From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 47532C77B71 for ; Fri, 14 Apr 2023 23:26:46 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id CD6D3900003; Fri, 14 Apr 2023 19:26:45 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id C87356B007D; Fri, 14 Apr 2023 19:26:45 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B4FFF900003; Fri, 14 Apr 2023 19:26:45 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id A5CD86B007B for ; Fri, 14 Apr 2023 19:26:45 -0400 (EDT) Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 695A51C62A9 for ; Fri, 14 Apr 2023 23:26:45 +0000 (UTC) X-FDA: 80681583570.27.8F3048C Received: from mail-yw1-f202.google.com (mail-yw1-f202.google.com [209.85.128.202]) by imf08.hostedemail.com (Postfix) with ESMTP id A4EDD160012 for ; Fri, 14 Apr 2023 23:26:43 +0000 (UTC) Authentication-Results: imf08.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b=bN9Dj47t; spf=pass (imf08.hostedemail.com: domain of 3MuE5ZAYKCAUxjfsohlttlqj.htrqnsz2-rrp0fhp.twl@flex--seanjc.bounces.google.com designates 209.85.128.202 as permitted sender) smtp.mailfrom=3MuE5ZAYKCAUxjfsohlttlqj.htrqnsz2-rrp0fhp.twl@flex--seanjc.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1681514803; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=9+CdS/YAmA5S1F/LB6OGsrwDYAK7DxTDkVw+gfhAepA=; b=HkruyTcPJKNBcmPymYV7MtC+l6U9o8ob2zrko4an3lBLaR2bFc/EHORB+GEJW04ANnkdEw rq6zV/9CREPHz14bWJal3DLOj1VkfOG9DC45l86OSSzKnwiLbnhEWE+hXJ8mdryIKEkL+J 4LS6VrGrkN9uj/WfmmK6VUu3NWfrzeo= ARC-Authentication-Results: i=1; imf08.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b=bN9Dj47t; spf=pass (imf08.hostedemail.com: domain of 3MuE5ZAYKCAUxjfsohlttlqj.htrqnsz2-rrp0fhp.twl@flex--seanjc.bounces.google.com designates 209.85.128.202 as permitted sender) smtp.mailfrom=3MuE5ZAYKCAUxjfsohlttlqj.htrqnsz2-rrp0fhp.twl@flex--seanjc.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1681514803; a=rsa-sha256; cv=none; b=jRM3HH3iidnuCwWrfMjro7b/ERDaIAtYCpea9ZHBiLpP3wIBt5AvXUfpy58Rm4oLttN0Ne IghwAyptRFfHlfb+vkTai3nNJrbF1M/5XIx3k6L65p2jXANwTrKevYCjgh1kCJb+dpp5i3 6dqL0cu49GW9hyb3tYGCoyKjcQAn9Pw= Received: by mail-yw1-f202.google.com with SMTP id 00721157ae682-54ee1fd7876so205174047b3.23 for ; Fri, 14 Apr 2023 16:26:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1681514803; x=1684106803; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=9+CdS/YAmA5S1F/LB6OGsrwDYAK7DxTDkVw+gfhAepA=; b=bN9Dj47tXXl1p0UF2MJFdSAVCfwn/7Zl+cOsjIPcr86N8glDbekHfW7p3TjLcoMTJ2 RprC6wFjoB2VfPQDQIf4CoVyXXY4t6NJ0hTenc3TSlt6vt/SvOi7kO5RId+CzR9TZmh4 TkpdZlxr766TnaQKMRbhEHNODBccapNyCEAvTTzYht3MGooljrpQhHuWrSC8uNroufFU DaRqnxvwUa14r7jmrqAvg5f/h8cCkpxmdAQkMQRx2J0RL4yCQiGy6fr43nsNMcMI73iq EO6WG1SmHtS9EZhxvgzHwQvJBgFbebGXwl+xFrtYGpke1LzwlzZKR3mFXTFXcEM6luYX bRjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681514803; x=1684106803; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=9+CdS/YAmA5S1F/LB6OGsrwDYAK7DxTDkVw+gfhAepA=; b=UzdaStf1uoOjQkPQW/HzVoyIqqLdeecRN6Txl0KRM1JCZarOw5fvgvewr+vYUaa0CG wtovJ9mB4d+nkvm2v5Oqp1ofCR+gD06NVTDdbXUvt3XW/wM0xJsGdydTAqKoTOTBJYrY GNSd9Wi9bXhRC2prT2Fy9/Fog5PdQbdqTUxYHdNmWTi7BlXt1WWWTVhL0ELTapMJs5rj phoSXtr6R+0Ja2tR52r7tsZJegrpSnJ41ySl8/Vjp76ppHraUUjiiCbjaBuh9ONtVjay FYSxyM/J9v6tj4R3hkDAquBvSkWsHslJ54mCZiPaQI7me74eiNnZdJf750T9N7kIY2/4 hL8Q== X-Gm-Message-State: AAQBX9fnuCxku9DpS1yqanBO5HlPJ0BDj8Ak3ZIsGFyMB53G7OyQ5sXg nhDUjinH7pt7f92+uvwOvlWiTLaYDQ4= X-Google-Smtp-Source: AKy350bfBVGyb8j5M296HHMJlDF+8v2QV+6OwIFFK8rNd9KmApATUdcntOjhB2WH/vHF6B11161fuLNJq1Q= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a0d:ec47:0:b0:54e:e490:d190 with SMTP id r7-20020a0dec47000000b0054ee490d190mr4836875ywn.4.1681514802680; Fri, 14 Apr 2023 16:26:42 -0700 (PDT) Date: Fri, 14 Apr 2023 16:26:41 -0700 In-Reply-To: Mime-Version: 1.0 References: Message-ID: Subject: Re: [PATCH v7 00/14] KVM: mm: fd-based approach for supporting KVM guest private memory From: Sean Christopherson To: Ackerley Tng Cc: brauner@kernel.org, kirill.shutemov@linux.intel.com, chao.p.peng@linux.intel.com, hughd@google.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, linux-doc@vger.kernel.org, qemu-devel@nongnu.org, linux-kselftest@vger.kernel.org, pbonzini@redhat.com, corbet@lwn.net, vkuznets@redhat.com, wanpengli@tencent.com, jmattson@google.com, joro@8bytes.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org, hpa@zytor.com, jlayton@kernel.org, bfields@fieldses.org, akpm@linux-foundation.org, shuah@kernel.org, rppt@kernel.org, steven.price@arm.com, mail@maciej.szmigiero.name, vbabka@suse.cz, vannapurve@google.com, yu.c.zhang@linux.intel.com, luto@kernel.org, jun.nakajima@intel.com, dave.hansen@intel.com, ak@linux.intel.com, david@redhat.com, aarcange@redhat.com, ddutile@redhat.com, dhildenb@redhat.com, qperret@google.com, michael.roth@amd.com, mhocko@suse.com, songmuchun@bytedance.com, pankaj.gupta@amd.com, linux-arch@vger.kernel.org, arnd@arndb.de, linmiaohe@huawei.com, naoya.horiguchi@nec.com, tabba@google.com, wei.w.wang@intel.com Content-Type: text/plain; charset="us-ascii" X-Stat-Signature: 4j7pjyki9gn15y6x9wttqqkeocq16a56 X-Rspam-User: X-Rspamd-Queue-Id: A4EDD160012 X-Rspamd-Server: rspam06 X-HE-Tag: 1681514803-770701 X-HE-Meta: U2FsdGVkX18U2v/IuxfG36g3NrHyDo920B1pjR3HOwf0rgKM0JHRmOQCTOC0fkioUPjSAqbrjAjpVDuQmL8ydnwj18sAU2Mwty5veSGcMkKzXU47hQWWajNoJtbZ304m947piNXhe0q13kT+KEEHjR23WhZ8vdNBdzX9Et+4dmT9qPxiDEKVYDWLAemu5LwfFpIv1g8drJf1S7yuGFH5cyF0SLkA6j+EgwEFcqQMh+HgBid/ZGt/sj8PGFPi1/QcHp4QS1D4BTc6p7fYXKiv1JcDbq86bnJUYu/aq2dvwUkD+ZSfXpQUb/LhAl0E2IJZ41jvGJBxUay+PJ6kRIcwVYi+0GQmAZ2tTZB3UiALzqXNBgq3opkST1odhkkgq4lFZog/PgYeum1xvPTM12T4osrj68wn/FKLE++wzVefRVeCwaC9AO9RcCIiDp1oMgmnxWYuivGkqhigHiNKOt2AKLYmQk4TKbRnzx6q1/8KSjpAP8poHSOQB/fvjv7wTEBpkicaiUdHiNT3D2hzNRksaswUkNsMZI0/ph0MHb5P3Xn+PoebfHk5bPPF+wQmtECpe/c6yle5NO5hpI+GNaXmsUO6k/z9xqANckpVmTZL4pXdINUXCuGsZFuqT5ClY0K3thwGP9z4843g/QMhrVHCwXZvhbONOyUIouBhG8X6xk42V2sEIuNrbS20FsE5XNmARhNOuW1jqZUDRHO8Yje5NdYse1cXkzWcirmMlX+uSeHznQosENhgRQ95beynoU3cC0cyAiT5RRaa7/appxASDc4a+ONW1UA8Y9usjK78PU+ncBcZUqTZcLrz8pkUGAfmaSuIVt8VP2810oDtLWHkpWjrZXXnNnAoHBrJwTf65xXuDRJ67WadBAU9aTjzrnbKLa2BgBj8vX2wRHWI/peFWLMLHARGXx4WlzKzowXfe3XmZqaeIX4oP3dDJnyY64y5krujwBY3SnYMQxwrHSg /TLSDiIo fXCs6E0FmSRl26tUYj51xPKpUtc8fCcu/DrsXLlvBTbUsZjSfcnJcIVFPFxGuMS7xf59Zj2sZqsKL6N/wOvGVRwPB18LQnzDurEdI1kF7OV7Vvdeo746wHDMX74saDrASQWsUqgjrGzf0YD5aAzjptGitHrzTBENPWAj040KTOu/2Ef44jIXqOLEVPetcfrVF7n5+T51woyTWbE/xTIWBSh2BGMU6BQxVkohYdCrqsWejx2LoOKi2B0dpuPwDhbrm1ci9CWVsR9BXaCcNWMFzmhb9crSaxop0BQKhZDh4ZbuNw1VXg6ZNtPsosp76LqTxE5sDexTnFKpGnEzhurXxaKx5D71QjZM7mA8k/+DuInytmlTNFUjfHFZ5wcIHwYXDeUo+pnPEfqI6Jo09PVDr+MgbCZ4u7QygTshEVkYYXBbdjvuC4mbrtyXjhuGgS8VpJx2T5DGww0huHusfpuQb9u1bCa1t6VjjHUdaEQoa4b5HJ7c2oxEIuG1nVMICb04DUhBBkjNDTwlgGW/6MZQPkY0gk8biq8ruUEikRsx64J7Rs1zIHQPhqX4og89XWZLcc/0iBoZtKNbzqLdqtwx1EX/V8uENSmnzkPgUVcR4U34tsVtH71Plh60MdQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Apr 14, 2023, Ackerley Tng wrote: > Sean Christopherson writes: > > > On Thu, Apr 13, 2023, Christian Brauner wrote: > > > * by a mount option to tmpfs that makes it act > > > in this restricted manner then you don't need an ioctl() and can get > > > away with regular open calls. Such a tmpfs instance would only create > > > regular, restricted memfds. > > > I'd prefer to not go this route, becuase IIUC, it would require relatively > > invasive changes to shmem code, and IIUC would require similar changes to > > other support backings in the future, e.g. hugetlbfs? And as above, I > > don't think any of the potential use cases need restrictedmem to be a > > uniquely identifiable mount. > > FWIW, I'm starting to look at extending restrictedmem to hugetlbfs and > the separation that the current implementation has is very helpful. Also > helps that hugetlbfs and tmpfs are structured similarly, I guess. > > > One of the goals (hopefully not a pipe dream) is to design restrictmem in > > such a way that extending it to support other backing types isn't terribly > > difficult. In case it's not obvious, most of us working on this stuff > > aren't filesystems experts, and many of us aren't mm experts either. The > > more we (KVM folks for the most part) can leverage existing code to do the > > heavy lifting, the better. > > > After giving myself a bit of a crash course in file systems, would > > something like the below have any chance of (a) working, (b) getting > > merged, and (c) being maintainable? > > > The idea is similar to a stacking filesystem, but instead of stacking, > > restrictedmem hijacks a f_ops and a_ops to create a lightweight shim around > > tmpfs. There are undoubtedly issues and edge cases, I'm just looking for a > > quick "yes, this might be doable" or a "no, that's absolutely bonkers, > > don't try it". > > Not an FS expert by any means, but I did think of approaching it this > way as well! > > "Hijacking" perhaps gives this approach a bit of a negative connotation. Heh, commandeer then. > I thought this is pretty close to subclassing (as in Object > Oriented Programming). When some methods (e.g. fallocate) are called, > restrictedmem does some work, and calls the same method in the > superclass. > > The existing restrictedmem code is a more like instantiating an shmem > object and keeping that object as a field within the restrictedmem > object. > > Some (maybe small) issues I can think of now: > > (1) > > One difficulty with this approach is that other functions may make > assumptions about private_data being of a certain type, or functions may > use private_data. > > I checked and IIUC neither shmem nor hugetlbfs use the private_data > field in the inode's i_mapping (also file's f_mapping). > > But there's fs/buffer.c which uses private_data, although those > functions seem to be used by FSes like ext4 and fat, not memory-backed > FSes. > > We can probably fix this if any backing filesystems of restrictedmem, > like tmpfs and future ones use private_data. Ya, if we go the route of poking into f_ops and stuff, I would want to add WARN_ON_ONCE() hardening of everything that restrictemem wants to "commandeer" ;-) > > static int restrictedmem_file_create(struct file *file) > > { > > struct address_space *mapping = file->f_mapping; > > struct restrictedmem *rm; > > > rm = kzalloc(sizeof(*rm), GFP_KERNEL); > > if (!rm) > > return -ENOMEM; > > > rm->backing_f_ops = file->f_op; > > rm->backing_a_ops = mapping->a_ops; > > rm->file = file; > > We don't really need to do this, since rm->file is already the same as > file, we could just pass the file itself when it's needed Aha! I was working on getting rid of it, but forgot to go back and do another pass. > > init_rwsem(&rm->lock); > > xa_init(&rm->bindings); > > > file->f_flags |= O_LARGEFILE; > > > file->f_op = &restrictedmem_fops; > > mapping->a_ops = &restrictedmem_aops; > > I think we probably have to override inode_operations as well, because > otherwise other methods would become available to a restrictedmem file > (like link, unlink, mkdir, tmpfile). Or maybe that's a feature instead > of a bug. I think we want those? What we want to restrict are operations that require read/write/execute access to the file, everything else should be ok. fallocate() is a special case because restrictmem needs to tell KVM to unmap the memory when a hole is punched. I assume ->setattr() needs similar treatment to handle ftruncate()? I'd love to hear Christian's input on this aspect of things. > > if (WARN_ON_ONCE(file->private_data)) { > > err = -EEXIST; > > goto err_fd; > > } > > Did you intend this as a check that the backing filesystem isn't using > the private_data field in the mapping? > > I think you meant file->f_mapping->private_data. Ya, sounds right. I should have added disclaimers that (a) I wrote this quite quickly and (b) it's compile tested only at this point. > On this note, we will probably have to fix things whenever any backing > filesystems need the private_data field. Yep. > > f = fdget_raw(mount_fd); > > if (!f.file) > > return -EBADF; ... > > /* > > * The filesystem must be mounted no-execute, executing from guest > > * private memory in the host is nonsensical and unsafe. > > */ > > if (!(mnt->mnt_sb->s_iflags & SB_I_NOEXEC)) > > goto out; Looking at this more closely, I don't think we need to require NOEXEC, things like like execve() should get squashed by virtue of not providing any read/write implementations. And dropping my misguided NOEXEC requirement means there's no reason to disallow using the kernel internal mount.