| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <39c5ef18-1138-c879-2c6d-c013c79fa335@redhat.com>
Date: Thu, 29 Sep 2022 19:24:31 +0200
From: David Hildenbrand <david@...hat.com>
To: Chih-En Lin <shiyn.lin@...il.com>
Cc: Nadav Amit <namit@...are.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Qi Zheng <zhengqi.arch@...edance.com>,
Matthew Wilcox <willy@...radead.org>,
Christophe Leroy <christophe.leroy@...roup.eu>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
Luis Chamberlain <mcgrof@...nel.org>,
Kees Cook <keescook@...omium.org>,
Iurii Zaikin <yzaikin@...gle.com>,
Vlastimil Babka <vbabka@...e.cz>,
William Kucharski <william.kucharski@...cle.com>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
Peter Xu <peterx@...hat.com>,
Suren Baghdasaryan <surenb@...gle.com>,
Arnd Bergmann <arnd@...db.de>,
Tong Tiangen <tongtiangen@...wei.com>,
Pasha Tatashin <pasha.tatashin@...een.com>,
Li kunyu <kunyu@...china.com>,
Anshuman Khandual <anshuman.khandual@....com>,
Minchan Kim <minchan@...nel.org>,
Yang Shi <shy828301@...il.com>, Song Liu <song@...nel.org>,
Miaohe Lin <linmiaohe@...wei.com>,
Thomas Gleixner <tglx@...utronix.de>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Andy Lutomirski <luto@...nel.org>,
Fenghua Yu <fenghua.yu@...el.com>,
Dinglan Peng <peng301@...due.edu>,
Pedro Fonseca <pfonseca@...due.edu>,
Jim Huang <jserv@...s.ncku.edu.tw>,
Huichun Feng <foxhoundsk.tw@...il.com>
Subject: Re: [RFC PATCH v2 9/9] mm: Introduce Copy-On-Write PTE table
>> IMHO, a relaxed form that focuses on only the memory consumption reduction
>> could *possibly* be accepted upstream if it's not too invasive or complex.
>> During fork(), we'd do exactly what we used to do to PTEs (increment
>> mapcount, refcount, trying to clear PageAnonExclusive, map the page R/O,
>> duplicate swap entries; all while holding the page table lock), however,
>> sharing the prepared page table with the child process using COW after we
>> prepared it.
>>
>> Any (most once we want to *optimize* rmap handling) modification attempts
>> require breaking COW -- copying the page table for the faulting process. But
>> at that point, the PTEs are already write-protected and properly accounted
>> (refcount/mapcount/PageAnonExclusive).
>>
>> Doing it that way might not require any questionable GUP hacks and swapping,
>> MMU notifiers etc. "might just work as expected" because the accounting
>> remains unchanged" -- we simply de-duplicate the page table itself we'd have
>> after fork and any modification attempts simply replace the mapped copy.
>
> Agree.
> However for GUP hacks, if we want to do the COW to page table, we still
> need the hacks in this patch (using the COW_PTE_OWN_EXCLUSIVE flag to
> check whether the PTE table is available or not before we do the COW to
> the table). Otherwise, it will be more complicated since it might need
> to handle situations like while preparing the COW work, it just figuring
> out that it needs to duplicate the whole table and roll back (recover
> the state and copy it to new table). Hopefully, I'm not wrong here.
The nice thing is that GUP itself *usually* doesn't modify page tables.
One corner case is follow_pfn_pte(). All other modifications should
happen in the actual fault handler that has to deal with such kind of
unsharing either way when modifying the PTE.
If the pages are already in a COW-ed pagetable in the desired "shared"
state (e.g., PageAnonExclusive cleared on an anonymous page), R/O
pinning of such pages will just work as expected and we shouldn't be
surprised by another set of GUP+COW CVEs.
We'd really only deduplicate the page table and not play other tricks
with the actual page table content that differ from the existing way of
handling fork().
I don't immediately see why we need COW_PTE_OWN_EXCLUSIVE in GUP code
when not modifying the page table. I think we only need "we have to
unshare this page table now" in follow_pfn_pte() and inside the fault
handling when GUP triggers a fault.
I hope my assumption is correct, or am I missing something?
>
>> But devil is in the detail (page table lock, TLB flushing).
>
> Sure, it might be an overhead in the page fault and needs to be handled
> carefully. ;)
>
>> "will make fork() even have more overhead" is not a good excuse for such
>> complexity/hacks -- sure, it will make your benchmark results look better in
>> comparison ;)
>
> ;);)
> I think that, even if we do the accounting with the COW page table, it
> still has a little bit improve.
:)
My gut feeling is that this is true. While we have to do a pass over the
parent page table during fork and wrprotect all PTEs etc., we don't have
to duplicate the page table content and allocate/free memory for that.
One interesting case is when we cannot share an anon page with the child
process because it maybe pinned -- and we have to copy it via
copy_present_page(). In that case, the page table between the parent and
the child would differ and we'd not be able to share the page table.
That case could be caught in copy_pte_range(): in case we'd have to
allocate a page via page_copy_prealloc(), we'd have to fall back to the
ordinary "separate page table for the child" way of doing things.
But that looks doable to me.
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists