Date: Fri, 19 May 2023 12:20:25 -0400
From: Peter Xu
To: Jiaqi Yan
Cc: Axel Rasmussen, David Hildenbrand, James Houghton, Alexander Viro, Andrew Morton, Christian Brauner, Hongchen Zhang, Huang Ying, "Liam R. Howlett", Miaohe Lin, "Mike Rapoport (IBM)", Nadav Amit, Naoya Horiguchi, Shuah Khan, ZhangPeng, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, Anish Moorthy
Subject: Re: [PATCH 1/3] mm: userfaultfd: add new UFFDIO_SIGBUS ioctl
References: <20230511182426.1898675-1-axelrasmussen@google.com> <32fdc2c8-b86b-92f3-1d5e-64db6be29126@redhat.com>

Hi, Jiaqi,

On Fri, May 19, 2023 at 08:04:09AM -0700, Jiaqi Yan wrote:
> I don't think CAP_ADMIN is something we can work around: a VMM must be
> a good citizen to avoid introducing any vulnerability to the host or
> guest.
>
> On the other hand, "Userfaults allow the implementation of on-demand
> paging from userland and more generally they allow userland to take
> control of various memory page faults, something otherwise only the
> kernel code could do." [3]. I am not familiar with the UFFD internals,
> but our use case seems to match what UFFD wants to provide: without
> affecting the whole world, give a specific userspace (without
> CAP_ADMIN) the ability to handle page faults (indirectly emulate a
> HWPOISON page (in my mind I treat it as SetHWPOISON(page) +
> TestHWPOISON(page) operation in kernel's PF code)). So is it fair to
> say what Axel provided here is "provide !ADMIN somehow"?
>
> [3]https://docs.kernel.org/admin-guide/mm/userfaultfd.html

Userfault keywords on "user", IMHO.

We don't strictly need userfault to resolve anything regarding CAP_ADMIN
problems. MADV_DONTNEED also doesn't need CAP_ADMIN, same to any new
madvise() if we want to make it useful for injecting poisoned ptes with
!ADMIN and limit it within current->mm.

But I think you're right that userfaultfd always tried to avoid having
ADMIN and keep everything within its own scope of permissions.

So again, totally no objection on making it uffd specific for now if you
guys are all happy with it, but just to be clear that it's (to me) mostly
for avoiding another WAKE, and afaics that's not really for solving the
ADMIN issue here.

Thanks,

-- 
Peter Xu