From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B982C433ED for ; Tue, 27 Apr 2021 08:25:16 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id D333760234 for ; Tue, 27 Apr 2021 08:25:15 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D333760234 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=emersion.fr Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 2CD456B0071; Tue, 27 Apr 2021 04:25:15 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 27CF16B0073; Tue, 27 Apr 2021 04:25:15 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 11F716B0074; Tue, 27 Apr 2021 04:25:15 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0094.hostedemail.com [216.40.44.94]) by kanga.kvack.org (Postfix) with ESMTP id E4F276B0071 for ; Tue, 27 Apr 2021 04:25:14 -0400 (EDT) Received: from smtpin33.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id A36044DDD for ; Tue, 27 Apr 2021 08:25:14 +0000 (UTC) X-FDA: 78077462148.33.4DEDEDD Received: from mail-40136.protonmail.ch (mail-40136.protonmail.ch [185.70.40.136]) by imf03.hostedemail.com (Postfix) with ESMTP id D13A8C0007E5 for ; Tue, 27 Apr 2021 08:25:07 +0000 (UTC) Date: Tue, 27 Apr 2021 08:24:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emersion.fr; s=protonmail3; t=1619511910; bh=4HSy2peeOUh+Sk0/LYpC/GuLIdId71wOZKqgB55PQe8=; h=Date:To:From:Cc:Reply-To:Subject:From; b=IH1gMJIkBL6Rq7XG2TuitQx8L+5vdyeKrcgfGpQugBovC9zRchEZQ+5VydqO6BanU 4rYc2FNQAIOIZgJI3LLEfKbwLAG9uKoI5fLXKbbFonuquWKKeqI2Hf92z63xoB2X0U SQBS0sb2jDbym2sB5fUt/RJ0zTBRygDuf+p2KdW878rylJ8DDyuwOX1lgsLkMSwlbi gs9mgQ5UU1TRtcHY9iVQgz+TZJyBWO0JV+DoJZPuLpuymKRlPymkmm6QhYMeUQv/db QpyrapM5OY53c4g+vZHEjSOScTVjdbfsL2EAGcVLJYfVA+A2RbanplJ5/xgegDfx3s gSPEE4BBkDs+Q== To: Linux Kernel Mailing List From: Simon Ser Cc: David Herrmann , "linux-mm@kvack.org" , Greg Kroah-Hartman , Linus Torvalds , "tytso@mit.edu" Reply-To: Simon Ser Subject: Sealed memfd & no-fault mmap Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Stat-Signature: obi8csiqkzeheoa615kwgcpubw19975o X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: D13A8C0007E5 Received-SPF: none (emersion.fr>: No applicable sender policy available) receiver=imf03; identity=mailfrom; envelope-from=""; helo=mail-40136.protonmail.ch; client-ip=185.70.40.136 X-HE-DKIM-Result: pass/pass X-HE-Tag: 1619511907-919299 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Hi all, I'm a user-space developer working on Wayland compositors. Back in 2014, David Herrmann has posted a patchset [1] to introduce memfd and file sealing. The patchset reads: > 1) Graphics Compositors > If a graphics client creates a memory-backed render-buffer and passe= s a > file-decsriptor to it to the graphics server for display, the server > _has_ to setup SIGBUS handlers whenever mapping the given file. Othe= rwise, > the client might run ftruncate() or O_TRUNC on the on file in parall= el, > thus crashing the server. > With sealing, a compositor can reject any incoming file-descriptor t= hat > does _not_ have SEAL_SHRINK set. This way, any memory-mappings are > guaranteed to stay accessible. Furthermore, we still allow clients t= o > increase the buffer-size in case they want to resize the render-buff= er for > the next frame. We also allow parallel writes so the client can rend= er new > frames into the same buffer (client is responsible of never renderin= g into > a front-buffer if you want to avoid artifacts). > > Real use-case: Wayland wl_shm buffers can be transparently converted Fast-forward to 7 years later, and notice that there doesn't exist a single Wayland compositor that enforces file sealing for its clients. The reason is that there will always exist clients which are either old (and predate file sealing) or refuse to use Linux-only APIs (they don't use memfd and file sealing, instead they use e.g. shm_open). Requiring sealed memfds in compositors would break these clients. I don't believe the situation is about to change. Rather than requiring changes in all compositors *and* clients, can we maybe only require changes in compositors? For instance, OpenBSD has a __MAP_NOFAULT flag. When passed to mmap, it means that out-of-bound accesses will read as zeroes instead of triggering SIGBUS. Such a flag would be very helpful to unblock the annoying SIGBUS situation. Would something among these lines be welcome in the Linux kernel? Thanks, Simon [1]: https://lwn.net/Articles/591108/