out of MIGRATE_CMA/ZONE_MOVABLE before a long term pin. This breaks >>> virtio-pmem which has file backed (MAP_SHARED) host mapping where GUP rejects >>> FOLL_WRITE | FOLL_LONGTERM since: >>> >>> commit 8ac268436e6d ("mm/gup: disallow FOLL_LONGTERM GUP-nonfast writing to file-backed mappings") >>> commit a6e79df92e4a ("mm/gup: disallow FOLL_LONGTERM GUP-fast writing to file-backed mappings"). >>> >>> Drop FOLL_LONGTERM when registering encrypted memory regions and restore >>> the previous behavior. >> >> But that breaks the original issue of breaking ZONE_MOVABLE/CMA? > > Ya. > >> If it is a longterm pin, it must use FOLL_LONGTERM. :/ > > Heh, well, KVM showed that that's not entirely true for many years :-) What exactly do you mean? KVM MMUs sync through memory notifiers and doesn't need this. It's only our "interesting" CoCo code :) > > Assuming we can't solve this some other way, and that there are "real" use cases > that were broken by adding FOLL_LONGTERM, maybe this as a hack-a-fix? Well, it's not a driver's decision to make. :P But, can we actually whitelist virtio-pmem in GUP code somehow? I mean, it does not suffer from the documented writeback issue, that we wanted to protect from. We similarly allow shmem and hugetlb there. -- Cheers, David ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration 2026-07-01 16:39 ` David Hildenbrand (Arm) @ 2026-07-01 16:56 ` Sean Christopherson 0 siblings, 0 replies; 5+ messages in thread From: Sean Christopherson @ 2026-07-01 16:56 UTC (permalink / raw) To: David Hildenbrand (Arm) Cc: Pankaj Gupta, pbonzini, tglx, mingo, dave.hansen, bp, x86, thomas.lendacky, hpa, yangge1116, kvm, linux-kernel, stable On Wed, Jul 01, 2026, David Hildenbrand (Arm) wrote: > On 7/1/26 18:30, Sean Christopherson wrote: > > On Wed, Jul 01, 2026, David Hildenbrand (Arm) wrote: > >> On 7/1/26 16:45, Pankaj Gupta wrote: > >>> commit 7e066cb9b71a ("KVM: SEV: Use long-term pin when registering encrypted memory regions") > >>> added FOLL_LONGTERM to sev_mem_enc_register_region() so anonymous guest RAM is > >>> migrated out of MIGRATE_CMA/ZONE_MOVABLE before a long term pin. This breaks > >>> virtio-pmem which has file backed (MAP_SHARED) host mapping where GUP rejects > >>> FOLL_WRITE | FOLL_LONGTERM since: > >>> > >>> commit 8ac268436e6d ("mm/gup: disallow FOLL_LONGTERM GUP-nonfast writing to file-backed mappings") > >>> commit a6e79df92e4a ("mm/gup: disallow FOLL_LONGTERM GUP-fast writing to file-backed mappings"). > >>> > >>> Drop FOLL_LONGTERM when registering encrypted memory regions and restore > >>> the previous behavior. > >> > >> But that breaks the original issue of breaking ZONE_MOVABLE/CMA? > > > > Ya. > > > >> If it is a longterm pin, it must use FOLL_LONGTERM. :/ > > > > Heh, well, KVM showed that that's not entirely true for many years :-) > > What exactly do you mean? KVM MMUs sync through memory notifiers and doesn't > need this. > > It's only our "interesting" CoCo code :) Yeah, I'm just being cheeky and saying that it's obviously possible to do what is effectively a long-term pint without specifying FOLL_LONGTERM, i.e. saying it "must" use FOLL_LONGTERM isn't super duper strictly true. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-07-01 16:56 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-07-01 14:45 [PATCH] KVM: SEV: drop FOLL_LONGTERM for encrypted region registration Pankaj Gupta 2026-07-01 16:25 ` David Hildenbrand (Arm) 2026-07-01 16:30 ` Sean Christopherson 2026-07-01 16:39 ` David Hildenbrand (Arm) 2026-07-01 16:56 ` Sean Christopherson
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox