On 11/22/21 7:23 AM, Brijesh Singh wrote:
> Thank you for starting the thread; based on the discussion, I am keeping
> the current implementation as-is and *not* going with the auto
> conversion from private to shared. To summarize what we are doing in the
> current SNP series:
>
> - If userspace accesses guest private memory, it gets SIGBUS.
> - If kernel accesses[*] guest private memory, it does panic.

There's a subtlety here, though. There are really three *different*
kinds of kernel accesses that matter:

1. Kernel bugs. Kernel goes off and touches some guest private memory
   when it didn't mean to. Say, it runs off the end of a slab page and
   runs into a guest page. panic() is expected here.
2. Kernel accesses guest private memory via a userspace mapping, in a
   place where it is known to be accessing userspace and is prepared to
   fault. copy_to_user() is the most straightforward example. Kernel
   must *not* panic(). Returning an error to the syscall is a good way
   to handle these (if in a syscall).
3. Kernel accesses guest private memory via a kernel mapping. This one
   is tricky. These probably *do* result in a panic() today, but
   ideally shouldn't.

Could you explicitly clarify what the current behavior is?