On Thu, Feb 13, 2020 at 09:13:35PM +0100, Christian Borntraeger wrote: > > On 13.02.20 20:56, Sean Christopherson wrote: > > On Mon, Feb 10, 2020 at 06:27:04PM +0100, Christian Borntraeger wrote: > > Am I missing a need to do this for the swap/reclaim case? Or is there a > > completely different use case I'm overlooking? > > This is actually to protect the host against a malicious user space. For > example a bad QEMU could simply start direct I/O on such protected memory. > We do not want userspace to be able to trigger I/O errors and thus we > implemented the logic to "whenever somebody accesses that page (gup) or > doing I/O, make sure that this page can be accessed. When the guest tries > to access that page we will wait in the page fault handler for writeback to > have finished and for the page_ref to be the expected value. Ah. I was assuming the pages would unmappable by userspace, enforced by some other mechanism > > > > Tangentially related, hooks here could be quite useful for sanity checking > > the kernel/KVM and/or debugging kernel/KVM bugs. Would it make sense to > > pass a param to arch_make_page_accessible() to provide some information as > > to why the page needs to be made accessible? > > Some kind of enum that can be used optionally to optimize things? Not just optimize, in the case above it'd probably preferable for us to reject a userspace mapping outright, e.g. return -EFAULT if called from gup()/follow(). Debug scenarios might also require differentiating between writeback and "other".
