From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Peter Xu <peterx@redhat.com>
Cc: Nikita Kalyazin <kalyazin@amazon.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Suren Baghdasaryan <surenb@google.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Vlastimil Babka <vbabka@suse.cz>,
Muchun Song <muchun.song@linux.dev>,
Mike Rapoport <rppt@kernel.org>, Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
James Houghton <jthoughton@google.com>,
Michal Hocko <mhocko@suse.com>,
David Hildenbrand <david@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Oscar Salvador <osalvador@suse.de>,
Axel Rasmussen <axelrasmussen@google.com>,
Ujwal Kundur <ujwal.kundur@gmail.com>
Subject: Re: [PATCH v2 1/4] mm: Introduce vm_uffd_ops API
Date: Thu, 3 Jul 2025 13:39:04 -0400 [thread overview]
Message-ID: <5ixvg4tnwj53ixh2fx26dxlctgqtayydqryqxhns6bwj3q3ies@6sttjti5dxt7> (raw)
In-Reply-To: <aGagpUkNogTxS7dk@x1.local>
* Peter Xu <peterx@redhat.com> [250703 11:24]:
> On Wed, Jul 02, 2025 at 10:00:51PM -0400, Liam R. Howlett wrote:
> > * Peter Xu <peterx@redhat.com> [250702 17:36]:
> > > On Wed, Jul 02, 2025 at 05:24:02PM -0400, Liam R. Howlett wrote:
> > > > That's because the entry point is from a function pointer, so [3] won't
> > > > help at all.
> > > >
> > > > It is recreating the situation that existed for the vma through the
> > > > vm_ops in mmap, but for uffd. And at a lower level (page tables). I do not
> > > > want to relive that experience.
> > > >
> > > > We are not doing this. It is for the benefit of everyone that we are
> > > > not doing this.
> > >
> > > Is the vma issue about "allowing vma->vm_flags to be modified anywhere"
> > > issue? Or is there a pointer to the issue being discussed if not?
> >
> > The issue is passing pointers of structs that are protected by locks or
> > ref counters into modules to do what they please.
> >
> > vma->vm_flags was an example of where we learned how wrong this can go.
> >
> > There is also the concern of the state of the folio on return from the
> > callback. The error handling gets messy quick.
> >
> > Now, imagine we have something that gets a folio, but then we find a
> > solution for contention of a lock or ref count (whatever is next), but
> > it doesn't work because the mm code has been bleeding into random
> > modules and we have no clue what that module is supposed to be doing, or
> > we can't make the necessary change because this module will break
> > userspace, or cause a performance decrease, or any other random thing
> > that we cannot work around without rewriting (probably suboptimally)
> > something we don't maintain.
> >
> > Again, these are examples of how this can go bad but not an exhaustive
> > list by any means.
> >
> > So the issue is with allowing modules to play with the folio and page
> > tables on their own.
>
> I understand the concern, however IMHO that's really why mm can be hard and
> important at the same time..
I'm glad you understand, but I think you do not understand the severity
of the concern and the repercussions.
These patches, as they exist today, are not going to be accepted.
I am not okay with it going in, and I don't see many saying differently.
I am not okay with you pushing for it any longer.
Several people have told you it is not a good idea, the people who have
to deal with the fallout of this when it goes bad - and it _will_ go
bad.
You have been given ample reasons why, technical reasons as well as real
examples of failures - and security bugs - that have resulted from the
exact same pattern in the exact same structure where you are reproducing
the patter.
Please stop trying to push this plan. It is a waste of time and energy.
We need a new plan.
>
> We definitely have driver code manipulating pgtables. We also have folios
> or pages that can be directly accessible from drivers.
>
> After all mm is the core function provider for those and there needs to be
> some API accessing them from outside.
But that's not what you are doing, you are handing out pointers and
expecting the modules to do the core function.
And the core function that was suggested in the example user already had
a ref counting issue. Bugs happen, but that sort of thing is going to
be difficult to find and it won't be the driver author hunting it down,
potentially under an embargo. And good luck validating what was done on
return from the module.
>
> I agree some protection would be nice, like what Suren did with the
> vm_flags using __private, even though it's unfortunate it only works with
> sparse not a warn/error when compiling, as vm_flags is not a pointer.
> OTOH, forbid exposing anything might be an overkill, IMHO. It stops mm
> from growing in healthy ways.
This isn't healthy, it is repeating the errors of the past and expecting
a different result.
This isn't about balance or forbidding any exposure, it's about finding
a less bug-prone way of getting your feature to work.
I'm not saying it's wrong TO do this. I'm saying these patches are the
wrong way OF doing this - from experience of dealing with the same
pattern.
Anyways, I am not spending more time fighting about this. Let me know
when you come up with an alternative approach.
Regards,
Liam
next prev parent reply other threads:[~2025-07-03 17:39 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-27 15:46 [PATCH v2 0/4] mm/userfaultfd: modulize memory types Peter Xu
2025-06-27 15:46 ` [PATCH v2 1/4] mm: Introduce vm_uffd_ops API Peter Xu
2025-06-29 8:50 ` Mike Rapoport
2025-07-02 19:30 ` Peter Xu
2025-06-30 10:15 ` Lorenzo Stoakes
2025-07-01 17:04 ` Suren Baghdasaryan
2025-07-02 15:40 ` Liam R. Howlett
2025-07-02 15:56 ` Lorenzo Stoakes
2025-07-02 17:08 ` Nikita Kalyazin
2025-07-02 17:39 ` Mike Rapoport
2025-07-02 19:46 ` Peter Xu
2025-07-03 17:48 ` Mike Rapoport
2025-07-04 9:34 ` David Hildenbrand
2025-07-04 14:59 ` Peter Xu
2025-07-04 19:39 ` Liam R. Howlett
2025-09-01 16:01 ` Nikita Kalyazin
2025-09-08 16:53 ` Liam R. Howlett
2025-09-16 20:05 ` Peter Xu
2025-09-17 15:29 ` Liam R. Howlett
2025-09-17 9:25 ` Mike Rapoport
2025-09-17 16:53 ` Liam R. Howlett
2025-09-18 8:37 ` Mike Rapoport
2025-09-18 16:47 ` Liam R. Howlett
2025-09-18 17:15 ` Nikita Kalyazin
2025-09-18 17:45 ` Lorenzo Stoakes
2025-09-18 17:53 ` David Hildenbrand
2025-09-18 18:20 ` Peter Xu
2025-09-18 19:43 ` Liam R. Howlett
2025-09-18 21:07 ` Peter Xu
2025-09-19 1:50 ` Liam R. Howlett
2025-09-19 14:16 ` Peter Xu
2025-09-19 14:34 ` Lorenzo Stoakes
2025-09-19 15:12 ` Peter Xu
2025-09-19 19:38 ` Liam R. Howlett
2025-09-22 16:33 ` Peter Xu
2025-09-22 17:20 ` David Hildenbrand
2025-09-22 18:03 ` Peter Xu
2025-09-18 17:54 ` Liam R. Howlett
2025-09-18 18:05 ` Mike Rapoport
2025-09-18 18:32 ` Liam R. Howlett
2025-09-18 19:32 ` Peter Xu
2025-09-19 9:05 ` Mike Rapoport
2025-09-16 19:55 ` Peter Xu
2025-09-19 17:22 ` Liam R. Howlett
2025-09-22 16:38 ` Peter Xu
2025-07-02 21:24 ` Liam R. Howlett
2025-07-02 21:36 ` Peter Xu
2025-07-03 2:00 ` Liam R. Howlett
2025-07-03 15:24 ` Peter Xu
2025-07-03 16:15 ` Lorenzo Stoakes
2025-07-03 17:39 ` Liam R. Howlett [this message]
2025-07-02 20:24 ` Peter Xu
2025-07-03 16:32 ` Lorenzo Stoakes
2025-07-02 18:16 ` Mike Rapoport
2025-07-02 20:22 ` Peter Xu
2025-07-03 15:01 ` Suren Baghdasaryan
2025-07-03 15:45 ` Peter Xu
2025-07-03 16:01 ` Lorenzo Stoakes
2025-06-27 15:46 ` [PATCH v2 2/4] mm/shmem: Support " Peter Xu
2025-06-29 8:51 ` Mike Rapoport
2025-06-27 15:46 ` [PATCH v2 3/4] mm/hugetlb: " Peter Xu
2025-06-29 8:52 ` Mike Rapoport
2025-06-27 15:46 ` [PATCH v2 4/4] mm: Apply vm_uffd_ops API to core mm Peter Xu
2025-06-29 8:55 ` Mike Rapoport
2025-07-02 20:38 ` Peter Xu
2025-06-30 10:29 ` [PATCH v2 0/4] mm/userfaultfd: modulize memory types Lorenzo Stoakes
2025-07-01 0:15 ` Andrew Morton
2025-07-02 20:36 ` Peter Xu
2025-07-03 15:55 ` Lorenzo Stoakes
2025-07-03 16:26 ` Peter Xu
2025-07-03 16:44 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5ixvg4tnwj53ixh2fx26dxlctgqtayydqryqxhns6bwj3q3ies@6sttjti5dxt7 \
--to=liam.howlett@oracle.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=axelrasmussen@google.com \
--cc=david@redhat.com \
--cc=hughd@google.com \
--cc=jthoughton@google.com \
--cc=kalyazin@amazon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mhocko@suse.com \
--cc=muchun.song@linux.dev \
--cc=osalvador@suse.de \
--cc=peterx@redhat.com \
--cc=rppt@kernel.org \
--cc=surenb@google.com \
--cc=ujwal.kundur@gmail.com \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox