From: John Hubbard <jhubbard@nvidia.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
<linux-next@vger.kernel.org>, <akpm@linux-foundation.org>
Cc: <david@redhat.com>, <aarcange@redhat.com>, <linux-mm@kvack.org>,
<frankja@linux.ibm.com>, <sfr@canb.auug.org.au>,
<linux-kernel@vger.kernel.org>, <linux-s390@vger.kernel.org>,
Will Deacon <will@kernel.org>
Subject: Re: [RFC v1 2/2] mm/gup/writeback: add callbacks for inaccessible pages
Date: Fri, 28 Feb 2020 16:08:23 -0800 [thread overview]
Message-ID: <ff35804f-81ef-a245-01d9-1f9b525e3410@nvidia.com> (raw)
In-Reply-To: <2e3bf1a2-b672-68e0-97b6-42f08133e077@de.ibm.com>
On 2/28/20 8:08 AM, Christian Borntraeger wrote:
> Andrew,
>
> while patch 1 is a fixup for the FOLL_PIN work in your patch queue,
> I would really love to see this patch in 5.7. The exploitation code
> of kvm/s390 is in Linux next also scheduled for 5.7.
>
> Christian
>
> On 28.02.20 16:43, Claudio Imbrenda wrote:
>> With the introduction of protected KVM guests on s390 there is now a
>> concept of inaccessible pages. These pages need to be made accessible
>> before the host can access them.
>>
>> While cpu accesses will trigger a fault that can be resolved, I/O
>> accesses will just fail. We need to add a callback into architecture
>> code for places that will do I/O, namely when writeback is started or
>> when a page reference is taken.
>>
>> This is not only to enable paging, file backing etc, it is also
>> necessary to protect the host against a malicious user space. For
>> example a bad QEMU could simply start direct I/O on such protected
>> memory. We do not want userspace to be able to trigger I/O errors and
>> thus we the logic is "whenever somebody accesses that page (gup) or
I actually kind of like the sound of that: "We the logic of the kernel,
in order to form a more perfect computer..." :)
Probably this wording is what you want, though:
"thus the logic is "whenever somebody (gup) accesses that page or"
...
>> @@ -458,7 +457,6 @@ static struct page *follow_page_pte(struct vm_area_struct *vma,
>> }
>>
>> if (flags & FOLL_SPLIT && PageTransCompound(page)) {
>> - int ret;
>> get_page(page);
>> pte_unmap_unlock(ptep, ptl);
>> lock_page(page);
>> @@ -475,6 +473,14 @@ static struct page *follow_page_pte(struct vm_area_struct *vma,
>> page = ERR_PTR(-ENOMEM);
>> goto out;
>> }
>> + if (flags & FOLL_PIN) {
What about FOLL_GET? Unless your calling code has some sort of BUG_ON(flags & FOLL_GET),
I'm not sure it's a good idea to leave that case unhandled.
>> + ret = arch_make_page_accessible(page);
>> + if (ret) {
>> + unpin_user_page(page);
>> + page = ERR_PTR(ret);
>> + goto out;
>> + }
>> + }
>> if (flags & FOLL_TOUCH) {
>> if ((flags & FOLL_WRITE) &&
>> !pte_dirty(pte) && !PageDirty(page))
>> @@ -2143,6 +2149,13 @@ static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
>>
>> VM_BUG_ON_PAGE(compound_head(page) != head, page);
>>
>> + if (flags & FOLL_PIN) {
>> + ret = arch_make_page_accessible(page);
>> + if (ret) {
>> + unpin_user_page(page);
Same concern as above, about leaving FOLL_GET unhandled.
thanks,
--
John Hubbard
NVIDIA
next prev parent reply other threads:[~2020-02-29 0:08 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-28 15:43 [RFC v1 0/2] add callbacks for inaccessible pages Claudio Imbrenda
2020-02-28 15:43 ` [RFC v1 1/2] fixup for 9947ea2c1e608e32669d5caeb67b3e3fba3309e8 "mm/gup: track FOLL_PIN pages" Claudio Imbrenda
2020-02-28 15:45 ` Claudio Imbrenda
2020-02-28 15:43 ` [RFC v1 1/2] mm/gup: fixup for 9947ea2c1e608e32 " Claudio Imbrenda
2020-02-28 23:08 ` John Hubbard
2020-02-29 10:51 ` Claudio Imbrenda
2020-02-29 20:09 ` John Hubbard
2020-03-02 13:46 ` Michal Hocko
2020-02-28 15:43 ` [RFC v1 2/2] mm/gup/writeback: add callbacks for inaccessible pages Claudio Imbrenda
2020-02-28 16:08 ` Christian Borntraeger
2020-02-29 0:08 ` John Hubbard [this message]
2020-02-29 10:49 ` Claudio Imbrenda
2020-02-29 20:07 ` John Hubbard
2020-03-01 3:47 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ff35804f-81ef-a245-01d9-1f9b525e3410@nvidia.com \
--to=jhubbard@nvidia.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=borntraeger@de.ibm.com \
--cc=david@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=imbrenda@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-next@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).