Sean Christopherson <seanjc@xxxxxxxxxx> writes: > Paolo, > > The arm64 patches have been Reviewed-by Marc, and AFAICT the x86 side of > things is a go. Barring a screwup on my end, this just needs your approval. > > Assuming everything looks good, it'd be helpful to get this into kvm/next > shortly after rc1. The x86 Kconfig changes in particular create semantic > conflicts with in-flight series. > > > Add support for host userspace mapping of guest_memfd-backed memory for VM > types that do NOT use support KVM_MEMORY_ATTRIBUTE_PRIVATE (which isn't > precisely the same thing as CoCo VMs, since x86's SEV-MEM and SEV-ES have > no way to detect private vs. shared). > > mmap() support paves the way for several evolving KVM use cases: > > * Allows VMMs like Firecracker to run guests entirely backed by > guest_memfd [1]. This provides a unified memory management model for > both confidential and non-confidential guests, simplifying VMM design. > > * Enhanced Security via direct map removal: When combined with Patrick's > series for direct map removal [2], this provides additional hardening > against Spectre-like transient execution attacks by eliminating the > need for host kernel direct maps of guest memory. > > * Lays the groundwork for *restricted* mmap() support for guest_memfd-backed > memory on CoCo platforms [3] that permit in-place > sharing of guest memory with the host. > > Based on kvm/queue. > > [1] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hiding > [2] https://lore.kernel.org/all/20250221160728.1584559-1-roypat@xxxxxxxxxxxx > [3] https://lore.kernel.org/all/20250328153133.3504118-1-tabba@xxxxxxxxxx > > [...snip...] With this version, when guest_memfd memory is mmap-ed() and faulted to userspace, when there's a memory failure, the process does not get a SIGBUS. Specifically, this selftest fails with "MADV_HWPOISON should have triggered SIGBUS." diff --git i/tools/testing/selftests/kvm/guest_memfd_test.c w/tools/testing/selftests/kvm/guest_memfd_test.c index b86bf89a71e04..70ef75a23bb60 100644 --- i/tools/testing/selftests/kvm/guest_memfd_test.c +++ w/tools/testing/selftests/kvm/guest_memfd_test.c @@ -70,6 +70,10 @@ static void test_mmap_supported(int fd, size_t page_size, size_t total_size) ret = munmap(mem, total_size); TEST_ASSERT(!ret, "munmap() should succeed."); + + ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, 0, + total_size); + TEST_ASSERT(!ret, "Truncate the entire file (cleanup) should succeed."); } static sigjmp_buf jmpbuf; @@ -104,6 +108,47 @@ static void test_fault_overflow(int fd, size_t page_size, size_t total_size) ret = munmap(mem, map_size); TEST_ASSERT(!ret, "munmap() should succeed."); + + ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, 0, + total_size); + TEST_ASSERT(!ret, "Truncate the entire file (cleanup) should succeed."); +} + +static void test_memory_failure(int fd, size_t page_size, size_t total_size) +{ + struct sigaction sa_old, sa_new = { + .sa_handler = fault_sigbus_handler, + }; + void *memory_failure_addr; + char *mem; + int ret; + + mem = mmap(NULL, total_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + TEST_ASSERT(mem != MAP_FAILED, "mmap() for guest_memfd should succeed."); + + memset(mem, 0xaa, page_size); + + memory_failure_addr = mem + page_size; + sigaction(SIGBUS, &sa_new, &sa_old); + if (sigsetjmp(jmpbuf, 1) == 0) { + madvise(memory_failure_addr, page_size, MADV_HWPOISON); + TEST_ASSERT(false, "MADV_HWPOISON should have triggered SIGBUS."); + } + sigaction(SIGBUS, &sa_old, NULL); + + ret = munmap(mem, total_size); + TEST_ASSERT(!ret, "munmap() should succeed."); + + ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, 0, + total_size); + TEST_ASSERT(!ret, "Truncate the entire file (cleanup) should succeed."); } static void test_mmap_not_supported(int fd, size_t page_size, size_t total_size) @@ -286,6 +331,7 @@ static void test_guest_memfd(unsigned long vm_type) if (flags & GUEST_MEMFD_FLAG_MMAP) { test_mmap_supported(fd, page_size, total_size); test_fault_overflow(fd, page_size, total_size); + test_memory_failure(fd, page_size, total_size); } else { test_mmap_not_supported(fd, page_size, total_size); } Is this by design or should some new memory_failure handling be added?
