lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d40b8c86-6163-4529-ada4-d2b3c1065cba@redhat.com>
Date:   Thu, 19 Oct 2023 17:41:01 +0200
From:   David Hildenbrand <david@...hat.com>
To:     Peter Xu <peterx@...hat.com>
Cc:     Lokesh Gidra <lokeshgidra@...gle.com>,
        Suren Baghdasaryan <surenb@...gle.com>,
        akpm@...ux-foundation.org, viro@...iv.linux.org.uk,
        brauner@...nel.org, shuah@...nel.org, aarcange@...hat.com,
        hughd@...gle.com, mhocko@...e.com, axelrasmussen@...gle.com,
        rppt@...nel.org, willy@...radead.org, Liam.Howlett@...cle.com,
        jannh@...gle.com, zhangpeng362@...wei.com, bgeffon@...gle.com,
        kaleshsingh@...gle.com, ngeoffray@...gle.com, jdduke@...gle.com,
        linux-mm@...ck.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
        kernel-team@...roid.com
Subject: Re: [PATCH v3 2/3] userfaultfd: UFFDIO_MOVE uABI

On 17.10.23 20:59, Peter Xu wrote:
> David,
> 
> On Tue, Oct 17, 2023 at 05:55:10PM +0200, David Hildenbrand wrote:
>> Don't get me wrong, but this feature is already complicated enough that we
>> should really think twice if we want to make this even more complicated and
>> harder to maintain -- because once it's in we all know it's hard to remove
>> and we can easily end up with a maintenance nightmare without sufficiently
>> good use cases.
> 
> Yes I agree it's non-trivial.  My point is adding cross-mm doesn't make it
> even more complicated.. afaics.

That's not my main point. It can easily become a maintenance burden 
without any real use cases yet that we are willing to support.

> 
> For example, could you provide a list of things that will be different to
> support single mm or cross mm?  I see two things that can be different, but
> I'd rather have all of them even if single-mm..
> 
>    - cgroup: I assume single-mm may avoid uncharge and charge again, but I
>      prefer it be there even if we only allow single-mm.  For example, I'm
>      not 100% sure whether memcg won't start to behave differently according
>      to vma attribute in the future.
> 
>    - page pinning: I assume for single-mm we can avoid checking page pinning
>      based on the fact that MMF_HAS_PINNED is per-mm, but I also prefer we
>      fail explicitly on pinned pages over UFFDIO_MOVE because it doesn't
>      sound correct, and avoid future changes on top of pinning solution that
>      can change the assumption that "move a pin page within mm" is ok.
> 
> Is there anything else that will be different?  Did I miss something
> important?

Again, that's not my main point. All I'm asking for is to separate it 
out, make it a separate flag, and include it once we have reasonable use 
cases that we are actually willing to support -- including actual data 
why it's beneficial to have.

For the single-mm use it has been shown that there are reasonable, 
existing use cases exist, and I think we are willing to support that.

This patch set is close to doubling (!) the size of mm/userfaultfd.c, 
and it already has every possible smell of maintanance nightmare IMHO. 
It does things that shouldn't be specific to some MM subsystem. I'm 
happy to see any possible complexity reduced. Moving pages between MMs 
is added complexity.

But I will stop arguing further; I hope I made my point clear and I have 
other things to work on than fighting against overly-complicated uffd 
features.


> 
> [...]
> 
>> BTW, wasn't there a way to do VM live-upgrade using fork() and replacing the
>> binary? I recall that there was at some time either an implementation in
>> QEMU or a proposal for an implementation; but I don't know how VM memory was
>> provided. It's certainly harder to move VM memory using fork().
> 
> Maybe you meant the cpr project.  I didn't actually follow that much
> previously (and will need to follow more after I took the migration
> duties.. when there's a new post), but IIUC at least the latest version
> needs to go with file memory only, not anonymous:
> 
> https://lore.kernel.org/all/1658851843-236870-1-git-send-email-steven.sistare@oracle.com/
> 
>          Guest RAM must be non-volatile across reboot, which can be achieved by
>          backing it with a dax device, or /dev/shm PKRAM as proposed in...
> 
>          Guest RAM must be backed by a memory backend with share=on, but
>          cannot be memory-backend-ram.  The memory is re-mmap'd in the
>          updated process, so guest ram is efficiently preserved in place
> 
> My understanding is there used to have solution for anonymous but that
> needs extra kernel changes (MADV_DOEXEC).

Probably, I also stumbled over a paper from 2019 that mentioned that that.

> 
> https://lore.kernel.org/linux-mm/1595869887-23307-1-git-send-email-anthony.yznaga@oracle.com/
> 
> I saw that you were part of the discussion, so maybe you will remember some
> more clue of that part.
> 

Ouch, 2020. But my comments were only regarding mshare, not MADV_DOEXEC. 
In fact, I don't even know why both discussions/threads show up as a 
single one there..

> IIUC one core requirement of the whole approach is also that it will cover
> VFIO and maintenance of device DMA mappings, in which case it'll be
> different with any approach to leverage UFFDIO_MOVE because VFIO will not
> be allowed here; again I hope we start with forbid pinning. But it should
> be much cleaner on the design when with UFFDIO_MOVE, just not working with
> VFIO.
> 
> One thing I'd need to measure is latency of UFFDIO_MOVE on page fault
> resolutions.  I expect no more than tens of microseconds or even less.
> Should be drastically smaller than remote postcopy anyway.
> 
> I'm probably off topic.. To go back: let's try to figure out what is
> special with cross-mm support.  It'll be very weird in the future for
> anyone to propose a patch just add a feature flag and declaring cross-mm
> support, if the code is mostly all there.  Nothing stops us from discussing
> what a cross-mm design will need.

Again, I hope I made my point clear.

> 
> [...]
> 
>> Is that and will that remain the case? I know people have been working on
>> transparent user-space swapping using monitor processes using uffd. I
>> thought there would have been ways to achieve that without any corporation
>> of the dst.
> 
> Any example?

Nothing concrete, I only heard about uffd monitors that implement 
user-space based swapping. I don't recall if they require some kind of 
support from a library that gets loaded into these processes,

Same thoughts regarding CRIU using uffd.

> 
> For what I am aware, all corporation requires uffd desc forwarding.  I
> think the trick here is any userfaultfd desc must be created by its own
> process, so far nobody else.  That's more or less saying "I want to do
> this" from its own opinion.  The next is forwarding that to someone else.
> Parent process is fine taking uffd of child with EVENT_FORK, as I
> mentioned, but besides that nothing else I can think of that can violate
> this guard to manipulate a random process.

Do you have any idea how CRIU makes that work (at least I recall that 
they wanted to use UFFD).

-- 
Cheers,

David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ