lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJHvVcgXynHcuoS6eCfOAB2SgzqYy_zMGrRMR2kFuxOtSdUwvQ@mail.gmail.com>
Date:   Wed, 17 May 2023 15:28:36 -0700
From:   Axel Rasmussen <axelrasmussen@...gle.com>
To:     Peter Xu <peterx@...hat.com>
Cc:     James Houghton <jthoughton@...gle.com>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Christian Brauner <brauner@...nel.org>,
        David Hildenbrand <david@...hat.com>,
        Hongchen Zhang <zhanghongchen@...ngson.cn>,
        Huang Ying <ying.huang@...el.com>,
        "Liam R. Howlett" <Liam.Howlett@...cle.com>,
        Miaohe Lin <linmiaohe@...wei.com>,
        "Mike Rapoport (IBM)" <rppt@...nel.org>,
        Nadav Amit <namit@...are.com>,
        Naoya Horiguchi <naoya.horiguchi@....com>,
        Shuah Khan <shuah@...nel.org>,
        ZhangPeng <zhangpeng362@...wei.com>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, linux-kselftest@...r.kernel.org,
        Anish Moorthy <amoorthy@...gle.com>,
        Jiaqi Yan <jiaqiyan@...gle.com>
Subject: Re: [PATCH 1/3] mm: userfaultfd: add new UFFDIO_SIGBUS ioctl

On Wed, May 17, 2023 at 3:20 PM Peter Xu <peterx@...hat.com> wrote:
>
> On Wed, May 17, 2023 at 06:12:33PM -0400, Peter Xu wrote:
> > On Thu, May 11, 2023 at 03:00:09PM -0700, James Houghton wrote:
> > > On Thu, May 11, 2023 at 11:24 AM Axel Rasmussen
> > > <axelrasmussen@...gle.com> wrote:
> > > >
> > > > So the basic way to use this new feature is:
> > > >
> > > > - On the new host, the guest's memory is registered with userfaultfd, in
> > > >   either MISSING or MINOR mode (doesn't really matter for this purpose).
> > > > - On any first access, we get a userfaultfd event. At this point we can
> > > >   communicate with the old host to find out if the page was poisoned.
> > > > - If so, we can respond with a UFFDIO_SIGBUS - this places a swap marker
> > > >   so any future accesses will SIGBUS. Because the pte is now "present",
> > > >   future accesses won't generate more userfaultfd events, they'll just
> > > >   SIGBUS directly.
> > >
> > > I want to clarify the SIGBUS mechanism here when KVM is involved,
> > > keeping in mind that we need to be able to inject an MCE into the
> > > guest for this to be useful.
> > >
> > > 1. vCPU gets an EPT violation --> KVM attempts GUP.
> > > 2. GUP finds a PTE_MARKER_UFFD_SIGBUS and returns VM_FAULT_SIGBUS.
> > > 3. KVM finds that GUP failed and returns -EFAULT.
> > >
> > > This is different than if GUP found poison, in which case KVM will
> > > actually queue up a SIGBUS *containing the address of the fault*, and
> > > userspace can use it to inject an appropriate MCE into the guest. With
> > > UFFDIO_SIGBUS, we are missing the address!
> > >
> > > I see three options:
> > > 1. Make KVM_RUN queue up a signal for any VM_FAULT_SIGBUS. I think
> > > this is pointless.
> > > 2. Don't have UFFDIO_SIGBUS install a PTE entry, but instead have a
> > > UFFDIO_WAKE_MODE_SIGBUS, where upon waking, we return VM_FAULT_SIGBUS
> > > instead of VM_FAULT_RETRY. We will keep getting userfaults on repeated
> > > accesses, just like how we get repeated signals for real poison.
> > > 3. Use this in conjunction with the additional KVM EFAULT info that
> > > Anish proposed (the first part of [1]).
> > >
> > > I think option 3 is fine. :)
> >
> > Or... option 4) just to use either MADV_HWPOISON or hwpoison-inject? :)
>
> I just remember Axel mentioned this in the commit message, and just in case
> this is why option 4) was ruled out:
>
>         They expect that once poisoned, pages can never become
>         "un-poisoned". So, when we live migrate the VM, we need to preserve
>         the poisoned status of these pages.
>
> Just to supplement on this point: we do have unpoison (echoing to
> "debug/hwpoison/hwpoison_unpoison"), or am I wrong?
>
> >
> > Besides what James mentioned on "missing addr", I didn't quickly see what's
> > the major difference comparing to the old hwpoison injection methods even
> > without the addr requirement. If we want the addr for MCE then it's more of
> > a question to ask.
> >
> > I also didn't quickly see why for whatever new way to inject a pte error we
> > need to have it registered with uffd.  Could it be something like
> > MADV_PGERR (even if MADV_HWPOISON won't suffice) so you can inject even
> > without an userfault context (but still usable when uffd registered)?
> >
> > And it'll be alawys nice to have a cover letter too (if there'll be a new
> > version) explaining the bits.

I do plan a v2, if for no other reason than to update the
documentation. Happy to add a cover letter with it as well.

+Jiaqi back to CC, this is one piece of a larger memory poisoning /
recovery design Jiaqi is working on, so he may have some ideas why
MADV_HWPOISON or MADV_PGER will or won't work.

One idea is, at least for our use case, we have to have the range be
userfaultfd registered, because we need to intercept the first access
and check at that point whether or not it should be poisoned. But, I
think in principle a scheme like this could work:

1. Intercept first access with UFFD
2. Issue MADV_HWPOISON or MADV_PGERR or etc to put a pte denoting the
poisoned page in place
3. UFFDIO_WAKE to have the faulting thread retry, see the new entry, and SIGBUS

It's arguably slightly weird, since normally UFFD events are resolved
with UFFDIO_* operations, but I don't see why it *couldn't* work.

Then again I am not super familiar with MADV_HWPOISON, I will have to
do a bit of reading to understand if its semantics are the same
(future accesses to this address get SIGBUS).


> >
> > Thanks,
> >
> > --
> > Peter Xu
>
> --
> Peter Xu
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ