From: Quentin Perret <qperret@google.com>
To: Christoph Hellwig <hch@infradead.org>,
Will Deacon <will@kernel.org>,
Chris Goldsworthy <quic_cgoldswo@quicinc.com>,
Android KVM <android-kvm@google.com>,
Patrick Daly <quic_pdaly@quicinc.com>,
Alex Elder <elder@linaro.org>,
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
Murali Nalajal <quic_mnalajal@quicinc.com>,
Trilok Soni <quic_tsoni@quicinc.com>,
Srivatsa Vaddagiri <quic_svaddagi@quicinc.com>,
Carl van Schaik <quic_cvanscha@quicinc.com>,
Philip Derrin <quic_pderrin@quicinc.com>,
Prakruthi Deepak Heragu <quic_pheragu@quicinc.com>,
Jonathan Corbet <corbet@lwn.net>,
Rob Herring <robh+dt@kernel.org>,
Krzysztof Kozlowski <krzysztof.kozlowski+dt@linaro.org>,
Conor Dooley <conor+dt@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Konrad Dybcio <konrad.dybcio@linaro.org>,
Bjorn Andersson <andersson@kernel.org>,
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>,
Fuad Tabba <tabba@google.com>,
Sean Christopherson <seanjc@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-arm-msm@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, devicetree@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: Re: Re: [PATCH v17 19/35] arch/mm: Export direct {un,}map functions
Date: Mon, 4 Mar 2024 13:10:48 +0000 [thread overview]
Message-ID: <ZeXIWBLVWzVycm0r@google.com> (raw)
In-Reply-To: <20240223071006483-0800.eberman@hu-eberman-lv.qualcomm.com>
On Friday 23 Feb 2024 at 16:37:23 (-0800), Elliot Berman wrote:
> On Thu, Feb 22, 2024 at 11:09:40PM -0800, Christoph Hellwig wrote:
> > On Thu, Feb 22, 2024 at 03:16:42PM -0800, Elliot Berman wrote:
> > > Firmware and hypervisor drivers can donate system heap memory to their
> > > respective firmware/hypervisor entities. Those drivers should unmap the
> > > pages from the kernel's logical map before doing so.
> > >
> > > Export can_set_direct_map, set_direct_map_invalid_noflush, and
> > > set_direct_map_default_noflush.
> >
> > Err, not they should not. And not using such super low-level interfaces
> > from modular code.
>
> Hi Cristoph,
>
> We've observed a few times that Linux can unintentionally access a page
> we've unmapped from host's stage 2 page table via an unaligned load from
> an adjacent page. The stage 2 is managed by Gunyah. There are few
> scenarios where even though we allocate and own a page from buddy,
> someone else could try to access the page without going through the
> hypervisor driver. One such instance we know about is
> load_unaligned_zeropad() via pathlookup_at() [1].
>
> load_unaligned_zeropad() could be called near the end of a page. If the
> next page isn't mapped by the kernel in the stage one page tables, then
> the access from to the unmapped page from load_unaligned_zeropad() will
> land in __do_kernel_fault(), call fixup_exception(), and fill the
> remainder of the load with zeroes. If the page in question is mapped in
> stage 1 but was unmapped from stage 2, then the access lands back in
> Linux in do_sea(), leading to a panic().
>
> Our preference would be to add fixup_exception() to S2 PTW errors for
> two reasons:
> 1. It's cheaper to do performance wise: we've already manipulated S2
> page table and prevent intentional access to the page because
> pKVM/Gunyah drivers know that access to the page has been lost.
> 2. Page-granular S1 mappings only happen on arm64 with rodata=full.
>
> In an off-list discussion with the Android pkvm folks, their preference
> was to have the pages unmapped from stage 1. I've gone with that
> approach to get started but welcome discussion on the best approach.
>
> The Android (downstream) implementation of arm64 pkvm is currently
> implementing a hack where s2 ptw faults are given back to the host as s1
> ptw faults (i.e. __do_kernel_fault() gets called and not do_sea()) --
> allowing the kernel to fixup the exception.
>
> arm64 pKVM will also face this issue when implementing guest_memfd or
> when donating more memory to the hyp for s2 page tables, etc. As far as
> I can tell, this isn't an issue for arm64 pKVM today because memory
> isn't being dynamically donated to the hypervisor.
FWIW pKVM already donates memory dynamically to the hypervisor, to store
e.g. guest VM metadata and page-tables, and we've never seen that
problem as far as I can recall.
A key difference is that pKVM injects a data abort back into the kernel
in case of a stage-2 fault, so the whole EXTABLE trick/hack in
load_unaligned_zeropad() should work fine out of the box.
As discussed offline, Gunyah injecting an SEA into the kernel is
questionable, but I understand that the architecture is a bit lacking in
this department, and that's probably the next best thing.
Could the Gunyah driver allocate from a CMA region instead? That would
surely simplify unmapping from EL1 stage-1 (similar to how drivers
usually donate memory to TZ).
Thanks,
Quentin
next prev parent reply other threads:[~2024-03-04 13:10 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-22 23:16 [PATCH v17 00/35] Drivers for Gunyah hypervisor Elliot Berman
2024-02-22 23:16 ` [PATCH v17 01/35] docs: gunyah: Introduce Gunyah Hypervisor Elliot Berman
2024-03-05 10:53 ` Pavan Kondeti
2024-03-07 15:37 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 02/35] dt-bindings: Add binding for gunyah hypervisor Elliot Berman
2024-02-22 23:16 ` [PATCH v17 03/35] gunyah: Common types and error codes for Gunyah hypercalls Elliot Berman
2024-02-22 23:16 ` [PATCH v17 04/35] virt: gunyah: Add hypercalls to identify Gunyah Elliot Berman
2024-02-22 23:16 ` [PATCH v17 05/35] virt: gunyah: Add hypervisor driver Elliot Berman
2024-02-23 21:10 ` Konrad Dybcio
2024-02-23 22:58 ` Elliot Berman
2024-02-23 23:46 ` Konrad Dybcio
2024-03-07 15:38 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 06/35] virt: gunyah: msgq: Add hypercalls to send and receive messages Elliot Berman
2024-02-22 23:16 ` [PATCH v17 07/35] gunyah: rsc_mgr: Add resource manager RPC core Elliot Berman
2024-03-07 15:38 ` Srivatsa Vaddagiri
2024-03-07 16:41 ` Elliot Berman
2024-02-22 23:16 ` [PATCH v17 08/35] gunyah: vm_mgr: Introduce basic VM Manager Elliot Berman
2024-03-07 15:39 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 09/35] gunyah: rsc_mgr: Add VM lifecycle RPC Elliot Berman
2024-03-07 15:39 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 10/35] gunyah: vm_mgr: Add VM start/stop Elliot Berman
2024-03-11 5:38 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 11/35] virt: gunyah: Translate gh_rm_hyp_resource into gunyah_resource Elliot Berman
2024-03-11 5:39 ` Srivatsa Vaddagiri
2024-03-11 17:19 ` Elliot Berman
2024-04-05 3:10 ` Pavan Kondeti
2024-04-05 15:18 ` Elliot Berman
2024-02-22 23:16 ` [PATCH v17 12/35] virt: gunyah: Add resource tickets Elliot Berman
2024-03-11 5:38 ` Srivatsa Vaddagiri
2024-03-11 17:13 ` Elliot Berman
2024-02-22 23:16 ` [PATCH v17 13/35] gunyah: vm_mgr: Add framework for VM Functions Elliot Berman
2024-03-13 9:20 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 14/35] virt: gunyah: Add hypercalls for running a vCPU Elliot Berman
2024-03-13 9:21 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 15/35] virt: gunyah: Add proxy-scheduled vCPUs Elliot Berman
2024-03-13 9:21 ` Srivatsa Vaddagiri
2024-04-24 9:39 ` Srivatsa Vaddagiri
2024-04-24 17:01 ` Elliot Berman
2024-02-22 23:16 ` [PATCH v17 16/35] gunyah: Add hypercalls for demand paging Elliot Berman
2024-03-13 15:35 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 17/35] gunyah: rsc_mgr: Add memory parcel RPC Elliot Berman
2024-03-14 14:02 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 18/35] mm/interval_tree: Export iter_first/iter_next Elliot Berman
2024-02-22 23:16 ` [PATCH v17 19/35] arch/mm: Export direct {un,}map functions Elliot Berman
2024-02-23 7:09 ` Christoph Hellwig
2024-02-24 0:37 ` Elliot Berman
2024-02-26 11:06 ` Christoph Hellwig
2024-02-26 11:53 ` David Hildenbrand
2024-02-26 17:27 ` Elliot Berman
2024-02-27 9:49 ` David Hildenbrand
2024-03-01 1:35 ` Elliot Berman
2024-03-04 13:10 ` Quentin Perret [this message]
2024-03-04 23:37 ` Elliot Berman
2024-03-05 15:30 ` Quentin Perret
2024-03-05 20:26 ` Elliot Berman
2024-03-06 12:05 ` Quentin Perret
2024-03-08 19:55 ` Elliot Berman
2024-02-22 23:16 ` [PATCH v17 20/35] virt: gunyah: Add interfaces to map memory into guest address space Elliot Berman
2024-02-22 23:16 ` [PATCH v17 21/35] gunyah: rsc_mgr: Add platform ops on mem_lend/mem_reclaim Elliot Berman
2024-02-22 23:16 ` [PATCH v17 22/35] virt: gunyah: Add Qualcomm Gunyah platform ops Elliot Berman
2024-02-22 23:16 ` [PATCH v17 23/35] virt: gunyah: Implement guestmemfd Elliot Berman
2024-02-22 23:16 ` [PATCH v17 24/35] virt: gunyah: Add ioctl to bind guestmem to VMs Elliot Berman
2024-02-22 23:16 ` [PATCH v17 25/35] virt: gunyah: guestmem: Initialize RM mem parcels from guestmem Elliot Berman
2024-02-22 23:16 ` [PATCH v17 26/35] virt: gunyah: Share guest VM dtb configuration to Gunyah Elliot Berman
2024-02-22 23:16 ` [PATCH v17 27/35] gunyah: rsc_mgr: Add RPC to enable demand paging Elliot Berman
2024-02-22 23:16 ` [PATCH v17 28/35] virt: gunyah: Enable " Elliot Berman
2024-02-22 23:16 ` [PATCH v17 29/35] gunyah: rsc_mgr: Add RPC to set VM boot context Elliot Berman
2024-03-14 14:02 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 30/35] virt: gunyah: Allow userspace to initialize context of primary vCPU Elliot Berman
2024-03-14 14:03 ` Srivatsa Vaddagiri
2024-02-22 23:16 ` [PATCH v17 31/35] virt: gunyah: Add hypercalls for sending doorbell Elliot Berman
2024-02-22 23:16 ` [PATCH v17 32/35] virt: gunyah: Add irqfd interface Elliot Berman
2024-02-22 23:16 ` [PATCH v17 33/35] virt: gunyah: Add IO handlers Elliot Berman
2024-02-22 23:16 ` [PATCH v17 34/35] virt: gunyah: Add ioeventfd Elliot Berman
2024-02-22 23:16 ` [PATCH v17 35/35] MAINTAINERS: Add Gunyah hypervisor drivers section Elliot Berman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZeXIWBLVWzVycm0r@google.com \
--to=qperret@google.com \
--cc=akpm@linux-foundation.org \
--cc=andersson@kernel.org \
--cc=android-kvm@google.com \
--cc=catalin.marinas@arm.com \
--cc=conor+dt@kernel.org \
--cc=corbet@lwn.net \
--cc=devicetree@vger.kernel.org \
--cc=dmitry.baryshkov@linaro.org \
--cc=elder@linaro.org \
--cc=hch@infradead.org \
--cc=konrad.dybcio@linaro.org \
--cc=krzysztof.kozlowski+dt@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=quic_cgoldswo@quicinc.com \
--cc=quic_cvanscha@quicinc.com \
--cc=quic_mnalajal@quicinc.com \
--cc=quic_pdaly@quicinc.com \
--cc=quic_pderrin@quicinc.com \
--cc=quic_pheragu@quicinc.com \
--cc=quic_svaddagi@quicinc.com \
--cc=quic_tsoni@quicinc.com \
--cc=robh+dt@kernel.org \
--cc=seanjc@google.com \
--cc=srinivas.kandagatla@linaro.org \
--cc=tabba@google.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).