On Mon, Oct 21, 2024 at 10:37:39PM +0200, David Hildenbrand wrote:
On 21.10.24 22:25, Vlastimil Babka wrote:
On 10/21/24 22:17, David Hildenbrand wrote:
On 21.10.24 22:11, Vlastimil Babka wrote:
On 10/20/24 18:20, Lorenzo Stoakes wrote:
<snip>
+static long madvise_guard_poison(struct vm_area_struct *vma,
struct vm_area_struct **prev,
unsigned long start, unsigned long end)
+{
- long err;
- *prev = vma;
- if (!is_valid_guard_vma(vma, /* allow_locked = */false))
return -EINVAL;
- /*
* If we install poison markers, then the range is no longer
* empty from a page table perspective and therefore it's
* appropriate to have an anon_vma.
*
* This ensures that on fork, we copy page tables correctly.
*/
- err = anon_vma_prepare(vma);
- if (err)
return err;
- /*
* Optimistically try to install the guard poison pages first. If any
* non-guard pages are encountered, give up and zap the range before
* trying again.
*/
Should the page walker become powerful enough to handle this in one go? :) But sure, if it's too big a task to teach it to zap ptes with all the tlb flushing etc (I assume it's something page walkers don't do today), it makes sense to do it this way. Or we could require userspace to zap first (MADV_DONTNEED), but that would unnecessarily mean extra syscalls for the use case of an allocator debug mode that wants to turn freed memory to guards to catch use after free. So this seems like a good compromise...
Yes please, KIS.
You mean "require userspace to zap first (MADV_DONTNEED)" ?
Yes, I see from Lorenzo's reply that there is apparently some history to this (maybe it's all nicely summarized in the cover letter / this patch, have to dig further).
Not sure yet what the problem is, I would have thought it's all protected by the PTL, and concurrent faults are user space doing something stupid and we'd detect it.
The looping mechanism is fine for dealing with concurrent faults. There's no actual _race_ due to PTL, it's just that a user could repeatedly populate stuff stupidly in a range that is meant to have poison markers put in.
It's not likely and would be kind of an abusive of the interface, and it'd really be a process just hurting itself.
In nearly all cases you won't zap at all. The whole point is it's optimistic. In 99.99% of others you zap once...
Have to do some more reading on this.
May I suggest a book on the history of the prodigy?
I'd normally agree with the KIS principle, but..
We can always implement support for that later if
it would either mean later we change behavior (installing guards on non-zapped PTEs would have to be an error now but maybe start working later, which is user observable change thus can break somebody)
really required (leave behavior open when documenting).
and leaving it open when documenting doesn't really mean anything for the "we don't break userspace" promise vs what the implementation actually does.
Not quite I think. You could start return -EEXIST or -EOPNOTSUPP and document that this can change in the future to succeed if there is something. User space can sense support.
Yeah I mean originally I had a -EAGAIN which was sort of equivalent of this but Jann pointed out you're just shifting work to userland who would loop and repeat.
I just don't see why we'd do this.
In fact I was looking at the series and thinking 'wow it's actually a really small delta' and being proud but... still not KIS enough apparently ;)
Something failing that at one point starts working is not really breaking user space, unless someone really *wants* to fail if there is already something (e.g., concurrent fault -> bail out instead of hiding it).
Of course, a more elegant solution would be GUARD_INSTALL vs. GUARD_FORCE_INSTALL.
.. but again, there seems to be more history to this.
I don't think there's really any value in that. There's just no sensible situation in which a user would care about this I don't think.
And if you're saying 'hey do MADV_DONTNEED if this fails and keep trying!' then why not just do that in the kernel?
Trying to explain to a user 'hey this is for installing guard pages but if there's a facing fault it'll fail and that could keep happening and then you'll have to zap and maybe in a loop' just... seems like a bloody awful interface?
I prefer 'here's an interface for installing and removing guard pages, enjoy!' :)
-- Cheers,
David / dhildenb