On Sat, Jun 17, 2023, Yu Zhang wrote: > > > > > and the backing page is being reclaimed in L0? I saw > > > nested_get_vmcs12_pages() will check vmcs12 and set the APIC access address > > > in VMCS02, but not sure if this routine will be triggered by the mmu > > > notifier... > > > > Pages from vmcs12 that are referenced by physical address in the VMCS are pinned > > (where "pinned" means KVM holds a reference to the page) by kvm_vcpu_map(). I.e. > > the page will not be migrated, and if userspace unmaps the page, userspace might > > break its VM, but that's true for any guest memory that userspace unexpectedly > > unmaps, and there won't be any no use-after-free issues. > > > Thanks, Sean. > > About the kvm_vcpu_map(), is it necessary for APIC access address? No, not strictly necessary. > L0 only needs to get its pfn, and does not care about the hva or struct page. Could > we just use gfn_to_pfn() to retrieve the pfn, and kvm_release_pfn_clean() to > unpin it later? Yep, that would suffice. The main reason I converted the APIC access page to use kvm_vcpu_map()[1] was that it was easiest way to play nice with struct page memory. I don't think this is worth doing right now, as the practical downside is really just that setups that hide memory from the kernel do an unnecessary memremap(). I'd much prefer to "fix" this wart when we (hopefully) overhaul all these APIs[2]. [1] fe1911aa443e ("KVM: nVMX: Use kvm_vcpu_map() to get/pin vmcs12's APIC-access page") [2] https://lore.kernel.org/all/ZGvUsf7lMkrNDHuE@xxxxxxxxxx