Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp458423ybb;
        Wed, 8 Apr 2020 03:26:14 -0700 (PDT)
X-Google-Smtp-Source: APiQypJKCsxsMCWLLebqQePSkGbTG72gGZgl7rKnK4u+y0bvpE+QfN9HTC5/1y0z2l29/zK8a46/
X-Received: by 2002:a05:6830:2411:: with SMTP id j17mr4971882ots.257.1586341573895;
        Wed, 08 Apr 2020 03:26:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586341573; cv=none;
        d=google.com; s=arc-20160816;
        b=zDxpe+2DuMV+VRDjSaCtgHlgH/NVqOJbZVY5uWF11Sz81TxL3u1rW5mjcYZ4ZRA9N/
         ePTo6Ozve+ZCWE8x0pFdn9K2WN4A3eDRCMI6IZ0Ac0nOqXgskZg8Azi69Lhr32+vGIB8
         aobcmL+VqBtDu7tNMr6pdcY1aOC9YvgY/5kG+Ie4c0Sh2svQlbjXYW3AeOMH9sgFWnxA
         5eNobAiIuoNyoh04FDNO8XCqWTabt/nNLW1O7b1eWXOf+ziq4rUXww5mo417Vu5bW9+B
         0U+w8TU8OxPZIiGfJFU2chq8v1U06Yv6nL6gkK3N8zVI1pdcLkMLVQ5M6f74hMQKeF1P
         Hf+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:references:in-reply-to:subject:cc:to:from;
        bh=74hBQamUKnBEQu10a5ICxG9adna+S6IMjR5gKdTTUOc=;
        b=l00J+Fl+ZjCsJWIlsNUeIbSi5aKi1eqaCLgrUEh9V0nW7PL5XP2pUHEfvi/Yc07C4u
         10xXnToztgGmFnZO6mYS/tjD0/zmEQV2JyrEdA540NsUSUtjV8ezvMfZkiJ/o0IqvlT6
         NankUGZzV7iHmf3p3YzG8BZPtoIKncCqs9nDRn8R9XLbwtKAqTWfw8pyC+aELNJ3DTgl
         HsKICQyVmctIONOFDpDD61qlLhFCT9IQ7wA/urDhOVYvjBe8MJYbnmeJgIe6WtoEzRLr
         9jyHnvSQuF/E0rZO6k4pCIKc9j166PZHSgCIMP/oUzTPd1ptqtutZrWU9LDi2vyH0qqq
         4oDw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q10si1769138oij.227.2020.04.08.03.25.59;
        Wed, 08 Apr 2020 03:26:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727935AbgDHKMN convert rfc822-to-8bit (ORCPT
        <rfc822;zjuysxie86@gmail.com> + 99 others);
        Wed, 8 Apr 2020 06:12:13 -0400
Received: from Galois.linutronix.de ([193.142.43.55]:49398 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726632AbgDHKMN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 8 Apr 2020 06:12:13 -0400
Received: from p5de0bf0b.dip0.t-ipconnect.de ([93.224.191.11] helo=nanos.tec.linutronix.de)
        by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
        (Exim 4.80)
        (envelope-from <tglx@linutronix.de>)
        id 1jM7gj-0004in-9o; Wed, 08 Apr 2020 12:12:05 +0200
Received: by nanos.tec.linutronix.de (Postfix, from userid 1000)
        id B495C10069D; Wed,  8 Apr 2020 12:12:04 +0200 (CEST)
From:   Thomas Gleixner <tglx@linutronix.de>
To:     Andy Lutomirski <luto@amacapital.net>
Cc:     Vivek Goyal <vgoyal@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Andy Lutomirski <luto@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        kvm list <kvm@vger.kernel.org>, stable <stable@vger.kernel.org>
Subject: Re: [PATCH v2] x86/kvm: Disable KVM_ASYNC_PF_SEND_ALWAYS
In-Reply-To: <F2BD5266-A9E5-41C8-AC64-CC33EB401B37@amacapital.net>
References: <877dyqkj3h.fsf@nanos.tec.linutronix.de> <F2BD5266-A9E5-41C8-AC64-CC33EB401B37@amacapital.net>
Date:   Wed, 08 Apr 2020 12:12:04 +0200
Message-ID: <87v9mab823.fsf@nanos.tec.linutronix.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8BIT
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,  ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Andy Lutomirski <luto@amacapital.net> writes:
>> On Apr 7, 2020, at 3:48 PM, Thomas Gleixner <tglx@linutronix.de> wrote:
>>   Inject #MC
>
> No, not what I meant. Host has two sane choices here IMO:
>
> 1. Tell the guest that the page is gone as part of the wakeup. No #PF or #MC.
>
> 2. Tell guest that it’s resolved and inject #MC when the guest
> retries.  The #MC is a real fault, RIP points to the right place, etc.

Ok, that makes sense.

>>> 1. Access to bad memory results in an async-page-not-present, except
>>> that, it’s not deliverable, the guest is killed.
>> 
>> That's incorrect. The proper reaction is a real #PF. Simply because this
>> is part of the contract of sharing some file backed stuff between host
>> and guest in a well defined "virtio" scenario and not a random access to
>> memory which might be there or not.
>
> The problem is that the host doesn’t know when #PF is safe. It’s sort
> of the same problem that async pf has now.  The guest kernel could
> access the problematic page in the middle of an NMI, under
> pagefault_disable(), etc — getting #PF as a result of CPL0 access to a
> page with a valid guest PTE is simply not part of the x86
> architecture.

Fair enough. 

> Replace copy_to_user() with some access to a gup-ed mapping with no
> extable handler and it doesn’t look so good any more.

In this case the guest needs to die.

> Of course, the guest will oops if this happens, but the guest needs to
> be able to oops cleanly. #PF is too fragile for this because it’s not
> IST, and #PF is the wrong thing anyway — #PF is all about
> guest-virtual-to-guest-physical mappings.  Heck, what would CR2 be?
> The host might not even know the guest virtual address.

It knows, but I can see your point.

>>> 2. Access to bad memory results in #MC.  Sure, #MC is a turd, but it’s
>>> an *architectural* turd. By all means, have a nice simple PV mechanism
>>> to tell the #MC code exactly what went wrong, but keep the overall
>>> flow the same as in the native case.
>> 
>> It's a completely different flow as you evaluate PV turd instead of
>> analysing the MCE banks and the other error reporting facilities.
>
> I’m fine with the flow being different. do_machine_check() could have
> entirely different logic to decide the error in PV.  But I think we
> should reuse the overall flow: kernel gets #MC with RIP pointing to
> the offending instruction. If there’s an extable entry that can handle
> memory failure, handle it. If it’s a user access, handle it.  If it’s
> an unrecoverable error because it was a non-extable kernel access,
> oops or panic.
>
> The actual PV part could be extremely simple: the host just needs to
> tell the guest “this #MC is due to memory failure at this guest
> physical address”.  No banks, no DIMM slot, no rendezvous crap (LMCE),
> no other nonsense.  It would be nifty if the host also told the guest
> what the guest virtual address was if the host knows it.

It does. The EPT violations store:

  - guest-linear address
  - guest-physical address

That's also part of the #VE exception to which Paolo was referring.

Thanks,

        tglx