Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5050680rdb; Tue, 12 Dec 2023 18:23:05 -0800 (PST) X-Google-Smtp-Source: AGHT+IF9RLFaiF+SWkCGhntslmQmJ5YtfvRt5S7QZH/LKFnChZiV0eUl3+pm6v6gMbLd5GSE9d59 X-Received: by 2002:a9d:6185:0:b0:6d9:e28c:28ef with SMTP id g5-20020a9d6185000000b006d9e28c28efmr6441305otk.55.1702434184974; Tue, 12 Dec 2023 18:23:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702434184; cv=none; d=google.com; s=arc-20160816; b=x5LdwICPoebF7ms39J7Tgzu6e/lYZuHQgBb+xjG8lyc3epCalFGerwlzSi7YRlpxOS jBmadiwTHRVmSt/QMDznpcurbWg0bckYCmiNIQ77JCK5idkUrNTISMRbNwJqQMNXC95U woqV4gTi6KPXxYITpY5njWebHvKtFY8aJzNcdow+S4lOhZy4lY42fnXVzb185CizSVAs ZQ0pNYYu/bNyevhusL2ROSho0SEpECSpLdb/InKznBW6xhKH0SzQ2efC+1rVP0Bklakq h5CvJYafYtIf2F6fkHB9S5Mxq6bWaoYF9mh1WSH52hA23lxy8q/OqCcrDmK34HSWejYN eMyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=H3dbLwG3pwrVNc+flPqWL0ROEahdeYkxOItBObS2igQ=; fh=AghDzVtIMQbD5leC+cJqzX02jv06w/vPh/87V9gVQzM=; b=HCSlZfcGgSBA8qbmJfkRUSzvoPtSI0fZ1Ea6zJ4Tq6QeVOY1/w1foK7mxFzpUeKwVr 3zagWZlHpYn4NRD/xnwSOfIsarKivI0o5l8pWfkEW7MhFJDGWJR2nfcO16/WrZUoWYGp 52x8U78lTjD2xMj1+wqV7yrbehcLN8SuBYa/9qRMUv+mSoro95fE2yaFRkap7buakR3v Z8jbuAFBXJ1KmRz02fI+wcK0/VUkRhet+JuzOWL1oI30aK/C2YAf1+exl3P/x/jwWgCl rVDIgCriprD7KUyP5q5jTY4uteJ3bmrSDIoTtzdoBn+iUf4gOnrPN/c8RgZvxZ3RW+6b 8h7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=JgIXZoDt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id eb14-20020a056a004c8e00b0068fe12b361dsi8761263pfb.249.2023.12.12.18.23.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Dec 2023 18:23:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=JgIXZoDt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 4BAA38076CA5; Tue, 12 Dec 2023 18:23:02 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378381AbjLMCWt (ORCPT + 99 others); Tue, 12 Dec 2023 21:22:49 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60360 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1378388AbjLMCWf (ORCPT ); Tue, 12 Dec 2023 21:22:35 -0500 Received: from mail-pj1-x1049.google.com (mail-pj1-x1049.google.com [IPv6:2607:f8b0:4864:20::1049]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E03719E for ; Tue, 12 Dec 2023 18:22:02 -0800 (PST) Received: by mail-pj1-x1049.google.com with SMTP id 98e67ed59e1d1-2869cdac540so3623361a91.0 for ; Tue, 12 Dec 2023 18:22:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1702434121; x=1703038921; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=H3dbLwG3pwrVNc+flPqWL0ROEahdeYkxOItBObS2igQ=; b=JgIXZoDtL3tsFLv7qXcdYmyIY4JX6Us/RJNjjPcsYQgoVqqPtWXuTdGM9ZM9epPRzL JCF0opJNtwOo9BeYMrPCVpoqRclCy0FykrgMtLYWTLnC0vAy7WAqSkqYF3O5Tg2Kqusi O/7Vsng5r+NqZ2Yi0yT3nnOnRWRUXV9P7P2qtPvOKmkgB0r2mik7SMgBkA7wFkvq4w1G h4EvY4rkTAzycB9gODo5QcqoH3NBJXYU/Kq0orHH9ATUmJFQoJOeg1H4zO3r32R1vVxM deZJfzg/fgVegdjMrBmw3nfKcNZOZ+UXuq81MVLAWMM0wVyCl94UDcWbT0lC4dcX+OtN 98Eg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702434121; x=1703038921; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=H3dbLwG3pwrVNc+flPqWL0ROEahdeYkxOItBObS2igQ=; b=Q0weWPhmOz/y9fggevMnDV661/lxPG1zSTItS127Wkiy9BJ99KFN2WfhM/tA7PBtjz 0KADVeSPj1HG5KaUmKI4ojDq6bI48TMEJaEQqUGCqIGJnE3UyrZ7Zw591gwZO9SsF0sD j6BktAZ+gFTdPko8AtwOkoVV+XU0bF0/gEuuReK4wXCNIcrrbTHouTKDwIw09fzLmVal bT8hXJRdx6/WeejY1lt3oiNB+Iy78mGPnMWuIts1o6AhudI97EgB8nRVYqWreEVNkgQH mT7tPllPZRIZrrbJHH5ol8ggXGN/3H6mILnZWn5ibttc9jRBxhuUrk8qft9Dc9ODIuYd Tdrw== X-Gm-Message-State: AOJu0Yy8zvz6Zbn75h7y623Qfs2dntu9tKV1yisN2UzAfjurcOFPK4qG QMidgX7KFRJj19pBvoJLMdXyR94Ft0w= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a17:903:41c9:b0:1d0:cd87:64dd with SMTP id u9-20020a17090341c900b001d0cd8764ddmr52067ple.3.1702434121579; Tue, 12 Dec 2023 18:22:01 -0800 (PST) Date: Tue, 12 Dec 2023 18:22:00 -0800 In-Reply-To: <20231203140756.GI1489931@ziepe.ca> Mime-Version: 1.0 References: <20230916003118.2540661-1-seanjc@google.com> <20230916003118.2540661-6-seanjc@google.com> <20230918152110.GI13795@ziepe.ca> <20230918160258.GL13795@ziepe.ca> <20231203140756.GI1489931@ziepe.ca> Message-ID: Subject: Re: [PATCH 05/26] vfio: KVM: Pass get/put helpers from KVM to VFIO, don't do circular lookup From: Sean Christopherson To: Jason Gunthorpe Cc: Catalin Marinas , Will Deacon , Marc Zyngier , Oliver Upton , Huacai Chen , Michael Ellerman , Anup Patel , Paul Walmsley , Palmer Dabbelt , Albert Ou , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Janosch Frank , Claudio Imbrenda , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, Peter Zijlstra , Arnaldo Carvalho de Melo , Paolo Bonzini , Tony Krowiak , Halil Pasic , Jason Herne , Harald Freudenberger , Alex Williamson , Andy Lutomirski , linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-mips@vger.kernel.org, kvm@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, Anish Ghulati , Venkatesh Srinivas , Andrew Thornton Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-8.4 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Tue, 12 Dec 2023 18:23:02 -0800 (PST) On Sun, Dec 03, 2023, Jason Gunthorpe wrote: > On Fri, Dec 01, 2023 at 04:51:55PM -0800, Sean Christopherson wrote: > > > There's one more wrinkle: this patch is buggy in that it doesn't ensure the liveliness > > of KVM-the-module, i.e. nothing prevents userspace from unloading kvm.ko while VFIO > > still holds a reference to a kvm structure, and so invoking ->put_kvm() could jump > > into freed code. To fix that, KVM would also need to pass along a module pointer :-( > > Maybe we should be refcounting the struct file not the struct kvm? > > Then we don't need special helpers and it keeps the module alive correctly. Huh. It took my brain a while to catch up, but this seems comically obvious in hindsight. I *love* this approach, both conceptually and from a code perspective. Handing VFIO (and any other external entities) a file makes it so that KVM effectively interacts with users via files, regardless of whether the user lives in userspace or the kernel. That makes it easier to reason about the safety of operations, e.g. in addition to ensuring KVM-the-module is pinned, having a file pointer allows KVM to verify that the incoming pointer does indeed represent a VM. Which isn't necessary by any means, but it's a nice sanity check. From a code perspective, it's far cleaner than manually grabbing module references, and having only a file pointers makes it a wee bit harder for non-KVM code to poke into KVM, e.g. keeps us honest. Assuming nothing blows up in testing, I'll go this route for v2. Thanks!