From patchwork Tue May 7 18:07:21 2024
X-Patchwork-Submitter: Paolo Bonzini
X-Patchwork-Id: 13657517
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: vbabka@suse.cz, isaku.yamahata@intel.com, xiaoyao.li@intel.com, binbin.wu@linux.intel.com, seanjc@google.com, rick.p.edgecombe@intel.com, michael.roth@amd.com, yilun.xu@intel.com, Matthew Wilcox, linux-mm@kvack.org
Subject: [PATCH 1/9] mm: Introduce AS_INACCESSIBLE for encrypted/confidential memory
Date: Tue, 7 May 2024 14:07:21 -0400
Message-ID: <20240507180729.3975856-2-pbonzini@redhat.com>
In-Reply-To: <20240507180729.3975856-1-pbonzini@redhat.com>
References: <20240507180729.3975856-1-pbonzini@redhat.com>

From: Michael Roth

filemap users like guest_memfd may use page cache pages to allocate/manage memory that is only intended to be accessed by guests via hardware protections like encryption. Writes to memory of this sort in common paths like truncation may cause unexpected behavior such as writing garbage instead of zeros when attempting to zero pages, or worse, triggering hardware protections that are considered fatal as far as the kernel is concerned.

Introduce a new address_space flag, AS_INACCESSIBLE, and use this initially to prevent zero'ing of pages during truncation, with the understanding that it is up to the owner of the mapping to handle this specially if needed.

This is admittedly a rather blunt solution, but it seems like there are no other places that should take into account the flag to keep its promise.

Link: https://lore.kernel.org/lkml/ZR9LYhpxTaTk6PJX@google.com/
Cc: Matthew Wilcox
Cc: linux-mm@kvack.org
Suggested-by: Sean Christopherson
Signed-off-by: Michael Roth
Message-ID: <20240329212444.395559-5-michael.roth@amd.com>
Acked-by: Vlastimil Babka
Signed-off-by: Paolo Bonzini
---
 include/linux/pagemap.h | 1 +
 mm/truncate.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h index 2df35e65557d..f879c1d54da7 100644 --- a/include/linux/pagemap.h 
+++ b/include/linux/pagemap.h @@ -207,6 +207,7 @@ enum mapping_flags { AS_STABLE_WRITES, /* must wait for writeback before modifying folio contents */ AS_UNMOVABLE, /* The mapping cannot be moved, ever */ + AS_INACCESSIBLE, /* Do not attempt direct R/W access to the mapping */ }; /** diff --git a/mm/truncate.c b/mm/truncate.c index 725b150e47ac..c501338c7ebd 100644 --- a/mm/truncate.c +++ b/mm/truncate.c @@ -233,7 +233,8 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) * doing a complex calculation here, and then doing the zeroing * anyway if the page split fails. */ - folio_zero_range(folio, offset, length); + if (!(folio->mapping->flags & AS_INACCESSIBLE)) + folio_zero_range(folio, offset, length); if (folio_has_private(folio)) folio_invalidate(folio, offset, length);
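
Review bot: The comment on the new AS_INACCESSIBLE enumerator in the include/linux/pagemap.h hunk promises more than this patch enforces. "Do not attempt direct R/W access to the mapping" reads as a general guarantee, but the only consumer visible here is the zeroing call in truncate_inode_partial_folio(). Suggest wording the comment to say which path honours the flag today and that the mapping owner is responsible for any zeroing it causes to be skipped, so a later reader does not assume other page cache paths already check it.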
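
Review bot: In the mm/truncate.c hunk, `folio->mapping->flags & AS_INACCESSIBLE` masks the flags word with the enumerator itself. The pagemap.h hunk adds AS_INACCESSIBLE as a plain member of enum mapping_flags with no explicit value, directly after AS_UNMOVABLE, so it is a bit number and not a bit mask; the AND tests whichever bits make up that number. A wrong result here either zeroes protected memory, which is the fault the commit message sets out to avoid, or leaves the truncated range unzeroed on an ordinary mapping. Suggest `test_bit(AS_INACCESSIBLE, &folio->mapping->flags)`, ideally behind a small accessor so later callers do not repeat the open-coded test.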