lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABb0KFE4ruptVXDpCk5MB6nkh9WeKTcKfROnx0ecoy-k1eCKCw@mail.gmail.com>
Date:   Thu, 6 Apr 2023 22:00:19 +0200
From:   Michał Mirosław <emmir@...gle.com>
To:     Muhammad Usama Anjum <usama.anjum@...labora.com>,
        Mike Rapoport <rppt@...nel.org>
Cc:     Peter Xu <peterx@...hat.com>, David Hildenbrand <david@...hat.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Andrei Vagin <avagin@...il.com>,
        Danylo Mocherniuk <mdanylo@...gle.com>,
        Paul Gofman <pgofman@...eweavers.com>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        Nadav Amit <namit@...are.com>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Shuah Khan <shuah@...nel.org>,
        Christian Brauner <brauner@...nel.org>,
        Yang Shi <shy828301@...il.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        "Liam R . Howlett" <Liam.Howlett@...cle.com>,
        Yun Zhou <yun.zhou@...driver.com>,
        Suren Baghdasaryan <surenb@...gle.com>,
        Alex Sierra <alex.sierra@....com>,
        Matthew Wilcox <willy@...radead.org>,
        Pasha Tatashin <pasha.tatashin@...een.com>,
        Axel Rasmussen <axelrasmussen@...gle.com>,
        "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        Dan Williams <dan.j.williams@...el.com>,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-mm@...ck.org, linux-kselftest@...r.kernel.org,
        Greg KH <gregkh@...uxfoundation.org>, kernel@...labora.com
Subject: Re: [PATCH v12 2/5] fs/proc/task_mmu: Implement IOCTL to get and
 optionally clear info about PTEs

On Thu, 6 Apr 2023 at 19:58, Muhammad Usama Anjum
<usama.anjum@...labora.com> wrote:
> Hello,
>
> Thank you so much for the review. Do you have any thoughts on the build
> error on arc architecture?
> https://lore.kernel.org/all/e3c82373-256a-6297-bcb4-5e1179a2cbe2@collabora.com

Maybe copy HPAGE_* defines from x86 and key on CONFIG_PGTABLE_LEVELS >
2? I don't know much about arc arch, though.

> On 4/6/23 8:52 PM, Michał Mirosław wrote:
> > On Thu, 6 Apr 2023 at 09:40, Muhammad Usama Anjum
> > <usama.anjum@...labora.com> wrote:>
[...]
> >> +#define PM_SCAN_BITMAP(wt, file, present, swap)        \
> >> +       (wt | file << 1 | present << 2 | swap << 3)
> > Please parenthesize macro arguments ("(wt)", "(file)", etc.) to not
> > have to worry about operator precedence when passed a complex
> > expression.
> Like this?
> #define PM_SCAN_BITMAP(wt, file, present, swap) \
>         ((wt) | (file << 1) | (present << 2) | (swap << 3))

The value would be:
 ( (wt) | ((file) << 1) | ... )
IOW, each parameter should have parentheses around its name.

[...]
> >> +               cur->len += n_pages;
> >> +               p->found_pages += n_pages;
> >> +
> >> +               if (p->max_pages && (p->found_pages == p->max_pages))
> >> +                       return PM_SCAN_FOUND_MAX_PAGES;
> >> +
> >> +               return 0;
> >> +       }
> >> +
> >> +       if (!p->vec_index || ((p->vec_index + 1) < p->vec_len)) {
> >
> > It looks that `if (p->vec_index < p->vec_len)` is enough here - if we
> > have vec_len == 0 here, then we'd not fit the entry in the userspace
> > buffer anyway. Am I missing something?
> No. I'd explained it with diagram last time:
> https://lore.kernel.org/all/3c8d9ea0-1382-be0c-8dd2-d490eedd3b55@collabora.com
>
> I'll add a concise comment here.

So it seems, but I think the code changed a bit and maybe could be
simplified now? Since p->vec_len == 0 is currently not valid, the
field could count only the entries available in p->vec[] -- IOW: not
include p->cur in the count.

BTW, `if (no space) return -ENOSPC` will avoid additional indentation
for the non-merging case.

[...]
> >> +static inline int pagemap_scan_deposit(struct pagemap_scan_private *p,
> >> +                                      struct page_region __user *vec,
> >> +                                      unsigned long *vec_index)
> >
> > ..._deposit() is used only in single place - please inline.
> It is already inline.

Sorry. I mean: please paste the code in place of the single call.

[...]
> >> +               /*
> >> +                * Break huge page into small pages if the WP operation need to
> >> +                * be performed is on a portion of the huge page or if max_pages
> >> +                * pages limit would exceed.
> >
> > BTW, could the `max_pages` limit be relaxed a bit (in that it would be
> > possible to return more pages if they all merge into the last vector
> > entry) so that it would not need to split otherwise-matching huge
> > page? It would remove the need for this special handling in the kernel
> > and splitting the page by this read-only-appearing ioctl?
> No, this cannot be done. Otherwise we'll not be able to emulate Windows
> syscall GetWriteWatch() which specifies the exact number of pages. Usually
> in most of cases, either user will not use THP or not perform the operation
> on partial huge page. So this part is only there to keep things correct for
> those users who do use THP and partial pagemap_scan operations.

I see that `GetWriteWatch` returns a list of pages not ranges of
pages. That makes sense (more or less). (BTW, It could be emulated in
userspace by caching the last not-fully-consumed range.)

> >> +                */
> >> +               if (is_written && PM_SCAN_OP_IS_WP(p) &&
> >> +                   ((end - start < HPAGE_SIZE) ||
> >> +                    (p->max_pages &&
> >> +                     (p->max_pages - p->found_pages) < n_pages))) {
> >> +
> >> +                       split_huge_pmd(vma, pmd, start);
> >> +                       goto process_smaller_pages;
> >> +               }
> >> +
> >> +               if (p->max_pages &&
> >> +                   p->found_pages + n_pages > p->max_pages)
> >> +                       n_pages = p->max_pages - p->found_pages;
> >> +
> >> +               ret = pagemap_scan_output(is_written, is_file, is_present,
> >> +                                         is_swap, p, start, n_pages);
> >> +               if (ret < 0)
> >> +                       return ret;

So let's simplify this:

if (p->max_pages && n_pages > max_pages - found_pages)
  n_pages = max_pages - found_pages;

if (is_written && DO_WP && n_pages != HPAGE_SIZE / PAGE_SIZE) {
  split_thp();
  goto process_smaller_pages;
}

BTW, THP handling could be extracted to a function that would return
-EAGAIN if it has split the page or it wasn't a THP -- and that would
mean `goto process_smaller_pages`.

> > Why not propagate the error from uffd_wp_range()?
> uffd_wp_range() returns status in long variable. We cannot return long in
> this function. So intead of type casting long to int and then return I've
> used -EINVAL. Would following be more suitable?
>
> long ret2 = uffd_wp_range(vma, start, HPAGE_SIZE, true);
> if (ret2 < 0)
>         return (int)ret2;

I think it's ok, since negative values are expected to be error codes.
And since you can't overflow int with HPAGE_SIZE pages, then I
wouldn't use `ret2` but cast the return and add a comment why it's
safe.

[...]
> >> +       start = (unsigned long)untagged_addr(arg.start);
> >> +       vec = (struct page_region *)(unsigned long)untagged_addr(arg.vec);
> >
> > Is the inner cast needed?
> arg.vec remains 64-bit on 32-bit systems. So casting 64bit value directly
> to struct page_region pointer errors out. So I've added specific casting to
> unsigned long first before casting to pointers.

I see. So to convey the intention, the `arg.start` and `arg.vec`
should be casted to unsigned long, not the `untagged_addr()` return
values.

> >> +       ret = pagemap_scan_args_valid(&arg, start, vec);
> >> +       if (ret)
> >> +               return ret;
> >> +
> >> +       end = start + arg.len;
> >> +       p.max_pages = arg.max_pages;
> >> +       p.found_pages = 0;
> >> +       p.flags = arg.flags;
> >> +       p.required_mask = arg.required_mask;
> >> +       p.anyof_mask = arg.anyof_mask;
> >> +       p.excluded_mask = arg.excluded_mask;
> >> +       p.return_mask = arg.return_mask;
> >> +       p.cur.len = 0;
> >> +       p.cur.start = 0;
> >> +       p.vec = NULL;
> >> +       p.vec_len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
> >
> > Nit: parentheses are not needed here, please remove.
> Will do.
>
> >
> >> +
> >> +       /*
> >> +        * Allocate smaller buffer to get output from inside the page walk
> >> +        * functions and walk page range in PAGEMAP_WALK_SIZE size chunks. As
> >> +        * we want to return output to user in compact form where no two
> >> +        * consecutive regions should be continuous and have the same flags.
> >> +        * So store the latest element in p.cur between different walks and
> >> +        * store the p.cur at the end of the walk to the user buffer.
> >> +        */
> >> +       p.vec = kmalloc_array(p.vec_len, sizeof(struct page_region),
> >> +                             GFP_KERNEL);
> >> +       if (!p.vec)
> >> +               return -ENOMEM;
> >> +
> >> +       walk_start = walk_end = start;
> >> +       while (walk_end < end && !ret) {
> >
> > The loop will stop if a previous iteration returned ENOSPC (and the
> > error will be lost) - is it intended?
> It is intentional. -ENOSPC means that the user buffer is full even though
> there was more memory to walk over. We don't treat this error. So when
> buffer gets full, we stop walking over further as user buffer has gotten
> full and return as success.

Thanks. What's the difference between -ENOSPC and
PM_SCAN_FOUND_MAX_PAGES? They seem to result in the same effect (code
flow).

[...]
> >> --- a/include/linux/userfaultfd_k.h
> >> +++ b/include/linux/userfaultfd_k.h
> >> @@ -210,6 +210,14 @@ extern bool userfaultfd_wp_async(struct vm_area_struct *vma);
> >>
> >>  #else /* CONFIG_USERFAULTFD */
> >>
> >> +static inline long uffd_wp_range(struct mm_struct *dst_mm,
> >> +                                struct vm_area_struct *vma,
> >> +                                unsigned long start, unsigned long len,
> >> +                                bool enable_wp)
> >> +{
> >> +       return 0;
> >> +}
[...]
> > Shouldn't this part be in the patch introducing uffd_wp_range()?
> We have not added uffd_wp_range() in previous patches. We just need this
> stub for this patch for the case when CONFIG_USERFAULTFD isn't enabled.
>
> I'd this as separate patch before this patch. Mike asked me to merge it
> with this patch in order not to break bisectability.
>[1] https://lore.kernel.org/all/ZBK+86eMMazwfhdx@kernel.org

I would understand the reply [1] to mean that the uffd_wp_range() stub
should go in the same patch where uffd_wp_range() is implemented. But
uffd_wp_range() is already in (since f369b07c86140) so I don't see how
having the stub in a separate commit sequenced before this one could
break bisect?

Best Regards
Michał Mirosław

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ