From: Vishal Annapurve
Date: Thu, 10 Aug 2023 16:57:36 -0700
Subject: Re: [RFC PATCH v11 12/29] KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory
To: Sean Christopherson
Cc: Ackerley Tng, pbonzini@redhat.com, maz@kernel.org, oliver.upton@linux.dev,
    chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org,
    paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu,
    willy@infradead.org, akpm@linux-foundation.org, paul@paul-moore.com,
    jmorris@namei.org, serge@hallyn.com, kvm@vger.kernel.org,
    linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
    linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
    kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org,
    linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
    linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org,
    chao.p.peng@linux.intel.com, tabba@google.com, jarkko@kernel.org,
    yu.c.zhang@linux.intel.com, mail@maciej.szmigiero.name, vbabka@suse.cz,
    david@redhat.com, qperret@google.com, michael.roth@amd.com,
    wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com,
    kirill.shutemov@linux.intel.com
References: <20230718234512.1690985-13-seanjc@google.com>

On Tue, Aug 8, 2023 at 2:13 PM Sean Christopherson wrote:
> ...
> > + When binding a memslot to the file, if a kvm pointer exists, it must
> >   be the same kvm as the one in this binding
> > + When the binding to the last memslot is removed from a file, NULL the
> >   kvm pointer.
>
> Nullifying the KVM pointer isn't sufficient, because without additional actions
> userspace could extract data from a VM by deleting its memslots and then binding
> the guest_memfd to an attacker controlled VM.  Or more likely with TDX and SNP,
> induce badness by coercing KVM into mapping memory into a guest with the wrong
> ASID/HKID.
>

TDX/SNP have mechanisms i.e. PAMT/RMP tables to ensure that the same
memory is not assigned to two different VMs. Deleting memslots should
also clear out the contents of the memory as the EPT tables will be
zapped in the process and the host will reclaim the memory.

Regards,
Vishal
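
A toy userspace model of the two binding rules quoted in this thread, added here as an illustration; it is not code from KVM or from either author, and the struct names, function names and the `scrub` flag are assumptions of the example. It shows that NULLing the kvm pointer on the last unbind, with no further action, leaves the earlier contents readable by the next VM that binds the file.

```c
#include <stddef.h>
#include <string.h>

/* Toy model only: these types and helpers are hypothetical, not KVM's. */
struct vm { int id; };

struct gmem_file {
    struct vm *kvm;     /* owning VM, NULL when no memslot is bound */
    int nr_bindings;    /* memslots currently bound to this file */
    char data[16];      /* stands in for guest-private page contents */
};

/* Rule 1 from the thread: an existing kvm pointer must match the binder. */
static int gmem_bind(struct gmem_file *f, struct vm *vm)
{
    if (f->kvm && f->kvm != vm)
        return -1;
    f->kvm = vm;
    f->nr_bindings++;
    return 0;
}

/* Rule 2: when the last binding goes away, NULL the kvm pointer.
 * 'scrub' models one possible "additional action" (an assumption here). */
static void gmem_unbind(struct gmem_file *f, int scrub)
{
    if (f->nr_bindings == 0 || --f->nr_bindings > 0)
        return;
    f->kvm = NULL;
    if (scrub)
        memset(f->data, 0, sizeof(f->data));
}

/* Returns 1 if data written while bound to VM A is still present after the
 * file is rebound to VM B, 0 if not, -1 if a step behaved unexpectedly. */
static int data_survives_rebind(int scrub)
{
    struct vm a = { 1 }, b = { 2 };
    struct gmem_file f = { 0 };
    if (gmem_bind(&f, &a)) return -1;
    memcpy(f.data, "guest-A-secret", 15);     /* constructed sample contents */
    if (gmem_bind(&f, &b) == 0) return -1;    /* rule 1 refuses B while A is bound */
    gmem_unbind(&f, scrub);
    if (gmem_bind(&f, &b)) return -1;         /* rule 2 now lets B bind */
    return f.data[0] != 0;
}

int main(void) { return !(data_survives_rebind(0) == 1 && data_survives_rebind(1) == 0); }
```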