On Wed, May 20, 2026, Fuad Tabba wrote: > On Thu, 7 May 2026 at 21:22, Ackerley Tng via B4 Relay > <[email protected]> wrote: > > > > From: Sean Christopherson <[email protected]> > > > > Implement kvm_gmem_get_memory_attributes() for guest_memfd to allow the KVM > > core and architecture code to query per-GFN memory attributes. > > > > kvm_gmem_get_memory_attributes() finds the memory slot for a given GFN and > > queries the guest_memfd file's to determine if the page is marked as > > private. > > > > If vm_memory_attributes is not enabled, there is no shared/private tracking > > at the VM level. Install the guest_memfd implementation as long as > > guest_memfd is enabled to give guest_memfd a chance to respond on > > attributes. > > > > guest_memfd should look up attributes regardless of whether this memslot is > > gmem-only since attributes are now tracked by gmem regardless of whether > > mmap() is enabled. > > > > Signed-off-by: Sean Christopherson <[email protected]> > > Co-developed-by: Ackerley Tng <[email protected]> > > Signed-off-by: Ackerley Tng <[email protected]> > > --- > > include/linux/kvm_host.h | 2 ++ > > virt/kvm/guest_memfd.c | 31 +++++++++++++++++++++++++++++++ > > virt/kvm/kvm_main.c | 3 +++ > > 3 files changed, 36 insertions(+) > > > > diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h > > index c5ba2cb34e45c..28a54298d27db 100644 > > --- a/include/linux/kvm_host.h > > +++ b/include/linux/kvm_host.h > > @@ -2557,6 +2557,8 @@ bool kvm_arch_post_set_memory_attributes(struct kvm > > *kvm, > > struct kvm_gfn_range *range); > > #endif /* CONFIG_KVM_VM_MEMORY_ATTRIBUTES */ > > > > +unsigned long kvm_gmem_get_memory_attributes(struct kvm *kvm, gfn_t gfn); > > + > > #ifdef CONFIG_KVM_GUEST_MEMFD > > int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot, > > gfn_t gfn, kvm_pfn_t *pfn, struct page **page, > > diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c > > index 5011d38820d0d..f055e058a3f28 100644 > > --- a/virt/kvm/guest_memfd.c > > +++ b/virt/kvm/guest_memfd.c > > @@ -509,6 +509,37 @@ static int kvm_gmem_mmap(struct file *file, struct > > vm_area_struct *vma) > > return 0; > > } > > > > +unsigned long kvm_gmem_get_memory_attributes(struct kvm *kvm, gfn_t gfn) > > +{ > > + struct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn); > > + struct inode *inode; > > + > > + /* > > + * If this gfn has no associated memslot, there's no chance of the > > gfn > > + * being backed by private memory, since guest_memfd must be used > > for > > + * private memory, and guest_memfd must be associated with some > > memslot. > > + */ > > + if (!slot) > > + return 0; > > + > > + CLASS(gmem_get_file, file)(slot); > > + if (!file) > > + return 0; > > + > > + inode = file_inode(file); > > + > > + /* > > + * Rely on the maple tree's internal RCU lock to ensure a > > + * stable result. This result can become stale as soon as the > > + * lock is dropped, so the caller _must_ still protect > > + * consumption of private vs. shared by checking > > + * mmu_invalidate_retry_gfn() under mmu_lock to serialize > > + * against ongoing attribute updates. > > + */ > > + return kvm_gmem_get_attributes(inode, kvm_gmem_get_index(slot, > > gfn)); > > +} > > Doesn't this imply that all consumers of kvm_mem_is_private() should > validate the result using mmu_lock and the invalidation sequence? > sev_handle_rmp_fault() calls kvm_mem_is_private() without holding > mmu_lock and without any retry mechanism. Is that a problem?
Yes, but my understanding is that sev_handle_rmp_fault() can tolerate false positives and false negatives. It's not optimal, but it's "fine", and already KVM's existing behavior, e.g. KVM gets the PFN and then smashes the RMP, without ensuring the PFN is fresh. Mike, is that all correct?
