On Wed, May 28, 2025, Oliver Upton wrote:
> On Tue, May 06, 2025 at 05:05:50PM -0700, Sean Christopherson wrote:
> > > + if ((old_flags ^ new_flags) & KVM_MEM_USERFAULT &&
> > > + (change == KVM_MR_FLAGS_ONLY)) {
> > > + if (old_flags & KVM_MEM_USERFAULT)
> > > + kvm_mmu_recover_huge_pages(kvm, new);
> > > + else
> > > + kvm_arch_flush_shadow_memslot(kvm, old);
> >
> > The call to kvm_arch_flush_shadow_memslot() should definitely go in common code.
> > The fancy recovery logic is arch specific, but blasting the memslot when userfault
> > is toggled on is not.
>
> Not like anything in KVM is consistent but sprinkling translation
> changes / invalidations between arch and generic code feels
> error-prone.
Eh, leaving critical operations to arch code isn't exactly error free either :-)
> Especially if there isn't clear ownership of a particular flag, e.g. 0 -> 1
> transitions happen in generic code and 1 -> 0 happens in arch code.
The difference I see is that removing access to the memslot on 0=>1 is mandatory,
whereas any action on 1=>0 is not. So IMO it's not arbitrary sprinkling of
invalidations, it's deliberately putting the common, mandatory logic in generic
code, while leaving optional performance tweaks to arch code.
> Even in the case of KVM_MEM_USERFAULT, an architecture could potentially
> preserve the stage-2 translations but reap access permissions without
> modifying page tables / TLBs.
Yes, but that wouldn't be strictly unique to KVM_MEM_USERFAULT.
E.g. for NUMA balancing faults (or rather, the PROT_NONE conversions), KVM could
handle the mmu_notifier invalidations by removing access while keeping the PTEs,
so that faulting the memory back would be a lighter weight operation. Ditto for
reacting to other protection changes that come through mmu_notifiers.
If we want to go down that general path, my preference would be to put the control
logic in generic code, and then call dedicated arch APIs for removing protections.
> I'm happy with arch interfaces that clearly express intent (make this
> memslot inaccessible), then the architecture can make an informed
> decision about how to best achieve that. Otherwise we're always going to
> use the largest possible hammer potentially overinvalidate.
Yeah, definitely no argument there given x86's history in this area. Though if
we want to tackle that problem straightaway, I think I'd vote to add the
aforementioned dedicated APIs for removing protections, with a generic default
implementation that simply invokes kvm_arch_flush_shadow_memslot().
