Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2753302pxb; Tue, 9 Mar 2021 09:59:24 -0800 (PST) X-Google-Smtp-Source: ABdhPJybmqIZtsj4qVzLti4FiOBJXu4ubnyd4Wk5SRJe1/N9Sj/Bj5xxPYaBPL6nIR/pEgAK6Oj9 X-Received: by 2002:a17:906:c081:: with SMTP id f1mr21770898ejz.97.1615312764484; Tue, 09 Mar 2021 09:59:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615312764; cv=none; d=google.com; s=arc-20160816; b=0RAfs3xnm8EhWdC5DQPRHEdkZG4951to1udaFP0Ig16lUWnEuQne93/wIFKAxIKpw6 PTtObHpLkggqcWR5Nd3Lare6yYuHmg2WtOE9u0xILv/1a0Qm3QVH69UdV/DMnrhSARu+ gyR3P+CK82292XFf60StS2l6ddX7pBJ7IIH6t1xASU60A0KLzGC0c8K1OVMr88VBStvC 8QgCqUtlCIP+euhq3XB2sJLgo21H96n1sHbkHHHQqhGo+inguZLtGtLJ23so0TD5asJM lagTY9b+iaPWN/mHeIVHxFiyU9MMkKrk3ppQHbGze5YTolbZjAAHMaWAuqUc8X2mKGra TKRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:in-reply-to :subject:cc:to:from:message-id:date; bh=MlUSd85Hj5OIE/Fr7n6WnKNZg62n95Dqm7uXSfBo3RE=; b=HwJP0JQSdQydqu9lE6oHKvJHcFL5zp1ZfbA5S+wJSg9r2RVw9cH2xS2yQTO/8KvH37 lHovLSq7q1eb85xBj29AdGlvlDNp8DnXpbRaJoHmNEkcEfX8EM4OC4ufm0roN1AlWgR4 rBaWEAJdRYeY1eG0EuUmEICZcF0+fbMiejawWSmS+20LxMnEz60cq50/1E4/rOcTUYop frGfmnHXW3efh+EW2S+sscr9BWCFUSuE6cFJrN/VZut1auMSkvTg28RW2VY7+zeRh2Fn t/Qux0Ql54wq/bLHJPZtp77IxpnswlHYGhZ50JnA5dI2NsDjCBAcdiauN7lh6SFsxiCE 0C+w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jz18si8921882ejc.575.2021.03.09.09.59.01; Tue, 09 Mar 2021 09:59:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231571AbhCIR6E (ORCPT + 99 others); Tue, 9 Mar 2021 12:58:04 -0500 Received: from mail.kernel.org ([198.145.29.99]:51822 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230504AbhCIR5w (ORCPT ); Tue, 9 Mar 2021 12:57:52 -0500 Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 109B76522E; Tue, 9 Mar 2021 17:57:52 +0000 (UTC) Received: from 78.163-31-62.static.virginmediabusiness.co.uk ([62.31.163.78] helo=why.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from ) id 1lJgc9-000biu-V8; Tue, 09 Mar 2021 17:57:50 +0000 Date: Tue, 09 Mar 2021 17:57:49 +0000 Message-ID: <87ft14xl9e.wl-maz@kernel.org> From: Marc Zyngier To: Steven Price Cc: Catalin Marinas , Will Deacon , James Morse , Julien Thierry , Suzuki K Poulose , kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Dave Martin , Mark Rutland , Thomas Gleixner , qemu-devel@nongnu.org, Juan Quintela , "Dr. David Alan Gilbert" , Richard Henderson , Peter Maydell , Haibo Xu , Andrew Jones Subject: Re: [PATCH v9 5/6] KVM: arm64: ioctl to fetch/store tags in a guest In-Reply-To: <20210301142315.30920-6-steven.price@arm.com> References: <20210301142315.30920-1-steven.price@arm.com> <20210301142315.30920-6-steven.price@arm.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-SA-Exim-Connect-IP: 62.31.163.78 X-SA-Exim-Rcpt-To: steven.price@arm.com, catalin.marinas@arm.com, will@kernel.org, james.morse@arm.com, julien.thierry.kdev@gmail.com, suzuki.poulose@arm.com, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Dave.Martin@arm.com, mark.rutland@arm.com, tglx@linutronix.de, qemu-devel@nongnu.org, quintela@redhat.com, dgilbert@redhat.com, richard.henderson@linaro.org, peter.maydell@linaro.org, Haibo.Xu@arm.com, drjones@redhat.com X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 01 Mar 2021 14:23:14 +0000, Steven Price wrote: > > The VMM may not wish to have it's own mapping of guest memory mapped > with PROT_MTE because this causes problems if the VMM has tag checking > enabled (the guest controls the tags in physical RAM and it's unlikely > the tags are correct for the VMM). > > Instead add a new ioctl which allows the VMM to easily read/write the > tags from guest memory, allowing the VMM's mapping to be non-PROT_MTE > while the VMM can still read/write the tags for the purpose of > migration. > > Signed-off-by: Steven Price > --- > arch/arm64/include/uapi/asm/kvm.h | 13 +++++++ > arch/arm64/kvm/arm.c | 57 +++++++++++++++++++++++++++++++ > include/uapi/linux/kvm.h | 1 + > 3 files changed, 71 insertions(+) > > diff --git a/arch/arm64/include/uapi/asm/kvm.h b/arch/arm64/include/uapi/asm/kvm.h > index 24223adae150..5fc2534ac5df 100644 > --- a/arch/arm64/include/uapi/asm/kvm.h > +++ b/arch/arm64/include/uapi/asm/kvm.h > @@ -184,6 +184,19 @@ struct kvm_vcpu_events { > __u32 reserved[12]; > }; > > +struct kvm_arm_copy_mte_tags { > + __u64 guest_ipa; > + __u64 length; > + union { > + void __user *addr; > + __u64 padding; > + }; > + __u64 flags; I'd be keen on a couple of reserved __64s. Just in case... > +}; > + > +#define KVM_ARM_TAGS_TO_GUEST 0 > +#define KVM_ARM_TAGS_FROM_GUEST 1 > + > /* If you need to interpret the index values, here is the key: */ > #define KVM_REG_ARM_COPROC_MASK 0x000000000FFF0000 > #define KVM_REG_ARM_COPROC_SHIFT 16 > diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c > index 46bf319f6cb7..01d404833e24 100644 > --- a/arch/arm64/kvm/arm.c > +++ b/arch/arm64/kvm/arm.c > @@ -1297,6 +1297,53 @@ static int kvm_vm_ioctl_set_device_addr(struct kvm *kvm, > } > } > > +static int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, > + struct kvm_arm_copy_mte_tags *copy_tags) > +{ > + gpa_t guest_ipa = copy_tags->guest_ipa; > + size_t length = copy_tags->length; > + void __user *tags = copy_tags->addr; > + gpa_t gfn; > + bool write = !(copy_tags->flags & KVM_ARM_TAGS_FROM_GUEST); > + > + if (copy_tags->flags & ~KVM_ARM_TAGS_FROM_GUEST) > + return -EINVAL; > + > + if (length & ~PAGE_MASK || guest_ipa & ~PAGE_MASK) > + return -EINVAL; It is a bit odd to require userspace to provide a page-aligned addr/size, as it now has to find out about the kernel's page size. MTE_GRANULE_SIZE-aligned values would make more sense. Is there an underlying reason for this? > + > + gfn = gpa_to_gfn(guest_ipa); > + > + while (length > 0) { > + kvm_pfn_t pfn = gfn_to_pfn_prot(kvm, gfn, write, NULL); > + void *maddr; > + unsigned long num_tags = PAGE_SIZE / MTE_GRANULE_SIZE; > + > + if (is_error_noslot_pfn(pfn)) > + return -ENOENT; > + > + maddr = page_address(pfn_to_page(pfn)); > + > + if (!write) { > + num_tags = mte_copy_tags_to_user(tags, maddr, num_tags); > + kvm_release_pfn_clean(pfn); > + } else { > + num_tags = mte_copy_tags_from_user(maddr, tags, > + num_tags); > + kvm_release_pfn_dirty(pfn); > + } > + Is it actually safe to do this without holding any lock, without checking anything against the mmu_notifier_seq? What if the pages are being swapped out? Or the memslot removed from under your feet? It looks... dangerous. Do you even want to allow this while vcpus are actually running? > + if (num_tags != PAGE_SIZE / MTE_GRANULE_SIZE) > + return -EFAULT; > + > + gfn++; > + tags += num_tags; > + length -= PAGE_SIZE; > + } > + > + return 0; > +} > + > long kvm_arch_vm_ioctl(struct file *filp, > unsigned int ioctl, unsigned long arg) > { > @@ -1333,6 +1380,16 @@ long kvm_arch_vm_ioctl(struct file *filp, > > return 0; > } > + case KVM_ARM_MTE_COPY_TAGS: { > + struct kvm_arm_copy_mte_tags copy_tags; > + > + if (!kvm_has_mte(kvm)) > + return -EINVAL; > + > + if (copy_from_user(©_tags, argp, sizeof(copy_tags))) > + return -EFAULT; > + return kvm_vm_ioctl_mte_copy_tags(kvm, ©_tags); > + } > default: > return -EINVAL; > } > diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h > index 05618a4abf7e..b75af0f9ba55 100644 > --- a/include/uapi/linux/kvm.h > +++ b/include/uapi/linux/kvm.h > @@ -1423,6 +1423,7 @@ struct kvm_s390_ucas_mapping { > /* Available with KVM_CAP_PMU_EVENT_FILTER */ > #define KVM_SET_PMU_EVENT_FILTER _IOW(KVMIO, 0xb2, struct kvm_pmu_event_filter) > #define KVM_PPC_SVM_OFF _IO(KVMIO, 0xb3) > +#define KVM_ARM_MTE_COPY_TAGS _IOR(KVMIO, 0xb4, struct kvm_arm_copy_mte_tags) > > /* ioctl for vm fd */ > #define KVM_CREATE_DEVICE _IOWR(KVMIO, 0xe0, struct kvm_create_device) > -- > 2.20.1 > > Thanks, M. -- Without deviation from the norm, progress is not possible.