| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Aug 2023 21:26:10 +0200
From: Michał Mirosław <emmir@...gle.com>
To: Muhammad Usama Anjum <usama.anjum@...labora.com>
Cc: Peter Xu <peterx@...hat.com>, David Hildenbrand <david@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Andrei Vagin <avagin@...il.com>,
Danylo Mocherniuk <mdanylo@...gle.com>,
Paul Gofman <pgofman@...eweavers.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
Mike Rapoport <rppt@...nel.org>, Nadav Amit <namit@...are.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Shuah Khan <shuah@...nel.org>,
Christian Brauner <brauner@...nel.org>,
Yang Shi <shy828301@...il.com>,
Vlastimil Babka <vbabka@...e.cz>,
"Liam R . Howlett" <Liam.Howlett@...cle.com>,
Yun Zhou <yun.zhou@...driver.com>,
Suren Baghdasaryan <surenb@...gle.com>,
Alex Sierra <alex.sierra@....com>,
Matthew Wilcox <willy@...radead.org>,
Pasha Tatashin <pasha.tatashin@...een.com>,
Axel Rasmussen <axelrasmussen@...gle.com>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Dan Williams <dan.j.williams@...el.com>,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-mm@...ck.org, linux-kselftest@...r.kernel.org,
Greg KH <gregkh@...uxfoundation.org>, kernel@...labora.com
Subject: Re: [PATCH v28 5/6] mm/pagemap: add documentation of PAGEMAP_SCAN IOCTL
On Wed, 9 Aug 2023 at 08:16, Muhammad Usama Anjum
<usama.anjum@...labora.com> wrote:
> Add some explanation and method to use write-protection and written-to
> on memory range.
[...]
> --- a/Documentation/admin-guide/mm/pagemap.rst
> +++ b/Documentation/admin-guide/mm/pagemap.rst
> @@ -227,3 +227,67 @@ Before Linux 3.11 pagemap bits 55-60 were used for "page-shift" (which is
> always 12 at most architectures). Since Linux 3.11 their meaning changes
> after first clear of soft-dirty bits. Since Linux 4.2 they are used for
> flags unconditionally.
> +
> +Pagemap Scan IOCTL
> +==================
> +
> +The ``PAGEMAP_SCAN`` IOCTL on the pagemap file can be used to get or optionally
> +clear the info about page table entries. The following operations are supported
> +in this IOCTL:
> +- Get the information if the pages have Async Write-Protection enabled
> + (``PAGE_IS_WPALLOWED``), have been written to (``PAGE_IS_WRITTEN``), file mapped
> + (``PAGE_IS_FILE``), present (``PAGE_IS_PRESENT``), swapped (``PAGE_IS_SWAPPED``)
> + or page has pfn zero (``PAGE_IS_PFNZERO``).
A recent addition -- PAGE_IS_HUGE -- is missing.
BTW, it could be easier to understand if the page categories were
separated from the operation description and listed so that each has
its own line and maybe a longer description where needed.
> +- Find pages which have been written to and/or write protect
> + (atomic ``PM_SCAN_WP_MATCHING + PM_SCAN_CHECK_WPASYNC``) the pages atomically.
> + The (``PM_SCAN_WP_MATCHING``) is used to WP the matched pages. The
> + (``PM_SCAN_CHECK_WPASYNC``) aborts the operation if non-Async-Write-Protected
> + pages are found.
The operation the IOCTL does now is: "scan the process page tables and
report memory ranges matching provided criteria '.
Flags extend the operation: "PM_SCAN_WP_MATCHING write protects the
memory reported" (it does it atomically, but this is just an
optimization, isn't it? A process could gather the ranges, WP them,
and then copy.)
"PM_SCAN_CHECK_WPASYNC" aborts the scan early if a non-WP-able
matching page is found.
> +The ``struct pm_scan_arg`` is used as the argument of the IOCTL.
> + 1. The size of the ``struct pm_scan_arg`` must be specified in the ``size``
> + field. This field will be helpful in recognizing the structure if extensions
> + are done later.
> + 2. The flags can be specified in the ``flags`` field. The ``PM_SCAN_WP_MATCHING``
> + and ``PM_SCAN_CHECK_WPASYNC`` are the only added flags at this time. The get
> + operation is optionally performed depending upon if the output buffer is
> + provided or not.
> + 3. The range is specified through ``start`` and ``end``.
> + 4. The output buffer of ``struct page_region`` array and size is specified in
> + ``vec`` and ``vec_len``.
> + 5. The optional maximum requested pages are specified in the ``max_pages``.
> + 6. The masks are specified in ``category_mask``, ``category_anyof_mask``,
> + ``category_inverted`` and ``return_mask``.
> + 1. To find if ``PAGE_IS_WRITTEN`` flag is set for pages which have
> + ``PAGE_IS_FILE`` set and ``PAGE_IS_SWAPPED`` unset, ``category_mask``
> + is set to ``PAGE_IS_FILE | PAGE_IS_SWAPPED``, ``category_inverted`` is
> + set to ``PAGE_IS_SWAPPED`` and ``return_mask`` is set to ``PAGE_IS_WRITTEN``.
> + The output buffer in ``vec`` and length must be specified in ``vec_len``.
> + 2. To find pages which have either ``PAGE_IS_FILE`` or ``PAGE_IS_SWAPPED``
> + set, ``category_anyof_mask`` is set to ``PAGE_IS_FILE | PAGE_IS_SWAPPED``.
> + 3. To find written pages and engage write protect, ``PAGE_IS_WRITTEN`` is
> + specified in ``category_mask`` and ``return_mask``. In addition to
> + specifying the output buffer in ``vec`` and length in ``vec_len``, the
> + ``PM_SCAN_WP_MATCHING`` is specified in ``flags`` to perform write protect
> + on the range as well.
Could this be rewritten as examples? E.g.:
Finding dirty file-backed pages:
struct pm_scan_arg arg = {
.size = sizeof(arg),
.flags = 0,
...
.category_mask = ...,
.return_mask = ...
};
ssize_t n = ioctl(..., &arg);
Find dirty pages and write protect them in the same call:
arg = { ... };
do {
... ioctl(...)
} while(...);
(The code snippets heavily commented.)
> +The ``PAGE_IS_WRITTEN`` flag can be considered as the better and correct
"as a better-performing alternative"
> +alternative of soft-dirty flag. It doesn't get affected by housekeeping chores
> +(VMA merging) of the kernel and hence the user can find the true soft-dirty pages
> +only.
This is still an optimization, e.g. in THP case there might be too
many pages reported?
> + This IOCTL adds the atomic way to find which pages have been written and
> +write protect those pages again. This kind of operation is needed to efficiently
> +find out which pages have changed in the memory.
This repeats the description of PM_SCAN_WP_MATCHING -- I suggest
removing this part.
> +To get information about which pages have been written to or optionally write
> +protect the pages, following must be performed first in order:
"PAGE_IS_WRITTEN" category is used with uffd write protect-enabled
ranges to implement memory dirty tracking in userspace:
> + 1. The userfaultfd file descriptor is created with ``userfaultfd`` syscall.
> + 2. The ``UFFD_FEATURE_WP_UNPOPULATED`` and ``UFFD_FEATURE_WP_ASYNC`` features
> + are set by ``UFFDIO_API`` IOCTL.
> + 3. The memory range is registered with ``UFFDIO_REGISTER_MODE_WP`` mode
> + through ``UFFDIO_REGISTER`` IOCTL.
> + 4. Then any part of the registered memory or the whole memory region must
> + be write protected using ``PAGEMAP_SCAN`` IOCTL with flag ``PM_SCAN_OP_WP``
> + or the ``UFFDIO_WRITEPROTECT`` IOCTL can be used. Both of these perform the
> + same operation. The former is better in terms of performance.
I guess that the UFFD performance could be fixed? But this part refers
to the old PM_SCAN_OP_WP, so an updated example is needed.
> + 5. Now the ``PAGEMAP_SCAN`` IOCTL can be used to either just find pages which
> + have been written to and/or optionally write protect the pages as well.
"find the pages written to since they were last write protected", but
this sounds contradicting: we look for pages that were WP but written
anyway. (IOW: marking write-protected is an implementation detail -
the ioctl is to find pages that changed since they were last marked.)
Maybe we should call the operation "marking CLEAN" or alike?
Best Regards
Michał Mirosław
Powered by blists - more mailing lists