Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp441982rdg;
        Tue, 10 Oct 2023 15:22:42 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGg6ziIrGvgHCnJ8Lj9UpTT+vEUMP1tRjP1lJyrHFvDHIaZZ9JO3v3kLPLc0GXUlpvZsVgi
X-Received: by 2002:a05:6830:6b91:b0:6bd:be5:daa2 with SMTP id dd17-20020a0568306b9100b006bd0be5daa2mr21250756otb.33.1696976562581;
        Tue, 10 Oct 2023 15:22:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696976562; cv=none;
        d=google.com; s=arc-20160816;
        b=sz8b4Tugf5HPxKjIRmQl2m/+xhXV5UHrIv8KwkEYyYTBpsH1bOaMyrtxaUSJm7tcpB
         DNZb36mGbVsnfKngzLEQ8dRcM5C38zjpDtK5B3+ujPiujTlSmMJ6yduX9E/HwffCeb6f
         5vSFblZ2ZqSCtCqUh/mLgtAX3qJBI7/fUl3IdIuwYqdCbD/b9yKnjDfIU7k78OD8Zk9X
         BepPwjAC0RmE9ZX5WW4x8/+xDo9cUbeCq+4VvXvAcgNQTwInhqB6pZImWH09vs+ewMKV
         DitsOMcns3x9JeD6nf9FolmO63fNeciQnzELo7evWRbaIwICToMSBUlnpYTQuMEtBGbN
         9fNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=AJR3kzvdFAtjI4futU9HjQ8SFStLu7+FAsB2B+oCyxc=;
        fh=z43y+hIeOHyp2LFVOKv61M3A+ibCSA5GxeC25mFvBSs=;
        b=Wt9opH41NX0WOT10b7Xe8I9nlkp0x/keXii2GvL/6fg/Jgk1z27U9el8A1jnnaavqA
         Bxtp8Bp0ASktnpoyJG3GjvEgX/qQwdHT/MUfIJZa5GBrkvDpP4rQv9by7kYIoob+BYiN
         Fdv4PnjPBK79UDG7WkQDc+bvF2SA7ieWdiK3Jq5t/EL7Kpl6T6MLShI2wEp04lSSn0bu
         Ntc+Roz6ERU3j6/hReFntYM0qSS4aU4EQKIwzS8G3yO1NkQiulIGFiIF4RFPjSXtwyr5
         /iRZSrtVyfd8JQVti+RRfJ26I4hxNfLAXRC4mwn2BOUBW2+YtRS8i8IeEWDMzOgjG/iC
         OFqw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=P1497PtI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33])
        by mx.google.com with ESMTPS id p21-20020a63c155000000b00578d1b590b0si11073742pgi.699.2023.10.10.15.22.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 10 Oct 2023 15:22:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20230601 header.b=P1497PtI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 2E09D81603B3;
	Tue, 10 Oct 2023 15:22:40 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229932AbjJJWWM (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Tue, 10 Oct 2023 18:22:12 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55924 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229769AbjJJWWK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Oct 2023 18:22:10 -0400
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49A6D8F
        for <linux-kernel@vger.kernel.org>; Tue, 10 Oct 2023 15:22:08 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id ffacd0b85a97d-32ccafde8e0so1078870f8f.1
        for <linux-kernel@vger.kernel.org>; Tue, 10 Oct 2023 15:22:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1696976527; x=1697581327; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=AJR3kzvdFAtjI4futU9HjQ8SFStLu7+FAsB2B+oCyxc=;
        b=P1497PtIUYMhMuqDYt+f1fy/SAiX1+io2/GSEU5Lpw1nRHbz3jOpH9m3TbB0pDGVr0
         Kxh2iaJSFJDG1MqBwDWS4bgO+GyFlFq3Wmz6xGwpRTOM7ZYYFIMl2hz6fGk8sbiSda9i
         LW84lpMhZLvalYnRXNeXgenIRcmyyy08xe62YwDC/nfksb5L/yVD0LvRPEDuqYtfGDg5
         dC1mBrVb108UKdlUK4XWkzOs77qLDiLPfnts8jm/mve4u40oUgZ1PjDUlIdL18LEazsW
         QUShs7mbCQa37y0WpO5TMgxCPhfVYaKfkrk3hqmW+mJY1C4IKjVD7VtPKu36sxanFROd
         IsRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696976527; x=1697581327;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=AJR3kzvdFAtjI4futU9HjQ8SFStLu7+FAsB2B+oCyxc=;
        b=JNSBZ+OnbRJ7wqpKGqcUYeYOqweeRtg5cVURghMWPYJO69rrP4PmJVNMmOFCGAgbeP
         nSw4EkecB5PnKxp+YbWyEduS7MySxOmuuYmwkjDKVDiWKWbTWEjJSlHBXxEUbBM30amV
         jqT0Vu7rtSb5ccQowi9OBJ/0ZeiKdww+dtSd1KTb4bgLrSwe1yOaJMDFfN7i3V4FwUvE
         nMLMdUPQ6slDyglQpUvED06aWiGbJKo2unyoJGi0Zf7kAIwrtop5BDiaKQBN6zs/xYZS
         QK+ZvI/GTSFT6sAAeOLKuqvmr1yWmMlX20AkcZQds6IB8oDqhOmW4llysmspOp4l82yQ
         lQuQ==
X-Gm-Message-State: AOJu0Yw/2ItCPVVQnuvbzE4XamnGG7UnSwpSZoB2DyqZyh+O6SAMPHu0
        +YH5/UguzHPTvSZelguxjFBUTAgCDb1s2+Frfj/UGQ==
X-Received: by 2002:a5d:56d0:0:b0:31c:5c77:48ec with SMTP id
 m16-20020a5d56d0000000b0031c5c7748ecmr15648255wrw.62.1696976526640; Tue, 10
 Oct 2023 15:22:06 -0700 (PDT)
MIME-Version: 1.0
References: <20230914015531.1419405-1-seanjc@google.com> <20230914015531.1419405-8-seanjc@google.com>
 <117db856-9aec-e91c-b1d4-db2b90ae563d@intel.com> <ZQ3AmLO2SYv3DszH@google.com>
 <CAF7b7mrf-y9DNdsreOAedGJueOThnYE=ascFd4=rvW0Z4rhTQg@mail.gmail.com>
 <ZRtxoaJdVF1C2Mvy@google.com> <CAF7b7mqyU059YpBBVYjTMNXf9VHSc6tbKrQ8avFXYtP6LWMh8Q@mail.gmail.com>
 <ZRyn0nPQpbVpz8ah@google.com> <CAF7b7mqYr0J-J2oaU=c-dzLys-m6Ttp7ZOb3Em7n1wUj3rhh+A@mail.gmail.com>
 <ZR88w9W62qsZDro-@google.com>
In-Reply-To: <ZR88w9W62qsZDro-@google.com>
From:   David Matlack <dmatlack@google.com>
Date:   Tue, 10 Oct 2023 15:21:37 -0700
Message-ID: <CALzav=csPcd3f5CYc=6Fa4JnsYP8UTVeSex0-7LvUBnTDpHxLQ@mail.gmail.com>
Subject: Re: [RFC PATCH v12 07/33] KVM: Add KVM_EXIT_MEMORY_FAULT exit to
 report faults to userspace
To:     Sean Christopherson <seanjc@google.com>
Cc:     Anish Moorthy <amoorthy@google.com>,
        Xiaoyao Li <xiaoyao.li@intel.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Marc Zyngier <maz@kernel.org>,
        Oliver Upton <oliver.upton@linux.dev>,
        Huacai Chen <chenhuacai@kernel.org>,
        Michael Ellerman <mpe@ellerman.id.au>,
        Anup Patel <anup@brainfault.org>, kvm@vger.kernel.org,
        kvmarm@lists.linux.dev, kvm-riscv@lists.infradead.org,
        linux-kernel@vger.kernel.org,
        Chao Peng <chao.p.peng@linux.intel.com>,
        Fuad Tabba <tabba@google.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Yu Zhang <yu.c.zhang@linux.intel.com>,
        Isaku Yamahata <isaku.yamahata@intel.com>,
        Xu Yilun <yilun.xu@intel.com>,
        Vlastimil Babka <vbabka@suse.cz>,
        Vishal Annapurve <vannapurve@google.com>,
        Ackerley Tng <ackerleytng@google.com>,
        Maciej Szmigiero <mail@maciej.szmigiero.name>,
        David Hildenbrand <david@redhat.com>,
        Quentin Perret <qperret@google.com>,
        Michael Roth <michael.roth@amd.com>,
        Wang <wei.w.wang@intel.com>,
        Liam Merwick <liam.merwick@oracle.com>,
        Isaku Yamahata <isaku.yamahata@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-4.8 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS,
	USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Tue, 10 Oct 2023 15:22:40 -0700 (PDT)

On Thu, Oct 5, 2023 at 3:46=E2=80=AFPM Sean Christopherson <seanjc@google.c=
om> wrote:
>
> On Thu, Oct 05, 2023, Anish Moorthy wrote:
> > On Tue, Oct 3, 2023 at 4:46=E2=80=AFPM Sean Christopherson <seanjc@goog=
le.com> wrote:
> > >
> > > The only way a KVM_EXIT_MEMORY_FAULT that actually reaches userspace =
could be
> > > "unreliable" is if something other than a memory_fault exit clobbered=
 the union,
> > > but didn't signal its KVM_EXIT_* reason.  And that would be an egregi=
ous bug that
> > > isn't unique to KVM_EXIT_MEMORY_FAULT, i.e. the same data corruption =
would affect
> > > each and every other KVM_EXIT_* reason.
> >
> > Keep in mind the case where an "unreliable" annotation sets up a
> > KVM_EXIT_MEMORY_FAULT, KVM_RUN ends up continuing, then something
> > unrelated comes up and causes KVM_RUN to EFAULT. Although this at
> > least is a case of "outdated" information rather than blatant
> > corruption.
>
> Drat, I managed to forget about that.
>
> > IIRC the last time this came up we said that there's minimal harm in
> > userspace acting on the outdated info, but it seems like another good
> > argument for just restricting the annotations to paths we know are
> > reliable. What if the second EFAULT above is fatal (as I understand
> > all are today) and sets up subsequent KVM_RUNs to crash and burn
> > somehow? Seems like that'd be a safety issue.
>
> For your series, let's omit
>
>   KVM: Annotate -EFAULTs from kvm_vcpu_read/write_guest_page
>
> and just fill memory_fault for the page fault paths.  That will be easier=
 to
> document too since we can simply say that if the exit reason is KVM_EXIT_=
MEMORY_FAULT,
> then run->memory_fault is valid and fresh.

+1

And from a performance perspective, I don't think we care about
kvm_vcpu_read/write_guest_page(). Our (Google) KVM Demand Paging
implementation just sends any kvm_vcpu_read/write_guest_page()
requests through the netlink socket, which is just a poor man's
userfaultfd. So I think we'll be fine sending these callsites through
uffd instead of exiting out to userspace.

And with that out of the way, is there any reason to keep tying
KVM_EXIT_MEMORY_FAULT to -EFAULT? As mentioned in the patch at the top
of this thread, -EFAULT is just a hack to allow the emulator paths to
return out to userspace. But that's no longer necessary. I just find
it odd that some KVM_EXIT_* correspond with KVM_RUN returning an error
and others don't. The exit_reason is sufficient to tell userspace
what's going on and has a firm contract, unlike -EFAULT which anything
KVM calls into can return.

>
> Adding a flag or whatever to mark the data as trustworthy would be the al=
ternative,
> but that's effectively adding ABI that says "KVM is buggy, sorry".
>
> My dream of having KVM always return useful information for -EFAULT will =
have to
> wait for another day.