Skip to content

[WIP] fix(vmm): Do not store UFFD handle in VMM #5341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

[WIP] fix(vmm): Do not store UFFD handle in VMM #5341

wants to merge 2 commits into from

Conversation

kalyazin
Copy link
Contributor

@kalyazin kalyazin commented Jul 31, 2025
edited
Loading

Changes

Do not store UFFD handle in VMM. The UFFD object gets dropped as soon as the last reference to it (in the handler) goes away.

Reason

This is required to make sure no further UFFD messages will be sent to the handler that is no longer available to avoid an infinite lockup.

This is relevant for Secret Free VMs, because the UFFD handler uses write instead of UFFDIO_COPY to prepopulate guest memory and is not required to preinstall userspace page tables while doing it.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • [ ] I have run tools/devtool checkbuild --all to verify that the PR passes
    build checks on all supported architectures.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • [ ] I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • [ ] I have mentioned all user-facing changes in CHANGELOG.md.
  • [ ] If a specific issue led to this PR, this PR closes the issue.
  • [ ] When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • [ ] I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • [ ] I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@codecov Codecov
Copy link

codecov bot commented Jul 31, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.91%. Comparing base (0c80a95) to head (84c4313).

Files with missing lines Patch % Lines
src/vmm/src/persist.rs 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@                    Coverage Diff                    @@
##           feature/secret-hiding    #5341      +/-   ##
=========================================================
- Coverage                  81.96%   81.91%   -0.06%     
=========================================================
  Files                        250      250              
  Lines                      27570    27571       +1     
=========================================================
- Hits                       22599    22584      -15     
- Misses                      4971     4987      +16
Flag Coverage Δ
5.10-c5n.metal 82.10% <50.00%> (-0.07%) ⬇️
5.10-m5n.metal 82.10% <50.00%> (-0.02%) ⬇️
5.10-m6a.metal 81.26% <50.00%> (-0.03%) ⬇️
5.10-m6g.metal 77.92% <50.00%> (-0.02%) ⬇️
5.10-m6i.metal 82.09% <50.00%> (-0.03%) ⬇️
5.10-m7a.metal-48xl 81.25% <50.00%> (-0.02%) ⬇️
5.10-m7g.metal 77.92% <50.00%> (-0.02%) ⬇️
5.10-m7i.metal-24xl 82.05% <50.00%> (-0.04%) ⬇️
5.10-m7i.metal-48xl 82.05% <50.00%> (-0.04%) ⬇️
5.10-m8g.metal-24xl 77.92% <50.00%> (-0.02%) ⬇️
5.10-m8g.metal-48xl 77.92% <50.00%> (-0.02%) ⬇️
6.1-c5n.metal 82.14% <50.00%> (-0.02%) ⬇️
6.1-m5n.metal 82.14% <50.00%> (-0.02%) ⬇️
6.1-m6a.metal 81.30% <50.00%> (-0.03%) ⬇️
6.1-m6g.metal 77.92% <50.00%> (-0.02%) ⬇️
6.1-m6i.metal 82.13% <50.00%> (-0.03%) ⬇️
6.1-m7a.metal-48xl 81.29% <50.00%> (-0.03%) ⬇️
6.1-m7g.metal 77.92% <50.00%> (-0.02%) ⬇️
6.1-m7i.metal-24xl 82.15% <50.00%> (-0.02%) ⬇️
6.1-m7i.metal-48xl 82.15% <50.00%> (-0.02%) ⬇️
6.1-m8g.metal-24xl 77.92% <50.00%> (-0.02%) ⬇️
6.1-m8g.metal-48xl 77.92% <50.00%> (-0.02%) ⬇️
6.16-c5n.metal 82.18% <50.00%> (-0.02%) ⬇️
6.16-m5n.metal 82.18% <50.00%> (-0.02%) ⬇️
6.16-m6a.metal 81.35% <50.00%> (-0.03%) ⬇️
6.16-m6g.metal 77.96% <50.00%> (-0.02%) ⬇️
6.16-m6i.metal 82.17% <50.00%> (-0.03%) ⬇️
6.16-m7a.metal-48xl 81.33% <50.00%> (-0.03%) ⬇️
6.16-m7g.metal 77.96% <50.00%> (-0.02%) ⬇️
6.16-m7i.metal-24xl 82.19% <50.00%> (-0.03%) ⬇️
6.16-m7i.metal-48xl 82.19% <50.00%> (-0.03%) ⬇️
6.16-m8g.metal-24xl 77.96% <50.00%> (-0.02%) ⬇️
6.16-m8g.metal-48xl 77.96% <50.00%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@roypat roypat force-pushed the feature/secret-hiding branch from e296ba2 to 0c80a95 Compare August 1, 2025 10:30
@kalyazin kalyazin force-pushed the kill_fault_all branch 2 times, most recently from bbb0dee to efff1a4 Compare August 1, 2025 10:55
@kalyazin kalyazin changed the title [WIP] fault_all_handler_exit Drop UFFD handle on handler disconnect Aug 1, 2025
@kalyazin kalyazin marked this pull request as ready for review August 1, 2025 11:26
@kalyazin kalyazin force-pushed the kill_fault_all branch 3 times, most recently from 5611b1f to 5775fb4 Compare August 1, 2025 11:30
kalyazin added 2 commits August 1, 2025 13:44
@kalyazin
fix(vmm): do not store uffd handle in vmm
32687f5 
This is to unregister all UFFD ranges when the UFFD handler is
disconnected so that no further UFFD message is sent if the handler is
not longer available.
@kalyazin
test(uffd): add test_fault_all_handler_exit
84c4313 
The test verifies that if the fault-all handler exits, the VM is still
functional.  THe test is mostly relevant to Secret Free VMs.

Signed-off-by: Nikita Kalyazin <[email protected]>
@kalyazin kalyazin changed the title Drop UFFD handle on handler disconnect fix(vmm): Do not store UFFD handle in VMM Aug 1, 2025
@kalyazin kalyazin marked this pull request as draft August 1, 2025 16:13
@kalyazin kalyazin changed the title fix(vmm): Do not store UFFD handle in VMM [WIP] fix(vmm): Do not store UFFD handle in VMM Aug 1, 2025
@kalyazin
Copy link
Contributor Author

kalyazin commented Aug 4, 2025

We can't do that for functional and security reasons, see the comment for test_malicious_handler.

@kalyazin kalyazin closed this Aug 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@kalyazin