lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZS7ZqztMbhrG52JQ@x1n>
Date:   Tue, 17 Oct 2023 14:59:55 -0400
From:   Peter Xu <peterx@...hat.com>
To:     David Hildenbrand <david@...hat.com>
Cc:     Lokesh Gidra <lokeshgidra@...gle.com>,
        Suren Baghdasaryan <surenb@...gle.com>,
        akpm@...ux-foundation.org, viro@...iv.linux.org.uk,
        brauner@...nel.org, shuah@...nel.org, aarcange@...hat.com,
        hughd@...gle.com, mhocko@...e.com, axelrasmussen@...gle.com,
        rppt@...nel.org, willy@...radead.org, Liam.Howlett@...cle.com,
        jannh@...gle.com, zhangpeng362@...wei.com, bgeffon@...gle.com,
        kaleshsingh@...gle.com, ngeoffray@...gle.com, jdduke@...gle.com,
        linux-mm@...ck.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
        kernel-team@...roid.com
Subject: Re: [PATCH v3 2/3] userfaultfd: UFFDIO_MOVE uABI

David,

On Tue, Oct 17, 2023 at 05:55:10PM +0200, David Hildenbrand wrote:
> Don't get me wrong, but this feature is already complicated enough that we
> should really think twice if we want to make this even more complicated and
> harder to maintain -- because once it's in we all know it's hard to remove
> and we can easily end up with a maintenance nightmare without sufficiently
> good use cases.

Yes I agree it's non-trivial.  My point is adding cross-mm doesn't make it
even more complicated.. afaics.

For example, could you provide a list of things that will be different to
support single mm or cross mm?  I see two things that can be different, but
I'd rather have all of them even if single-mm..

  - cgroup: I assume single-mm may avoid uncharge and charge again, but I
    prefer it be there even if we only allow single-mm.  For example, I'm
    not 100% sure whether memcg won't start to behave differently according
    to vma attribute in the future.

  - page pinning: I assume for single-mm we can avoid checking page pinning
    based on the fact that MMF_HAS_PINNED is per-mm, but I also prefer we
    fail explicitly on pinned pages over UFFDIO_MOVE because it doesn't
    sound correct, and avoid future changes on top of pinning solution that
    can change the assumption that "move a pin page within mm" is ok.

Is there anything else that will be different?  Did I miss something
important?

[...]

> BTW, wasn't there a way to do VM live-upgrade using fork() and replacing the
> binary? I recall that there was at some time either an implementation in
> QEMU or a proposal for an implementation; but I don't know how VM memory was
> provided. It's certainly harder to move VM memory using fork().

Maybe you meant the cpr project.  I didn't actually follow that much
previously (and will need to follow more after I took the migration
duties.. when there's a new post), but IIUC at least the latest version
needs to go with file memory only, not anonymous:

https://lore.kernel.org/all/1658851843-236870-1-git-send-email-steven.sistare@oracle.com/

        Guest RAM must be non-volatile across reboot, which can be achieved by
        backing it with a dax device, or /dev/shm PKRAM as proposed in...

        Guest RAM must be backed by a memory backend with share=on, but
        cannot be memory-backend-ram.  The memory is re-mmap'd in the
        updated process, so guest ram is efficiently preserved in place

My understanding is there used to have solution for anonymous but that
needs extra kernel changes (MADV_DOEXEC).

https://lore.kernel.org/linux-mm/1595869887-23307-1-git-send-email-anthony.yznaga@oracle.com/

I saw that you were part of the discussion, so maybe you will remember some
more clue of that part.

IIUC one core requirement of the whole approach is also that it will cover
VFIO and maintenance of device DMA mappings, in which case it'll be
different with any approach to leverage UFFDIO_MOVE because VFIO will not
be allowed here; again I hope we start with forbid pinning. But it should
be much cleaner on the design when with UFFDIO_MOVE, just not working with
VFIO.

One thing I'd need to measure is latency of UFFDIO_MOVE on page fault
resolutions.  I expect no more than tens of microseconds or even less.
Should be drastically smaller than remote postcopy anyway.

I'm probably off topic.. To go back: let's try to figure out what is
special with cross-mm support.  It'll be very weird in the future for
anyone to propose a patch just add a feature flag and declaring cross-mm
support, if the code is mostly all there.  Nothing stops us from discussing
what a cross-mm design will need.

[...]

> Is that and will that remain the case? I know people have been working on
> transparent user-space swapping using monitor processes using uffd. I
> thought there would have been ways to achieve that without any corporation
> of the dst.

Any example?

For what I am aware, all corporation requires uffd desc forwarding.  I
think the trick here is any userfaultfd desc must be created by its own
process, so far nobody else.  That's more or less saying "I want to do
this" from its own opinion.  The next is forwarding that to someone else.
Parent process is fine taking uffd of child with EVENT_FORK, as I
mentioned, but besides that nothing else I can think of that can violate
this guard to manipulate a random process.

Thanks,

-- 
Peter Xu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ