From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 13B29FA373E for ; Fri, 21 Oct 2022 16:19:28 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 8DECF8E0002; Fri, 21 Oct 2022 12:19:27 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 88E638E0001; Fri, 21 Oct 2022 12:19:27 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7562D8E0002; Fri, 21 Oct 2022 12:19:27 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 652AB8E0001 for ; Fri, 21 Oct 2022 12:19:27 -0400 (EDT) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id 33F421608F7 for ; Fri, 21 Oct 2022 16:19:27 +0000 (UTC) X-FDA: 80045466774.29.C53DFC3 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf12.hostedemail.com (Postfix) with ESMTP id 7D6E04002F for ; Fri, 21 Oct 2022 16:19:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1666369165; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7omGD/0SJwSkQLjHKwNQQMkdkZvhNZfSs8OhzyUT+G8=; b=N09wYBU96jRkghA+ulYH+EtCzw+zqIvCdnb3MRmreXoFSzEYcWgUL3NsVz3xNOfD7vWFY0 KyeQMKbtWeLuRrl/3Zzx7ZWa6VE/8nlHcSEocYbcGvrHkTxhEOmhfJkw48lj6/lnc4Enml atUAhr41q5WsOvXvN8/WJctw7q3ZVcA= Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-641-jQiF_E4FN7SRTVBPFSLExw-1; Fri, 21 Oct 2022 12:19:24 -0400 X-MC-Unique: jQiF_E4FN7SRTVBPFSLExw-1 Received: by mail-wr1-f71.google.com with SMTP id b10-20020adfc74a000000b002365575a405so703822wrh.6 for ; Fri, 21 Oct 2022 09:19:23 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:organization:from:references :cc:to:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7omGD/0SJwSkQLjHKwNQQMkdkZvhNZfSs8OhzyUT+G8=; b=hOyqV7sFgbQOFHhg0hJVbDbP/HEoknP8Ri9tU8Z2sLFPgLuFj5yjK1oLN05zgm02pR eTdhNUel2cl5ZsAwgdZtxskujna4JzD0m1X5POdCLTg3vbeum11/DhGxyDWNTWWcZdbf mmF5DlMZf8yn+yR8mMjMP0x5h1/3hjVzHcT01OM7a1We/jpBwl06L10t1OjygvpHJjde /QrtxtsWMBWiaDYB8Xh5zZoM2HLE/s9Qr/JUe31/kObgAIiR3GUBxvJyglJnp2ieq628 v4P8CVvbbLhI5qPFYJzBRWHZRJ0I9u56coF/QzWZefqtRp4mQaUhNtusThT5HVt7Mq8T bnNw== X-Gm-Message-State: ACrzQf1PKBuHZD87qhycepw2bm2dSqqw4/1Lra5vZfFmlximliazCva3 KXYEeyVHfssuaNM2cc5I/fUevl1KCG7XAQiCztFk+7jKl7SiDCSmSA+7t8zTsdSMu8mHzforiqL qybicQkuvGhc= X-Received: by 2002:a7b:c4cb:0:b0:3c6:f83e:cf79 with SMTP id g11-20020a7bc4cb000000b003c6f83ecf79mr13860627wmk.112.1666369163012; Fri, 21 Oct 2022 09:19:23 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5oAhBqAf9dvxwdUEwkLu7yQXNjbQkbgohUDVnjJt6LhKTkgXJQTsGZJduoHnwgYjQyuN2Q/g== X-Received: by 2002:a7b:c4cb:0:b0:3c6:f83e:cf79 with SMTP id g11-20020a7bc4cb000000b003c6f83ecf79mr13860608wmk.112.1666369162575; Fri, 21 Oct 2022 09:19:22 -0700 (PDT) Received: from ?IPV6:2003:cb:c708:1700:e40d:574c:c991:5f78? (p200300cbc7081700e40d574cc9915f78.dip0.t-ipconnect.de. [2003:cb:c708:1700:e40d:574c:c991:5f78]) by smtp.gmail.com with ESMTPSA id l35-20020a05600c1d2300b003b477532e66sm10893014wms.2.2022.10.21.09.19.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 21 Oct 2022 09:19:22 -0700 (PDT) Message-ID: Date: Fri, 21 Oct 2022 18:19:21 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1 Subject: Re: Avoiding allocation of unused shmem page To: Peter Xu Cc: Matthew Wilcox , linux-mm@kvack.org, Hugh Dickins References: <4e1f4fb4-559e-2be3-c091-40ce0130b6c3@redhat.com> <3b19120b-05f6-10b8-c1af-67d8eb60fea0@redhat.com> From: David Hildenbrand Organization: Red Hat In-Reply-To: X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1666369166; a=rsa-sha256; cv=none; b=30czoczpXseb5l+n2mx1L/B5QhKyLj/LN2qUS8gxMrvQrrusCdz8LnSo1bTuidbgm2CWRC +GgT8eVNuyCi/L/WVPJ4PequZJfYY89vwB/vNv0Cj7recQdeHY8GRCC+WeitbzMu03bCKJ mioktaPABfLhTrwNUYNr4vzLwrSpmho= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=N09wYBU9; dmarc=pass (policy=none) header.from=redhat.com; spf=pass (imf12.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1666369166; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=7omGD/0SJwSkQLjHKwNQQMkdkZvhNZfSs8OhzyUT+G8=; b=GOSh/nDQrucGGMnb9wnSUAdPWK5Kpek4Z5AhSBd203FowNAgdpKb9DTOwEv5dZ3NCbDjex Sy/9b+/x7UvDhD5N4Kfwi/rK96+/k2UCDx93+gsoaaXLUeVlEt93TsqJuUa3ULaIyQyGIC KnYHOpXRvlTdcH8R8iu3hyNfaeSSH20= Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=N09wYBU9; dmarc=pass (policy=none) header.from=redhat.com; spf=pass (imf12.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com X-Rspamd-Server: rspam04 X-Rspam-User: X-Stat-Signature: kk3dmy91pcxq33dnz1fqd4a5xj5pcaea X-Rspamd-Queue-Id: 7D6E04002F X-HE-Tag: 1666369166-873776 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 21.10.22 18:01, Peter Xu wrote: > On Fri, Oct 21, 2022 at 05:17:08PM +0200, David Hildenbrand wrote: >> On 21.10.22 17:08, Peter Xu wrote: >>> On Fri, Oct 21, 2022 at 04:45:27PM +0200, David Hildenbrand wrote: >>>> On 21.10.22 16:28, Peter Xu wrote: >>>>> On Fri, Oct 21, 2022 at 04:10:41PM +0200, David Hildenbrand wrote: >>>>>> On 21.10.22 16:01, Peter Xu wrote: >>>>>>> On Fri, Oct 21, 2022 at 09:23:00AM +0200, David Hildenbrand wrote: >>>>>>>> On 20.10.22 23:10, Peter Xu wrote: >>>>>>>>> On Thu, Oct 20, 2022 at 09:14:09PM +0100, Matthew Wilcox wrote: >>>>>>>>>> In yesterday's call, David brought up the case where we fallocate a file >>>>>>>>>> in shmem, call mmap(MAP_PRIVATE) and then store to a page which is over >>>>>>>>>> a hole. That currently causes shmem to allocate a page, zero-fill it, >>>>>>>>>> then COW it, resulting in two pages being allocated when only the >>>>>>>>>> COW page really needs to be allocated. >>>>>>>>>> >>>>>>>>>> The path we currently take through the MM when we take the page fault >>>>>>>>>> looks like this (correct me if I'm wrong ...): >>>>>>>>>> >>>>>>>>>> handle_mm_fault() >>>>>>>>>> __handle_mm_fault() >>>>>>>>>> handle_pte_fault() >>>>>>>>>> do_fault() >>>>>>>>>> do_cow_fault() >>>>>>>>>> __do_fault() >>>>>>>>>> vm_ops->fault() >>>>>>>>>> >>>>>>>>>> ... which is where we come into shmem_fault(). Apart from the >>>>>>>>>> horrendous hole-punch handling case, shmem_fault() is quite simple: >>>>>>>>>> >>>>>>>>>> err = shmem_get_folio_gfp(inode, vmf->pgoff, &folio, SGP_CACHE, >>>>>>>>>> gfp, vma, vmf, &ret); >>>>>>>>>> if (err) >>>>>>>>>> return vmf_error(err); >>>>>>>>>> vmf->page = folio_file_page(folio, vmf->pgoff); >>>>>>>>>> return ret; >>>>>>>>>> >>>>>>>>>> What we could do here is detect this case. Something like: >>>>>>>>>> >>>>>>>>>> enum sgp_type sgp = SGP_CACHE; >>>>>>>>>> >>>>>>>>>> if ((vmf->flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) >>>>>>>>>> sgp = SGP_READ; >>>>>>>>> >>>>>>>>> Yes this will start to save the space, but just to mention this may start >>>>>>>>> to break anything that will still depend on the pagecache to work. E.g., >>>>>>>>> it'll change behavior if the vma is registered with uffd missing mode; >>>>>>>>> we'll start to lose MISSING events for these private mappings. Not sure >>>>>>>>> whether there're other side effects. >>>>>>>> >>>>>>>> I don't follow, can you elaborate? >>>>>>>> >>>>>>>> hugetlb doesn't perform this kind of unnecessary allocation and should be fine in regards to uffd. Why should it matter here and how exactly would a problematic sequence look like? >>>>>>> >>>>>>> Hugetlb is special because hugetlb detects pte first and relies on pte at >>>>>>> least for uffd. shmem is not. >>>>>>> >>>>>>> Feel free to also reference the recent fix which relies on the stable >>>>>>> hugetlb pte with commit 2ea7ff1e39cbe375. >>>>>> >>>>>> Sorry to be dense here, but I don't follow how that relates. >>>>>> >>>>>> Assume we have a MAP_PRIVATE shmem mapping and someone registers uffd >>>>>> missing events on that mapping. >>>>>> >>>>>> Assume we get a page fault on a hole. We detect no page is mapped and check >>>>>> if the page cache has a page mapped -- which is also not the case, because >>>>>> there is a hole. >>>>>> >>>>>> So we notify uffd. >>>>>> >>>>>> Uffd will place a page. It should *not* touch the page cache and only insert >>>>>> that page into the page table -- otherwise we'd be violating MAP_PRIVATE >>>>>> semantics. >>>>> >>>>> That's actually exactly what we do right now... we insert into page cache >>>>> for the shmem. See shmem_mfill_atomic_pte(). >>>>> >>>>> Why it violates MAP_PRIVATE? Private pages only guarantee the exclusive >>>>> ownership of pages, I don't see why it should restrict uffd behavior. Uffd >>>>> missing mode (afaiu) is defined to resolve page cache missings in this >>>>> case. Hugetlb is special but not shmem IMO comparing to most of the rest >>>>> of the file systems. >>>> >>>> If a write (or uffd placement) via a MAP_PRIVATE mapping results in other >>>> shared/private mappings from observing these modifications, you have a clear >>>> violation of MAP_PRIVATE semantics. >>> >>> I think I understand what you meant, but just to mention again that I think >>> it's a matter of how we defined the uffd missing semantics when shmem >>> missing mode was introduced years ago. It does not need to be the same >>> semantic as writting directly to a private mapping. >>> >> >> I think uffd does exactly the right thing in mfill_atomic_pte: >> >> /* >> * The normal page fault path for a shmem will invoke the >> * fault, fill the hole in the file and COW it right away. The >> * result generates plain anonymous memory. So when we are >> * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll >> * generate anonymous memory directly without actually filling >> * the hole. For the MAP_PRIVATE case the robustness check >> * only happens in the pagetable (to verify it's still none) >> * and not in the radix tree. >> */ >> if (!(dst_vma->vm_flags & VM_SHARED)) { >> if (mode == MCOPY_ATOMIC_NORMAL) >> err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma, >> dst_addr, src_addr, page, >> wp_copy); >> else >> err = mfill_zeropage_pte(dst_mm, dst_pmd, >> dst_vma, dst_addr); >> } else { >> err = shmem_mfill_atomic_pte(dst_mm, dst_pmd, dst_vma, >> dst_addr, src_addr, >> mode != MCOPY_ATOMIC_NORMAL, >> wp_copy, page); >> } >> >> Unless we have a writable shared mapping, we end up not touching the pagecache. >> >> After what I understand from your last message (maybe I understood it wrong), >> I tried exploiting uffd behavior by writing into a hole of a file without >> write permissions using uffd. I failed because it does the right thing ;) > > Very interesting to learn this, thanks for the pointer, David. :) > Definitely helpful to me on knowing better on the vma security model. > > Though note that it'll be a different topic if we go back to the original > problem we're discussing - the fake-read approach of shmem will still keep > the hole in file which will still change the behavior of missing messages > from generating. > > Said that, I don't really know whether there can be a real impact on any > uffd users, or anything else that similarly access the file cache. One odd behavior I could think of is if one would have someone a process A that uses uffd on a MAP_SHARED shmem and someone other process B (e.g., with read-only permissions) have a MAP_PRIVATE mapping on the same file. A read (or a write) from process B to the private mapping would result in process A not receiving uffd events. Of course, the same would happen if you have multiple MAP_SHARED mappings as well ... but it feels a bit weird being able to do that without write permissions to the file. -- Thanks, David / dhildenb