Re: [PATCH RFC 00/24] userfaultfd: write protection support
From: David Hildenbrand
Date: Mon Jan 21 2019 - 09:33:34 EST
On 21.01.19 08:56, Peter Xu wrote:
> Hi,
>
> This series implements initial write protection support for
> userfaultfd. Currently both shmem and hugetlbfs are not supported
> yet, but only anonymous memory.
>
> To be simple, either "userfaultfd-wp" or "uffd-wp" might be used in
> later paragraphs.
>
> The whole series can also be found at:
>
> https://github.com/xzpeter/linux/tree/uffd-wp-merged
>
> Any comment would be greatly welcomed. Thanks.
>
> Overview
> ====================
>
> The uffd-wp work was initialized by Shaohua Li [1], and later
> continued by Andrea [2]. This series is based upon Andrea's latest
> userfaultfd tree, and it is a continuous works from both Shaohua and
> Andrea. Many of the follow up ideas come from Andrea too.
>
> Besides the old MISSING register mode of userfaultfd, the new uffd-wp
> support provides another alternative register mode called
> UFFDIO_REGISTER_MODE_WP that can be used to listen to not only missing
> page faults but also write protection page faults, or even they can be
> registered together. At the same time, the new feature also provides
> a new userfaultfd ioctl called UFFDIO_WRITEPROTECT which allows the
> userspace to write protect a range or memory or fixup write permission
> of faulted pages.
>
> Please refer to the document patch "userfaultfd: wp:
> UFFDIO_REGISTER_MODE_WP documentation update" for more information on
> the new interface and what it can do.
>
> The major workflow of an uffd-wp program should be:
>
> 1. Register a memory region with WP mode using UFFDIO_REGISTER_MODE_WP
>
> 2. Write protect part of the whole registered region using
> UFFDIO_WRITEPROTECT, passing in UFFDIO_WRITEPROTECT_MODE_WP to
> show that we want to write protect the range.
>
> 3. Start a working thread that modifies the protected pages,
> meanwhile listening to UFFD messages.
>
> 4. When a write is detected upon the protected range, page fault
> happens, a UFFD message will be generated and reported to the
> page fault handling thread
>
> 5. The page fault handler thread resolves the page fault using the
> new UFFDIO_WRITEPROTECT ioctl, but this time passing in
> !UFFDIO_WRITEPROTECT_MODE_WP instead showing that we want to
> recover the write permission. Before this operation, the fault
> handler thread can do anything it wants, e.g., dumps the page to
> a persistent storage.
>
> 6. The worker thread will continue running with the correctly
> applied write permission from step 5.
>
> Currently there are already two projects that are based on this new
> userfaultfd feature.
>
> QEMU Live Snapshot: The project provides a way to allow the QEMU
> hypervisor to take snapshot of VMs without
> stopping the VM [3].
>
> LLNL umap library: The project provides a mmap-like interface and
> "allow to have an application specific buffer of
> pages cached from a large file, i.e. out-of-core
> execution using memory map" [4][5].
>
> Before posting the patchset, this series was smoke tested against QEMU
> live snapshot and the LLNL umap library (by doing parallel quicksort
> using 128 sorting threads + 80 uffd servicing threads). My sincere
> thanks to Marty Mcfadden and Denis Plotnikov for the help along the
> way.
>
> Implementation
> ==============
>
> Patch 1-4: The whole uffd-wp requires the kernel page fault path to
> take more than one retries. In the previous works starting
> from Shaohua, a new fault flag FAULT_FLAG_ALLOW_UFFD_RETRY
> was introduced for this [6]. However in this series we have
> dropped that patch, instead the whole work is based on the
> recent series "[PATCH RFC v3 0/4] mm: some enhancements to
> the page fault mechanism" [7] which removes the assuption
> that VM_FAULT_RETRY can only happen once. This four
> patches are identital patches but picked up here. Please
> refer to the cover letter [7] for more information. More
> discussion upstream shows that this work could even benefit
> existing use case [8] so please help justify whether
> patches 1-4 can be consider to be accepted even earlier
> than the rest of the series.
>
> Patch 5-21: Implements the uffd-wp logic. To avoid collision with
> existing write protections (e.g., an private anonymous
> page can be write protected if it was shared between
> multiple processes), a new PTE bit (_PAGE_UFFD_WP) was
> introduced to explicitly mark a PTE as userfault
> write-protected. A similar bit was also used in the
> swap/migration entry (_PAGE_SWP_UFFD_WP) to make sure
> even if the pages were swapped or migrated, the uffd-wp
> tracking information won't be lost. When resolving a
> page fault, we'll do a page copy before hand if the page
> was COWed to make sure we won't corrupt any shared
> pages. Etc. Please see separated patches for more
> details.
>
> Patch 22: Documentation update for uffd-wp
>
> Patch 23,24: Uffd-wp selftests
>
> TODO
> =============
>
> - hugetlbfs/shmem support
> - performance
> - more architectures
> - ...
>
> References
> ==========
>
> [1] https://lwn.net/Articles/666187/
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/andrea/aa.git/log/?h=userfault
> [3] https://github.com/denis-plotnikov/qemu/commits/background-snapshot-kvm
> [4] https://github.com/LLNL/umap
> [5] https://llnl-umap.readthedocs.io/en/develop/
> [6] https://git.kernel.org/pub/scm/linux/kernel/git/andrea/aa.git/commit/?h=userfault&id=b245ecf6cf59156966f3da6e6b674f6695a5ffa5
> [7] https://lkml.org/lkml/2018/11/21/370
> [8] https://lkml.org/lkml/2018/12/30/64
>
> Andrea Arcangeli (5):
> userfaultfd: wp: add the writeprotect API to userfaultfd ioctl
> userfaultfd: wp: hook userfault handler to write protection fault
> userfaultfd: wp: add WP pagetable tracking to x86
> userfaultfd: wp: userfaultfd_pte/huge_pmd_wp() helpers
> userfaultfd: wp: add UFFDIO_COPY_MODE_WP
>
> Martin Cracauer (1):
> userfaultfd: wp: UFFDIO_REGISTER_MODE_WP documentation update
>
> Peter Xu (15):
> mm: gup: rename "nonblocking" to "locked" where proper
> mm: userfault: return VM_FAULT_RETRY on signals
> mm: allow VM_FAULT_RETRY for multiple times
> mm: gup: allow VM_FAULT_RETRY for multiple times
> mm: merge parameters for change_protection()
> userfaultfd: wp: apply _PAGE_UFFD_WP bit
> mm: export wp_page_copy()
> userfaultfd: wp: handle COW properly for uffd-wp
> userfaultfd: wp: drop _PAGE_UFFD_WP properly when fork
> userfaultfd: wp: add pmd_swp_*uffd_wp() helpers
> userfaultfd: wp: support swap and page migration
> userfaultfd: wp: don't wake up when doing write protect
> khugepaged: skip collapse if uffd-wp detected
> userfaultfd: selftests: refactor statistics
> userfaultfd: selftests: add write-protect test
>
> Shaohua Li (3):
> userfaultfd: wp: add helper for writeprotect check
> userfaultfd: wp: support write protection for userfault vma range
> userfaultfd: wp: enabled write protection in userfaultfd API
>
> Documentation/admin-guide/mm/userfaultfd.rst | 51 +++++
> arch/alpha/mm/fault.c | 4 +-
> arch/arc/mm/fault.c | 12 +-
> arch/arm/mm/fault.c | 17 +-
> arch/arm64/mm/fault.c | 11 +-
> arch/hexagon/mm/vm_fault.c | 3 +-
> arch/ia64/mm/fault.c | 3 +-
> arch/m68k/mm/fault.c | 5 +-
> arch/microblaze/mm/fault.c | 3 +-
> arch/mips/mm/fault.c | 3 +-
> arch/nds32/mm/fault.c | 7 +-
> arch/nios2/mm/fault.c | 5 +-
> arch/openrisc/mm/fault.c | 3 +-
> arch/parisc/mm/fault.c | 4 +-
> arch/powerpc/mm/fault.c | 9 +-
> arch/riscv/mm/fault.c | 9 +-
> arch/s390/mm/fault.c | 14 +-
> arch/sh/mm/fault.c | 5 +-
> arch/sparc/mm/fault_32.c | 4 +-
> arch/sparc/mm/fault_64.c | 4 +-
> arch/um/kernel/trap.c | 6 +-
> arch/unicore32/mm/fault.c | 10 +-
> arch/x86/Kconfig | 1 +
> arch/x86/include/asm/pgtable.h | 67 ++++++
> arch/x86/include/asm/pgtable_64.h | 8 +-
> arch/x86/include/asm/pgtable_types.h | 11 +-
> arch/x86/mm/fault.c | 13 +-
> arch/xtensa/mm/fault.c | 4 +-
> fs/userfaultfd.c | 110 +++++----
> include/asm-generic/pgtable.h | 1 +
> include/asm-generic/pgtable_uffd.h | 66 ++++++
> include/linux/huge_mm.h | 2 +-
> include/linux/mm.h | 21 +-
> include/linux/swapops.h | 2 +
> include/linux/userfaultfd_k.h | 41 +++-
> include/trace/events/huge_memory.h | 1 +
> include/uapi/linux/userfaultfd.h | 28 ++-
> init/Kconfig | 5 +
> mm/gup.c | 61 ++---
> mm/huge_memory.c | 28 ++-
> mm/hugetlb.c | 8 +-
> mm/khugepaged.c | 23 ++
> mm/memory.c | 28 ++-
> mm/mempolicy.c | 2 +-
> mm/migrate.c | 7 +
> mm/mprotect.c | 99 +++++++--
> mm/rmap.c | 6 +
> mm/userfaultfd.c | 92 +++++++-
> tools/testing/selftests/vm/userfaultfd.c | 222 ++++++++++++++-----
> 49 files changed, 898 insertions(+), 251 deletions(-)
> create mode 100644 include/asm-generic/pgtable_uffd.h
>
Does this series fix the "false positives" case I experienced on early
prototypes of uffd-wp? (getting notified about a write access although
it was not a write access?)
--
Thanks,
David / dhildenb