From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 752E2C636CC for ; Mon, 13 Feb 2023 21:11:22 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A5F736B0072; Mon, 13 Feb 2023 16:11:21 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 9E91D280001; Mon, 13 Feb 2023 16:11:21 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 862DA6B0075; Mon, 13 Feb 2023 16:11:21 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 6FC556B0072 for ; Mon, 13 Feb 2023 16:11:21 -0500 (EST) Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 13AB01209AD for ; Mon, 13 Feb 2023 21:11:21 +0000 (UTC) X-FDA: 80463514362.21.D5E40E5 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by imf05.hostedemail.com (Postfix) with ESMTP id DC696100173 for ; Mon, 13 Feb 2023 21:11:15 +0000 (UTC) Authentication-Results: imf05.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=jGFln04o; spf=pass (imf05.hostedemail.com: domain of peterx@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=peterx@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1676322675; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=XiJVIcYvNscRtU3tTbpdym+x/nlMCndCxJHWfBusVBY=; b=x6paRlcI18HqRjze4EFmiRopxw43EHt9HKN6rkxplo+guVblJETq/DOoBR4TjlD3iqT+8r VVGlEmldFrHmvrsrgTsBfp2Df13nW/7F/FSnGSsClIt5RF1aVu3i/iCTg3x3qS/zsBqalG e+hlTtiG/x0939vIKfNgwlv8BfASsR0= ARC-Authentication-Results: i=1; imf05.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=jGFln04o; spf=pass (imf05.hostedemail.com: domain of peterx@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=peterx@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1676322675; a=rsa-sha256; cv=none; b=r1Rxlg+XNpmyUpLXoC5CbvdlCnLQJqEw4+kiN9B+SmkeH7fQeaM2ZjzJlfxmPZUVkuzneL Kvq4y0S4dVQmx8pH+ZFf+fkHahCz2wiVR1cjbmUQHpDlLtfcc1FBx1wld6pxGMZt3DTwB2 E3wRvHR1p2g5S3+JwLjFtgu2aRnq0KU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1676322675; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XiJVIcYvNscRtU3tTbpdym+x/nlMCndCxJHWfBusVBY=; b=jGFln04okta/PPuZlebfl71MlhdEjZTb6Sj4bL/dbspFwJakvdA6D/+M9Otv61z8Ko5iOf IopTRO2qTWMvCu/ub4lM+DEjlS/45svDLEeooKCOKYUb5j3NUIUHqMxt2jUxXzunJe316z n5AFK3kdYRUtJL8wbwKk/3ixAhjbgyw= Received: from mail-qk1-f200.google.com (mail-qk1-f200.google.com [209.85.222.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-122-7cX_cGbEPum9ErVpYY1uMA-1; Mon, 13 Feb 2023 16:11:14 -0500 X-MC-Unique: 7cX_cGbEPum9ErVpYY1uMA-1 Received: by mail-qk1-f200.google.com with SMTP id g6-20020ae9e106000000b00720f9e6e3e2so8324248qkm.13 for ; Mon, 13 Feb 2023 13:11:14 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=XiJVIcYvNscRtU3tTbpdym+x/nlMCndCxJHWfBusVBY=; b=BdzD+ZB+/iBI+KIbkXyyUnSlCRQG9IHBT/HMksrhfjE+copmhC+9cneeIqpg5jxUjz VKivsqAWv53wqtgIhaHgEnrGXCGI5x7LLXasiRgDG7qOHbbEznN9bRmC7VhcFE2S3Gw9 KIVJeFMCC07ozsYRg7z8dmiMWMP+LjLW0XflIjHjik23AkA6HoS/iSL3GyWB1xKmLEeF kmrErdG0fekBCC5hnft+I0rztrYGOGBpZjsKxeNgVE9kldqdUyC+Pzcwe8lD/LBDYNpA lYTlQwYyeBMd+BqHbL/YIGwQHbAbqIsV1WRf6Of1Ly2YcSVbjbNrxzxNsGc0V8z/mgfp Wdiw== X-Gm-Message-State: AO0yUKW/4VamLt3015TglwsD+W8XVspN+DL/SRW/wmb3FxbtU2kYJc84 kIUayeySpwteIK8GAKnkuYWr7Kfsm5iW2/Z9KcpQdypDwJGt1JrIuzu8Nm+WTcFh1De+4Q2Mlx1 XpRT2Wrwje04= X-Received: by 2002:ac8:5e11:0:b0:3b9:fc92:a6 with SMTP id h17-20020ac85e11000000b003b9fc9200a6mr48707388qtx.6.1676322673483; Mon, 13 Feb 2023 13:11:13 -0800 (PST) X-Google-Smtp-Source: AK7set8sSrs7hORs24WhXhw32Ev+Zs22yA69THTIL/t2cxEqBzMSvFcHbAuV4vp/ndv4tFzVWQMPew== X-Received: by 2002:ac8:5e11:0:b0:3b9:fc92:a6 with SMTP id h17-20020ac85e11000000b003b9fc9200a6mr48707348qtx.6.1676322673086; Mon, 13 Feb 2023 13:11:13 -0800 (PST) Received: from x1n (bras-base-aurron9127w-grc-56-70-30-145-63.dsl.bell.ca. [70.30.145.63]) by smtp.gmail.com with ESMTPSA id i9-20020ac80049000000b003b646123691sm9966107qtg.31.2023.02.13.13.11.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Feb 2023 13:11:12 -0800 (PST) Date: Mon, 13 Feb 2023 16:11:11 -0500 From: Peter Xu To: Muhammad Usama Anjum Cc: david@redhat.com, Andrew Morton , kernel@collabora.com, Paul Gofman , linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 1/2] mm/userfaultfd: Support WP on multiple VMAs Message-ID: References: <20230213163124.2850816-1-usama.anjum@collabora.com> <9f0278d7-54f1-960e-ffdf-eeb2572ff6d1@collabora.com> MIME-Version: 1.0 In-Reply-To: <9f0278d7-54f1-960e-ffdf-eeb2572ff6d1@collabora.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit X-Stat-Signature: o7bi3ayzoxm4h7tzbe3u4bah37q7dxp7 X-Rspam-User: X-Rspamd-Queue-Id: DC696100173 X-Rspamd-Server: rspam06 X-HE-Tag: 1676322675-993887 X-HE-Meta: U2FsdGVkX18pc/OVL5ymYrb+L0gbz2n4QTojQ5Xbhr03IIvmEb429p+LjIxL8nwKEdYXRvwfZgO6fCRXNMgPmp3aG7KKFpHVqRbLWJ3z/wNG8dRZaVy2IO7vPpY71YmdbTKkMNrxDtUrauBPa29T4tZJu1y2T9/P46m3T8HtuBI1HmbZvRafLTJHdV01nrILqG/StQ4J0U++zwoP27gk7Jyx5y1AuK4KzQu4Lu+aBrHKo49jFQD7LNFm+BObogVC5FRgq+CzedT/BkBS4g5HzUO4crEJPjTmJs+au2CqSAkzVlBwWteI/9GOTyEwrDYd2FPR7Xa9pTh7Qf6PjBlrEm+C5GoVx3ADDq8TwJLBmcKf2m+DX6yVE2+cS/cssC9VMjaMcLx3UqSVtAJXRVYH53sxF70+Yfoil/X2odImmKibPgcdC0/grv0woVmKCraDzVi5eCt+RLOjNjCSYVCANkW9PdlCAmRiNnAdE68u2BM/MLgCZEmM031/fyvBw/cO+Qbcb8G+Au0Yq4+X5VarQ+n4Qsdm6EySlg1R0nVKgS+IvHs80XgeY5cnSQ6JsHmtLKTz3sjUs4oKebO3EIuk9lK2DkkYyLvbtAJIIDKAu5p4ZnsHETisvJ+vWHX9osmTHVV3AGojPyNFcS7WQoMwQ6GE42wm1tK/5/m0itjLitatvAs3Up0Ie6WRBEp0KCAJr+JdMr4nFJJFdVW/HmC7UKrYWYDrlSYocEzo+13o2rY2yVQ6dZngNqdvZdqrxPMoejnaIbKg8tnZm417s5OTX5ABRnS3CboAUoZAGGRcF2rJDiwCD0gB+QKmN14c5od1Io8Q9ybn2AtRWI2X+mYN7/p7pVMgyObH5N+NqzQSfP1UVBQNU67EMZEEC4BL7uPhlGxM4U/Y/kkDFn/6/BdQZq+/Yaknks67r0DOMmWIMg+Fx3JBwNAkh3s+yEs1zL/LHtuqyT7rf0BZzmDVRsx ILKuxaL9 fPRTt1RAwWyNLb9BmpzNygzU53zryaf1JJtsQFPyIS+jE5+j1EXAr4QtQOx7AumOigRNztiMl87iSWqmZogEnk86LjVBlHZb7HJ0AXLSOPP6W7WMH7VQ9vcQ4EhnXmqAHk7z50KqfOpYOqcj/swLjP3CcwkjM5a/kkKV5vP+CaRErJC3wpFqN7PxAEmGRRR7YQ68JaBpkMUhMfwwwy1fLpOvJQvtt9YR/j89/IApfhTlKMMqZRLrwJwopQ/0YhXmnXkoqsDqPbnsxGcJhjZWQNdVAS78jRUmipilKJVpcOciaHY1kbjZ18GnbcCkythP02o3yDd6ECASzMVfz5TEb0xT2akre7NQdNiTci8xDfDbtV9l8kT7FlAF9v2ZnCAMNR7wKjjUYrDIXfaAhGftqnd7/+Vn+13aleDHB8qYvnj47Z2CFFzqs8uuVV09dj9Z082nMy3RRgguceqG+7M1O9n76FaAhGWh+griJyT20sxfJW3gvv6Z5SBjdCg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Feb 13, 2023 at 10:50:39PM +0500, Muhammad Usama Anjum wrote: > On 2/13/23 9:54 PM, Peter Xu wrote: > > On Mon, Feb 13, 2023 at 09:31:23PM +0500, Muhammad Usama Anjum wrote: > >> mwriteprotect_range() errors out if [start, end) doesn't fall in one > >> VMA. We are facing a use case where multiple VMAs are present in one > >> range of interest. For example, the following pseudocode reproduces the > >> error which we are trying to fix: > >> > >> - Allocate memory of size 16 pages with PROT_NONE with mmap > >> - Register userfaultfd > >> - Change protection of the first half (1 to 8 pages) of memory to > >> PROT_READ | PROT_WRITE. This breaks the memory area in two VMAs. > >> - Now UFFDIO_WRITEPROTECT_MODE_WP on the whole memory of 16 pages errors > >> out. > >> > >> This is a simple use case where user may or may not know if the memory > >> area has been divided into multiple VMAs. > >> > >> Reported-by: Paul Gofman > >> Signed-off-by: Muhammad Usama Anjum > >> --- > >> Changes since v1: > >> - Correct the start and ending values passed to uffd_wp_range() > >> --- > >> mm/userfaultfd.c | 38 ++++++++++++++++++++++---------------- > >> 1 file changed, 22 insertions(+), 16 deletions(-) > >> > >> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c > >> index 65ad172add27..bccea08005a8 100644 > >> --- a/mm/userfaultfd.c > >> +++ b/mm/userfaultfd.c > >> @@ -738,9 +738,12 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start, > >> unsigned long len, bool enable_wp, > >> atomic_t *mmap_changing) > >> { > >> + unsigned long end = start + len; > >> + unsigned long _start, _end; > >> struct vm_area_struct *dst_vma; > >> unsigned long page_mask; > >> int err; > > > > I think this needs to be initialized or it can return anything when range > > not mapped. > It is being initialized to -EAGAIN already. It is not visible in this patch. I see, though -EAGAIN doesn't look suitable at all. The old retcode for !vma case is -ENOENT, so I think we'd better keep using it if we want to have this patch. > > > > >> + VMA_ITERATOR(vmi, dst_mm, start); > >> > >> /* > >> * Sanitize the command parameters: > >> @@ -762,26 +765,29 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start, > >> if (mmap_changing && atomic_read(mmap_changing)) > >> goto out_unlock; > >> > >> - err = -ENOENT; > >> - dst_vma = find_dst_vma(dst_mm, start, len); > >> + for_each_vma_range(vmi, dst_vma, end) { > >> + err = -ENOENT; > >> > >> - if (!dst_vma) > >> - goto out_unlock; > >> - if (!userfaultfd_wp(dst_vma)) > >> - goto out_unlock; > >> - if (!vma_can_userfault(dst_vma, dst_vma->vm_flags)) > >> - goto out_unlock; > >> + if (!dst_vma->vm_userfaultfd_ctx.ctx) > >> + break; > >> + if (!userfaultfd_wp(dst_vma)) > >> + break; > >> + if (!vma_can_userfault(dst_vma, dst_vma->vm_flags)) > >> + break; > >> > >> - if (is_vm_hugetlb_page(dst_vma)) { > >> - err = -EINVAL; > >> - page_mask = vma_kernel_pagesize(dst_vma) - 1; > >> - if ((start & page_mask) || (len & page_mask)) > >> - goto out_unlock; > >> - } > >> + if (is_vm_hugetlb_page(dst_vma)) { > >> + err = -EINVAL; > >> + page_mask = vma_kernel_pagesize(dst_vma) - 1; > >> + if ((start & page_mask) || (len & page_mask)) > >> + break; > >> + } > >> > >> - uffd_wp_range(dst_mm, dst_vma, start, len, enable_wp); > >> + _start = (dst_vma->vm_start > start) ? dst_vma->vm_start : start; > >> + _end = (dst_vma->vm_end < end) ? dst_vma->vm_end : end; > >> > >> - err = 0; > >> + uffd_wp_range(dst_mm, dst_vma, _start, _end - _start, enable_wp); > >> + err = 0; > >> + } > >> out_unlock: > >> mmap_read_unlock(dst_mm); > >> return err; > > > > This whole patch also changes the abi, so I'm worried whether there can be > > app that relies on the existing behavior. > Even if a app is dependent on it, this change would just don't return error > if there are multiple VMAs under the hood and handle them correctly. Most > apps wouldn't care about VMAs anyways. I don't know if there would be any > drastic behavior change, other than the behavior becoming nicer. So this logic existed since the initial version of uffd-wp. It has a good thing that it strictly checks everything and it makes sense since uffd-wp is per-vma attribute. In short, the old code fails clearly. While the new proposal is not: if -ENOENT we really have no idea what happened at all; some ranges can be wr-protected but we don't know where starts to go wrong. Now I'm looking at the original problem.. - Allocate memory of size 16 pages with PROT_NONE with mmap - Register userfaultfd - Change protection of the first half (1 to 8 pages) of memory to PROT_READ | PROT_WRITE. This breaks the memory area in two VMAs. - Now UFFDIO_WRITEPROTECT_MODE_WP on the whole memory of 16 pages errors out. Why the user app should wr-protect 16 pages at all? If so, uffd_wp_range() will be ran upon a PROT_NONE range which doesn't make sense at all, no matter whether the user is aware of vma concept or not... because it's destined that it's a vain effort. So IMHO it's the user app needs fixing here, not the interface? I think it's the matter of whether the monitor is aware of mprotect() being invoked. In short, I hope we're working on things that helps at least someone, and we should avoid working on things that does not have clear benefit yet. With the WP_ENGAGE new interface being proposed, I just didn't see any benefit of changing the current interface, especially if the change can bring uncertainties itself (e.g., should we fail upon !uffd-wp vmas, or should we skip?). > > > > > Is this for the new pagemap effort? Can this just be done in the new > > interface rather than changing the old? > We found this bug while working on pagemap patches. It is already being > handled in the new interface. We just thought that this use case can happen > pretty easily and unknowingly. So the support should be added. Thanks. My understanding is that it would have been reported if it affected any existing uffd-wp user. > > Also mwriteprotect_range() gives a pretty straight forward way to WP or > un-WP a range. Async WP can be used in coordination with pagemap file > (PM_UFFD_WP flag in PTE) as well. There may be use cases for it. On another > note, I don't see any use cases of WP async and PM_UFFD_WP flag as > !PM_UFFD_WP flag doesn't give direct information if the page is written for > !present pages. Currently we do maintain PM_UFFD_WP even for swap entries, so if it was written then I think we'll know even if the page was swapped out: } else if (is_swap_pte(pte)) { if (pte_swp_uffd_wp(pte)) flags |= PM_UFFD_WP; if (pte_marker_entry_uffd_wp(entry)) flags |= PM_UFFD_WP; So it's working? > > > > > Side note: in your other pagemap series, you can optimize "WP_ENGAGE && > > !GET" to not do generic pgtable walk at all, but use what it does in this > > patch for the initial round or wr-protect. > Yeah, it is implemented with some optimizations. IIUC in your latest public version is not optimized, but I can check the new version when it comes. Thanks, -- Peter Xu