| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3d2d1ba4-bfab-6b3d-f0d6-ae0920ebdcb0@collabora.com>
Date: Wed, 15 Mar 2023 21:54:40 +0500
From: Muhammad Usama Anjum <usama.anjum@...labora.com>
To: Peter Xu <peterx@...hat.com>
Cc: Muhammad Usama Anjum <usama.anjum@...labora.com>,
David Hildenbrand <david@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Michał Mirosław
<emmir@...gle.com>, Andrei Vagin <avagin@...il.com>,
Danylo Mocherniuk <mdanylo@...gle.com>,
Paul Gofman <pgofman@...eweavers.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
Mike Rapoport <rppt@...nel.org>, Nadav Amit <namit@...are.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Shuah Khan <shuah@...nel.org>,
Christian Brauner <brauner@...nel.org>,
Yang Shi <shy828301@...il.com>,
Vlastimil Babka <vbabka@...e.cz>,
"Liam R . Howlett" <Liam.Howlett@...cle.com>,
Yun Zhou <yun.zhou@...driver.com>,
Suren Baghdasaryan <surenb@...gle.com>,
Alex Sierra <alex.sierra@....com>,
Matthew Wilcox <willy@...radead.org>,
Pasha Tatashin <pasha.tatashin@...een.com>,
Axel Rasmussen <axelrasmussen@...gle.com>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Dan Williams <dan.j.williams@...el.com>,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-mm@...ck.org, linux-kselftest@...r.kernel.org,
Greg KH <gregkh@...uxfoundation.org>, kernel@...labora.com
Subject: Re: [PATCH v11 4/7] fs/proc/task_mmu: Implement IOCTL to get and
optionally clear info about PTEs
On 3/15/23 8:55 PM, Peter Xu wrote:
> On Thu, Mar 09, 2023 at 06:57:15PM +0500, Muhammad Usama Anjum wrote:
>> + for (addr = start; !ret && addr < end; pte++, addr += PAGE_SIZE) {
>> + pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
>> +
>> + is_writ = !is_pte_uffd_wp(*pte);
>> + is_file = vma->vm_file;
>> + is_pres = pte_present(*pte);
>> + is_swap = is_swap_pte(*pte);
>> +
>> + pte_unmap_unlock(pte, ptl);
>> +
>> + ret = pagemap_scan_output(is_writ, is_file, is_pres, is_swap,
>> + p, addr, 1);
>> + if (ret)
>> + break;
>> +
>> + if (PM_SCAN_OP_IS_WP(p) && is_writ &&
>> + uffd_wp_range(walk->mm, vma, addr, PAGE_SIZE, true) < 0)
>> + ret = -EINVAL;
>> + }
>
> This is not real atomic..
>
> Taking the spinlock for eacy pte is not only overkill but wrong in
> atomicity because the pte can change right after spinlock unlocked.
Let me explain. It seems like wrong, but it isn't. In my rigorous testing,
it didn't show any side-effect. Here we are finding out if a page is
written. If page is written, only then we clear it. Lets look at the
different possibilities here:
- If a page isn't written, we'll not clear it.
- If a page is written and there isn't any race, we'll clear written-to
flag by write protecting it.
- If a page is written but before clearing it, data is written again to the
page. The page would remain written and we'll clear it.
- If a page is written but before clearing it, it gets write protected,
we'll still write protected it. There is double right protection here, but
no side-effect.
Lets turn this into a truth table for easier understanding. Here first
coulmn and thrid column represents this above code. 2nd column represents
any other thread interacting with the page.
If page is written/dirty some other task interacts wp_page
no does nothing no
no writes to page no
no wp the page no
yes does nothing yes
yes write to page yes
yes wp the page yes
As you can see there isn't any side-effect happening. We aren't over doing
the wp or under-doing the write-protect.
Even if we were doing something wrong here and I bring the lock over all of
this, the pages get become written or wp just after unlocking. It is
expected. This current implementation doesn't seem to be breaking this.
Is my understanding wrong somewhere here? Can you point out?
Previous to this current locking design were either buggy or slower when
multiple threads were working on same pages. Current implementation removes
the limitations:
- The memcpy inside pagemap_scan_output is happening with pte unlocked.
- We are only wp a page if we have noted this page to be dirty
- No mm write lock is required. Only read lock works fine just like
userfaultfd_writeprotect() takes only read lock.
There is only one con here that we are locking and unlocking the pte lock
again and again.
Please have a look at my explanation and let me know what do you think.
>
> Unfortunately you also cannot reuse uffd_wp_range() because that's not
> atomic either, my fault here. Probably I was thinking mostly from
> soft-dirty pov on batching the collect+reset.
>
> You need to take the spin lock, collect whatever bits, set/clear whatever
> bits, only until then release the spin lock.
>
> "Not atomic" means you can have some page got dirtied but you could miss
> it. Depending on how strict you want, I think it'll break apps like CRIU
> if strict atomicity needed for migrating a process. If we want to have a
> new interface anyway, IMHO we'd better do that in the strict way.
In my rigorous multi-threaded testing where a lots of threads are working
on same set of pages, we aren't losing even a single update. I can share
the test if you want.
>
> Same comment applies to the THP handling (where I cut from the context).
>
--
BR,
Muhammad Usama Anjum
Powered by blists - more mailing lists