Re: [PATCH v8 23/46] KVM: TDX: Make source page optional for KVM_TDX_INIT_MEM_REGION
From: Yan Zhao <hidden>
Date: 2026-06-30 02:09:39
Also in:
kvm, linux-doc, linux-kselftest, linux-mm, linux-trace-kernel, lkml
On Mon, Jun 29, 2026 at 05:00:02PM -0700, Ackerley Tng wrote:
quoted
quoted
quoted
The original uAPI did not explicitly define 0 as an invalid uaddr. Whether 0 was rejected depended on whether the user mmap()'d address 0. If 0 was a valid mapping, populate() could proceed. commit 2a62345b3052 ("KVM: guest_memfd: GUP source pages prior to populating guest memory") changed the behavior though. It would return -EOPNOTSUPP for a 0 uaddr.I see, I only looked at this after commit 2a62345b3052.quoted
But if a user configures 0 uaddr as valid, writes to it, and then passes 0 as source_addr(not from gmem), I'm not sure if it's good for the kernel to silently treat 0 uaddr as an identifier for in-place copy from the private PFN in gmem.I'd say the original uAPI perhaps just didn't document 0 as an unsupported uaddr. Given that commit 2a62345b3052 already merged, uAPI was perhaps accidentally changed and no customer complained, I think we can move forward with 0 as an invalid src_address? I wouldn't think anyone relies on 0 intentionally being a valid address. I could document that, if it helps?What about just documenting that 0 is an unsupported uaddr which will be re-purposed as an indicator to use the target pfn as the source, regardless of whether gmem_in_place_conversion is true? i.e., if (!src_page) src_page = pfn_to_page(pfn); I don't get why the two scenarios should be treated differently: 1. gmem_in_place_conversion==true, shared memory is not from gmem 2. gmem_in_place_conversion==false, shared memory is not from gmem In both case, a 0 uaddr could be mapped to a valid page not from gmem.This is true, but this check isn't about whether the page is from gmem.
Hmm. TDX's in-place add does not rely on gmem in-place conversion, which means when gmem_in_place_conversion==false, TDX's in-place add can still be successful. Since checking gmem_in_place_conversion==true also can't guarantee the share memory is from gmem, it makes me feel odd to reject scenario 2 while turning scenario 1 to in-place add.
quoted
So why not update the uAPI to handle both cases consistently? :)Wait, but before this series, if region.src_address = 0, src_page = NULL and that's not supported so it returns -EOPNOTSUPP.
As in our previous discussion, no customer complaining about the previous change to -EOPNOTSUPP means no one uses 0 uaddr today.
If that's dropped, then suddenly if region.src_address = 0 and
!gmem_in_place_conversion, tdx_gmem_post_populate() will now load the
memory (zeroed) after [1] into the guest? I don't think we want to
change that behavior.
I could document that 0 is an unsupported uaddr only for TDX, and only
when gmem_in_place_conversion = false.
Since it is unsupported only when gmem_in_place_conversion = false, the
check two lines marked with <<==== can't go away?
if (!src_page) {
if (!gmem_in_place_conversion) <<====
return -EOPNOTSUPP; <<====This rejecting scenario 2.
src_page = pfn_to_page(pfn);
This turning scenario 1 to in-place add.
} Also, for SNP, src_address == 0 is permitted (and desired, I believe, to avoid a pointless kernel memcpy) if the type of population is KVM_SEV_SNP_PAGE_TYPE_ZERO.quoted
quoted
quoted
quoted
quoted
quoted
getting pfn" patch, ends up with the guest silently having a zero page? I think that would be found quite early in userspace VMM testing...[...snip...]