Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp441982rdg; Tue, 10 Oct 2023 15:22:42 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGg6ziIrGvgHCnJ8Lj9UpTT+vEUMP1tRjP1lJyrHFvDHIaZZ9JO3v3kLPLc0GXUlpvZsVgi X-Received: by 2002:a05:6830:6b91:b0:6bd:be5:daa2 with SMTP id dd17-20020a0568306b9100b006bd0be5daa2mr21250756otb.33.1696976562581; Tue, 10 Oct 2023 15:22:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696976562; cv=none; d=google.com; s=arc-20160816; b=sz8b4Tugf5HPxKjIRmQl2m/+xhXV5UHrIv8KwkEYyYTBpsH1bOaMyrtxaUSJm7tcpB DNZb36mGbVsnfKngzLEQ8dRcM5C38zjpDtK5B3+ujPiujTlSmMJ6yduX9E/HwffCeb6f 5vSFblZ2ZqSCtCqUh/mLgtAX3qJBI7/fUl3IdIuwYqdCbD/b9yKnjDfIU7k78OD8Zk9X BepPwjAC0RmE9ZX5WW4x8/+xDo9cUbeCq+4VvXvAcgNQTwInhqB6pZImWH09vs+ewMKV DitsOMcns3x9JeD6nf9FolmO63fNeciQnzELo7evWRbaIwICToMSBUlnpYTQuMEtBGbN 9fNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=AJR3kzvdFAtjI4futU9HjQ8SFStLu7+FAsB2B+oCyxc=; fh=z43y+hIeOHyp2LFVOKv61M3A+ibCSA5GxeC25mFvBSs=; b=Wt9opH41NX0WOT10b7Xe8I9nlkp0x/keXii2GvL/6fg/Jgk1z27U9el8A1jnnaavqA Bxtp8Bp0ASktnpoyJG3GjvEgX/qQwdHT/MUfIJZa5GBrkvDpP4rQv9by7kYIoob+BYiN Fdv4PnjPBK79UDG7WkQDc+bvF2SA7ieWdiK3Jq5t/EL7Kpl6T6MLShI2wEp04lSSn0bu Ntc+Roz6ERU3j6/hReFntYM0qSS4aU4EQKIwzS8G3yO1NkQiulIGFiIF4RFPjSXtwyr5 /iRZSrtVyfd8JQVti+RRfJ26I4hxNfLAXRC4mwn2BOUBW2+YtRS8i8IeEWDMzOgjG/iC OFqw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=P1497PtI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id p21-20020a63c155000000b00578d1b590b0si11073742pgi.699.2023.10.10.15.22.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 15:22:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=P1497PtI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 2E09D81603B3; Tue, 10 Oct 2023 15:22:40 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229932AbjJJWWM (ORCPT + 99 others); Tue, 10 Oct 2023 18:22:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55924 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229769AbjJJWWK (ORCPT ); Tue, 10 Oct 2023 18:22:10 -0400 Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49A6D8F for ; Tue, 10 Oct 2023 15:22:08 -0700 (PDT) Received: by mail-wr1-x42b.google.com with SMTP id ffacd0b85a97d-32ccafde8e0so1078870f8f.1 for ; Tue, 10 Oct 2023 15:22:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696976527; x=1697581327; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=AJR3kzvdFAtjI4futU9HjQ8SFStLu7+FAsB2B+oCyxc=; b=P1497PtIUYMhMuqDYt+f1fy/SAiX1+io2/GSEU5Lpw1nRHbz3jOpH9m3TbB0pDGVr0 Kxh2iaJSFJDG1MqBwDWS4bgO+GyFlFq3Wmz6xGwpRTOM7ZYYFIMl2hz6fGk8sbiSda9i LW84lpMhZLvalYnRXNeXgenIRcmyyy08xe62YwDC/nfksb5L/yVD0LvRPEDuqYtfGDg5 dC1mBrVb108UKdlUK4XWkzOs77qLDiLPfnts8jm/mve4u40oUgZ1PjDUlIdL18LEazsW QUShs7mbCQa37y0WpO5TMgxCPhfVYaKfkrk3hqmW+mJY1C4IKjVD7VtPKu36sxanFROd IsRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696976527; x=1697581327; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=AJR3kzvdFAtjI4futU9HjQ8SFStLu7+FAsB2B+oCyxc=; b=JNSBZ+OnbRJ7wqpKGqcUYeYOqweeRtg5cVURghMWPYJO69rrP4PmJVNMmOFCGAgbeP nSw4EkecB5PnKxp+YbWyEduS7MySxOmuuYmwkjDKVDiWKWbTWEjJSlHBXxEUbBM30amV jqT0Vu7rtSb5ccQowi9OBJ/0ZeiKdww+dtSd1KTb4bgLrSwe1yOaJMDFfN7i3V4FwUvE nMLMdUPQ6slDyglQpUvED06aWiGbJKo2unyoJGi0Zf7kAIwrtop5BDiaKQBN6zs/xYZS QK+ZvI/GTSFT6sAAeOLKuqvmr1yWmMlX20AkcZQds6IB8oDqhOmW4llysmspOp4l82yQ lQuQ== X-Gm-Message-State: AOJu0Yw/2ItCPVVQnuvbzE4XamnGG7UnSwpSZoB2DyqZyh+O6SAMPHu0 +YH5/UguzHPTvSZelguxjFBUTAgCDb1s2+Frfj/UGQ== X-Received: by 2002:a5d:56d0:0:b0:31c:5c77:48ec with SMTP id m16-20020a5d56d0000000b0031c5c7748ecmr15648255wrw.62.1696976526640; Tue, 10 Oct 2023 15:22:06 -0700 (PDT) MIME-Version: 1.0 References: <20230914015531.1419405-1-seanjc@google.com> <20230914015531.1419405-8-seanjc@google.com> <117db856-9aec-e91c-b1d4-db2b90ae563d@intel.com> In-Reply-To: From: David Matlack Date: Tue, 10 Oct 2023 15:21:37 -0700 Message-ID: Subject: Re: [RFC PATCH v12 07/33] KVM: Add KVM_EXIT_MEMORY_FAULT exit to report faults to userspace To: Sean Christopherson Cc: Anish Moorthy , Xiaoyao Li , Paolo Bonzini , Marc Zyngier , Oliver Upton , Huacai Chen , Michael Ellerman , Anup Patel , kvm@vger.kernel.org, kvmarm@lists.linux.dev, kvm-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, Chao Peng , Fuad Tabba , Jarkko Sakkinen , Yu Zhang , Isaku Yamahata , Xu Yilun , Vlastimil Babka , Vishal Annapurve , Ackerley Tng , Maciej Szmigiero , David Hildenbrand , Quentin Perret , Michael Roth , Wang , Liam Merwick , Isaku Yamahata Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-4.8 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 10 Oct 2023 15:22:40 -0700 (PDT) On Thu, Oct 5, 2023 at 3:46=E2=80=AFPM Sean Christopherson wrote: > > On Thu, Oct 05, 2023, Anish Moorthy wrote: > > On Tue, Oct 3, 2023 at 4:46=E2=80=AFPM Sean Christopherson wrote: > > > > > > The only way a KVM_EXIT_MEMORY_FAULT that actually reaches userspace = could be > > > "unreliable" is if something other than a memory_fault exit clobbered= the union, > > > but didn't signal its KVM_EXIT_* reason. And that would be an egregi= ous bug that > > > isn't unique to KVM_EXIT_MEMORY_FAULT, i.e. the same data corruption = would affect > > > each and every other KVM_EXIT_* reason. > > > > Keep in mind the case where an "unreliable" annotation sets up a > > KVM_EXIT_MEMORY_FAULT, KVM_RUN ends up continuing, then something > > unrelated comes up and causes KVM_RUN to EFAULT. Although this at > > least is a case of "outdated" information rather than blatant > > corruption. > > Drat, I managed to forget about that. > > > IIRC the last time this came up we said that there's minimal harm in > > userspace acting on the outdated info, but it seems like another good > > argument for just restricting the annotations to paths we know are > > reliable. What if the second EFAULT above is fatal (as I understand > > all are today) and sets up subsequent KVM_RUNs to crash and burn > > somehow? Seems like that'd be a safety issue. > > For your series, let's omit > > KVM: Annotate -EFAULTs from kvm_vcpu_read/write_guest_page > > and just fill memory_fault for the page fault paths. That will be easier= to > document too since we can simply say that if the exit reason is KVM_EXIT_= MEMORY_FAULT, > then run->memory_fault is valid and fresh. +1 And from a performance perspective, I don't think we care about kvm_vcpu_read/write_guest_page(). Our (Google) KVM Demand Paging implementation just sends any kvm_vcpu_read/write_guest_page() requests through the netlink socket, which is just a poor man's userfaultfd. So I think we'll be fine sending these callsites through uffd instead of exiting out to userspace. And with that out of the way, is there any reason to keep tying KVM_EXIT_MEMORY_FAULT to -EFAULT? As mentioned in the patch at the top of this thread, -EFAULT is just a hack to allow the emulator paths to return out to userspace. But that's no longer necessary. I just find it odd that some KVM_EXIT_* correspond with KVM_RUN returning an error and others don't. The exit_reason is sufficient to tell userspace what's going on and has a firm contract, unlike -EFAULT which anything KVM calls into can return. > > Adding a flag or whatever to mark the data as trustworthy would be the al= ternative, > but that's effectively adding ABI that says "KVM is buggy, sorry". > > My dream of having KVM always return useful information for -EFAULT will = have to > wait for another day.