Re: [PATCH 2/2] mm: adds NOSIGBUS extension for out-of-band shmem read

[Hugh Dickins]

On Thu, 3 Jun 2021, Linus Torvalds wrote:
> On Wed, Jun 2, 2021 at 5:46 PM Hugh Dickins <hughd@xxxxxxxxxx> wrote:
> >
> > Ideally you can simply call do_anonymous_page() from __do_fault()
> > in the VM_FAULT_SIGBUS on VM_NOSIGBUS case.
> 
> Heh.
> 
> We're actually then back to my original patch.
> 
> That one doesn't handle shared mappings (even read-only ones), for the
> simple reason that do_anonymous_page() refuses to insert anonymous
> pages into a shared mapping, and has
> 
>         /* File mapping without ->vm_ops ? */
>         if (vma->vm_flags & VM_SHARED)
>                 return VM_FAULT_SIGBUS;
> 
> at the very top.
> 
> But yes, if we just remove that check, I think my original patch
> should actually "JustWork(tm)".

But no!

Sorry, I don't have time for this at present, so haven't looked at
your original patch.

But the point that we've arrived at, that I'm actually now fairly
happy with, is do *not* permit MAP_NOSIGBUS on MAP_SHARED mappings.

I didn't check the placement yet, easy to get wrong, but I believe
Ming Lin is now enforcing that over at the mmap() end.

On a MAP_PRIVATE mapping, the nasty opaque blob of zeroes can
claim some precedent in what already happens with COW'ed pages.

Which leaves MAP_NOSIGBUS on MAP_SHARED as currently unsupported,
perhaps never supported on anything, perhaps one day supported on
shmem; but if it's ever supported then that one will naturally be
transparent to future changes in page cache - we call that "shared".

Of course, internally, there's the in-between case of MAP_SHARED
without PROT_WRITE and without writable fd: VM_MAYSHARE without
VM_SHARED or VM_MAYWRITE.  We *could* let that one accept
MAP_NOSIGBUS, but who wants to write the manpage for it?

Please stick to MAP_PRIVATE: that's good enough.

> 
> I'm attaching it again, with old name and old commentary (ie that
> 
>     /* FIXME! We don't have a VM_NOFAULT bit */
> 
> should just be replaced with that VM_NOSIGBUS bit instead, and the
> #if'ed out region should be enabled.
> 
> Oh, and we need to think hard about one more case: mprotect().
> 
> In particular, I think the attached patch fails horribly for the case
> of a shared mapping that starts out read-only, then inserts a zero
> page, then somebody does mprotect(MAP_WRITE), and then writes to the
> page. I haven't checked what the write protect fault handler does, but
> I think that for a shared mapping it will just make the page dirty and
> writable.

Obviously the finished patch will need to be scrutinized carefully, but
I think the mprotect() questions vanish when restricted to MAP_PRIVATE.

> 
> Which would be horribly wrong for VM_NOSIGBUS.
> 
> So that support infrastructure that adds MAP_NOSIGBUS, and checks that
> it is only done on a read-only mapping, also has to make sure that it
> clears the VM_MAYWRITE bit when it sets VM_NOSIGBUS.
> 
> That way mprotect can't then later make it writable.
> 
> Hugh, comments on this approach?

Comments above, just stick to MAP_PRIVATE.

Hugh

> 
> Again: this patch is my *OLD* one, I didn't try to update it to the
> new world order. It requires
> 
>  - Ming's MAP_NOSIGBUS ccode
> 
>  - removal of that "File mapping without ->vm_ops" case
> 
>  - that FIXME fixed and name updated
> 
>  - and that VM_MAYWRITE clearing if VM_NOSIGBUS is set, to avoid the
> mprotect issue.
> 
> Hmm?
> 
>                   Linus