Re: [PATCH v6 0/8] KVM: mm: fd-based approach for supporting KVM guest private memory
From: Sean Christopherson <seanjc@google.com>
Date: 2022-06-15 14:29:55
Also in:
kvm, linux-doc, linux-fsdevel, linux-mm, lkml, qemu-devel
On Wed, Jun 15, 2022, Chao Peng wrote:
On Tue, Jun 14, 2022 at 01:59:41PM -0700, Andy Lutomirski wrote:quoted
On Tue, Jun 14, 2022 at 12:09 PM Sean Christopherson [off-list ref] wrote:quoted
On Tue, Jun 14, 2022, Andy Lutomirski wrote:quoted
This patch series is fairly close to implementing a rather more efficient solution. I'm not familiar enough with hypervisor userspace to really know if this would work, but: What if shared guest memory could also be file-backed, either in the same fd or with a second fd covering the shared portion of a memslot? This would allow changes to the backing store (punching holes, etc) to be some without mmap_lock or host-userspace TLB flushes? Depending on what the guest is doing with its shared memory, userspace might need the memory mapped or it might not.That's what I'm angling for with the F_SEAL_FAULT_ALLOCATIONS idea. The issue, unless I'm misreading code, is that punching a hole in the shared memory backing store doesn't prevent reallocating that hole on fault, i.e. a helper process that keeps a valid mapping of guest shared memory can silently fill the hole. What we're hoping to achieve is a way to prevent allocating memory without a very explicit action from userspace, e.g. fallocate().Ah, I misunderstood. I thought your goal was to mmap it and prevent page faults from allocating.
I don't think you misunderstood, that's also one of the goals. The use case is that multiple processes in the host mmap() guest memory, and we'd like to be able to punch a hole without having to rendezvous with all processes and also to prevent an unintentional re-allocation.
I think we still need the mmap, but want to prevent allocating when userspace touches previously mmaped area that has never filled the page.
Yes, or if a chunk was filled at some point but then was removed via PUNCH_HOLE.
I don't have clear answer if other operations like read/write should be also prevented (probably yes). And only after an explicit fallocate() to allocate the page these operations would act normally.
I always forget about read/write. I believe reads should be ok, the semantics of holes are that they return zeros, i.e. can use ZERO_PAGE() and not allocate a new backing page. Not sure what to do about writes though. Allocating on direct writes might be ok for our use case, but that could also result in a rather wierd API.
quoted
It is indeed the case (and has been since before quite a few of us were born) that a hole in a sparse file is logically just a bunch of zeros. A way to make a file for which a hole is an actual hole seems like it would solve this problem nicely. It could also be solved more specifically for KVM by making sure that the private/shared mode that userspace programs is strict enough to prevent accidental allocations -- if a GPA is definitively private, shared, neither, or (potentially, on TDX only) both, then a page that *isn't* shared will never be accidentally allocated by KVM.KVM is clever enough to not allocate since it knows a GPA is shared or not. This case it's the host userspace that can cause the allocating and is too complex to check on every access from guest.
Yes, KVM is not in the picture at all. KVM won't trigger allocation, but KVM also is not in a position to prevent userspace from touching memory.
quoted
If the shared backing is not mmapped, it also won't be accidentally allocated by host userspace on a stray or careless write.As said above, mmap is still prefered, otherwise too many changes are needed for usespace VMM.
Forcing userspace to change doesn't bother me too much, the biggest concern is having to take mmap_lock for write in a per-host process.