Am 29.03.23 um 19:39 schrieb Sean Christopherson:
On Wed, Mar 29, 2023, Christian K�nig wrote:
Am 29.03.23 um 19:22 schrieb Sean Christopherson:
+David
On Wed, Mar 29, 2023, Paolo Bonzini wrote:
On 3/29/23 18:43, Christian K�nig wrote:
3) other uses of kmap() must switch to MMU-notifier protection.
I would rather suggest to return the page additionally to the pfn from
hva_to_pfn() when the function was able to grab a reference to it.
When the page is then not available you can't call kmap() on that either.
If the DRM people are okay with SetPageReserved() as a temporary
hack, we can change or remove the WARN in kvm_is_zone_device_page(),
since that is what you are referring to in the commit message.
Adding Daniel for additional comments on this, but essentially we have
changed quite some infrastructure to make sure that everybody uses
VM_PFNMAP to prevent stuff like this from happening.
I would really prefer a proper solution in KVM instead.
Hmm... Now that I think about it that would be
https://lore.kernel.org/kvm/Yc4H+dGfK83BaGpC@xxxxxxxxxx/t/
Time to resurrect that work.
Ya. I had previously asked David to first eliminated the usage that isn't
protected by mmu_notifiers, but after seeing the resulting complexity, I had a
change of heart[2]. Can you weigh in on the latter thread, specifically my
proposal of using a module param to let the admin opt-in to "unsafe" kmap usage.
I don't think that this is something an admin should be able to decide.
Why not? Assuming the admin has CAP_SYS_ADMIN, they can reboot the host in a
myriad of ways. The idea with the KVM module param is to allow curated setups
where the userspace VMM is trusted to a large extent, e.g. AWS' Nitro, to opt-in
to the unsafe behavior. I.e. by enabling the flag, the admin is acknowledging
that bad things can happen if untrusted/compromised userspace gets ahold of
/dev/kvm.
Well exactly that's the point, you don't need untrusted/compromised
userspace the system could just go spontaneously into nirvana during
normal operation.
This would result in very very hard to debug problems since the issues
only happen rather rarely.
On the other hand why do you need the kmap() in the first place?
Regards,
Christian.
x86 system are rather grateful, but if you kmap() pages accessed by GPUs on
ARM the system might just reboot spontaneously.
FWIW, the dangers of an unsafe kmap() are arguably far worse than spontaneous
reboots, e.g. there's potential for use-after-free and possibly even write access
to arbitrary memory.