> > > >> Yan, Yilun, would it work if, on conversion, > > > >> > > > >> 1. guest_memfd notifies IOMMU that a conversion is about to happen for a > > > >> PFN range > > > > > > > > It is the Guest fw call to release the pinning. > > > > > > I see, thanks for explaining. > > > > > > > By the time VMM get the > > > > conversion requirement, the page is already physically unpinned. So I > > > > agree with Jason the pinning doesn't have to reach to iommu from SW POV. > > > > > > > > > > If by the time KVM gets the conversion request, the page is unpinned, > > > then we're all good, right? > > > > Yes, unless guest doesn't unpin the page first by mistake. > > Or maliciously? :-( Yes. > > My initial response to this was that this is a bug and we don't need to be > concerned with it. However, can't this be a DOS from one TD to crash the > system if the host uses the private page for something else and the > machine #MC's? I think we are already doing something to prevent vcpus from executing then destroy VM, so no further TD accessing. But I assume there is concern a TD could just leak a lot of resources, and we are investigating if host can reclaim them. Thanks, Yilun
