[v2,10/26] userfaultfd: wp: add UFFDIO_COPY_MODE_WP

Message ID	20190212025632.28946-11-peterx@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <owner-linux-mm@kvack.org> Received-SPF: pass (google.com: domain of peterx@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; From: Peter Xu <peterx@redhat.com> To: linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: David Hildenbrand <david@redhat.com>, Hugh Dickins <hughd@google.com>, Maya Gokhale <gokhale2@llnl.gov>, Jerome Glisse <jglisse@redhat.com>, Pavel Emelyanov <xemul@virtuozzo.com>, Johannes Weiner <hannes@cmpxchg.org>, peterx@redhat.com, Martin Cracauer <cracauer@cons.org>, Shaohua Li <shli@fb.com>, Marty McFadden <mcfadden8@llnl.gov>, Andrea Arcangeli <aarcange@redhat.com>, Mike Kravetz <mike.kravetz@oracle.com>, Denis Plotnikov <dplotnikov@virtuozzo.com>, Mike Rapoport <rppt@linux.vnet.ibm.com>, Mel Gorman <mgorman@suse.de>, "Kirill A . Shutemov" <kirill@shutemov.name>, "Dr . David Alan Gilbert" <dgilbert@redhat.com> Subject: [PATCH v2 10/26] userfaultfd: wp: add UFFDIO_COPY_MODE_WP Date: Tue, 12 Feb 2019 10:56:16 +0800 Message-Id: <20190212025632.28946-11-peterx@redhat.com> In-Reply-To: <20190212025632.28946-1-peterx@redhat.com> References: <20190212025632.28946-1-peterx@redhat.com> Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	userfaultfd: write protection support \| expand [v2,00/26] userfaultfd: write protection support [v2,01/26] mm: gup: rename "nonblocking" to "locked" where proper [v2,02/26] mm: userfault: return VM_FAULT_RETRY on signals [v2,03/26] userfaultfd: don't retake mmap_sem to emulate NOPAGE [v2,04/26] mm: allow VM_FAULT_RETRY for multiple times [v2,05/26] mm: gup: allow VM_FAULT_RETRY for multiple times [v2,06/26] userfaultfd: wp: add helper for writeprotect check [v2,07/26] userfaultfd: wp: hook userfault handler to write protection fault [v2,08/26] userfaultfd: wp: add WP pagetable tracking to x86 [v2,09/26] userfaultfd: wp: userfaultfd_pte/huge_pmd_wp() helpers [v2,10/26] userfaultfd: wp: add UFFDIO_COPY_MODE_WP [v2,11/26] mm: merge parameters for change_protection() [v2,12/26] userfaultfd: wp: apply _PAGE_UFFD_WP bit [v2,13/26] mm: export wp_page_copy() [v2,14/26] userfaultfd: wp: handle COW properly for uffd-wp [v2,15/26] userfaultfd: wp: drop _PAGE_UFFD_WP properly when fork [v2,16/26] userfaultfd: wp: add pmd_swp_*uffd_wp() helpers [v2,17/26] userfaultfd: wp: support swap and page migration [v2,18/26] khugepaged: skip collapse if uffd-wp detected [v2,19/26] userfaultfd: introduce helper vma_find_uffd [v2,20/26] userfaultfd: wp: support write protection for userfault vma range [v2,21/26] userfaultfd: wp: add the writeprotect API to userfaultfd ioctl [v2,22/26] userfaultfd: wp: enabled write protection in userfaultfd API [v2,23/26] userfaultfd: wp: don't wake up when doing write protect [v2,24/26] userfaultfd: wp: UFFDIO_REGISTER_MODE_WP documentation update [v2,25/26] userfaultfd: selftests: refactor statistics [v2,26/26] userfaultfd: selftests: add write-protect test

Peter Xu Feb. 12, 2019, 2:56 a.m. UTC

From: Andrea Arcangeli <aarcange@redhat.com>

This allows UFFDIO_COPY to map pages wrprotected.

Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 fs/userfaultfd.c                 |  5 +++--
 include/linux/userfaultfd_k.h    |  2 +-
 include/uapi/linux/userfaultfd.h | 11 +++++-----
 mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
 4 files changed, 35 insertions(+), 19 deletions(-)

Jerome Glisse Feb. 21, 2019, 5:29 p.m. UTC | #1

On Tue, Feb 12, 2019 at 10:56:16AM +0800, Peter Xu wrote:
> From: Andrea Arcangeli <aarcange@redhat.com>
> 
> This allows UFFDIO_COPY to map pages wrprotected.
> 
> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> Signed-off-by: Peter Xu <peterx@redhat.com>

Minor nitpick down below, but in any case:

Reviewed-by: Jérôme Glisse <jglisse@redhat.com>

> ---
>  fs/userfaultfd.c                 |  5 +++--
>  include/linux/userfaultfd_k.h    |  2 +-
>  include/uapi/linux/userfaultfd.h | 11 +++++-----
>  mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
>  4 files changed, 35 insertions(+), 19 deletions(-)
> 

[...]

> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> index d59b5a73dfb3..73a208c5c1e7 100644
> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -25,7 +25,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
>  			    struct vm_area_struct *dst_vma,
>  			    unsigned long dst_addr,
>  			    unsigned long src_addr,
> -			    struct page **pagep)
> +			    struct page **pagep,
> +			    bool wp_copy)
>  {
>  	struct mem_cgroup *memcg;
>  	pte_t _dst_pte, *dst_pte;
> @@ -71,9 +72,9 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
>  	if (mem_cgroup_try_charge(page, dst_mm, GFP_KERNEL, &memcg, false))
>  		goto out_release;
>  
> -	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
> -	if (dst_vma->vm_flags & VM_WRITE)
> -		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
> +	_dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> +	if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> +		_dst_pte = pte_mkwrite(_dst_pte);

I like parenthesis around around and :) ie:
    (dst_vma->vm_flags & VM_WRITE) && !wp_copy

I feel it is easier to read.

[...]

> @@ -416,11 +418,13 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
>  	if (!(dst_vma->vm_flags & VM_SHARED)) {
>  		if (!zeropage)
>  			err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
> -					       dst_addr, src_addr, page);
> +					       dst_addr, src_addr, page,
> +					       wp_copy);
>  		else
>  			err = mfill_zeropage_pte(dst_mm, dst_pmd,
>  						 dst_vma, dst_addr);
>  	} else {
> +		VM_WARN_ON(wp_copy); /* WP only available for anon */

Don't you want to return with error here ?

>  		if (!zeropage)
>  			err = shmem_mcopy_atomic_pte(dst_mm, dst_pmd,
>  						     dst_vma, dst_addr,

[...]

Peter Xu Feb. 22, 2019, 7:11 a.m. UTC | #2

On Thu, Feb 21, 2019 at 12:29:19PM -0500, Jerome Glisse wrote:
> On Tue, Feb 12, 2019 at 10:56:16AM +0800, Peter Xu wrote:
> > From: Andrea Arcangeli <aarcange@redhat.com>
> > 
> > This allows UFFDIO_COPY to map pages wrprotected.
> > 
> > Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> > Signed-off-by: Peter Xu <peterx@redhat.com>
> 
> Minor nitpick down below, but in any case:
> 
> Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
> 
> > ---
> >  fs/userfaultfd.c                 |  5 +++--
> >  include/linux/userfaultfd_k.h    |  2 +-
> >  include/uapi/linux/userfaultfd.h | 11 +++++-----
> >  mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
> >  4 files changed, 35 insertions(+), 19 deletions(-)
> > 
> 
> [...]
> 
> > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > index d59b5a73dfb3..73a208c5c1e7 100644
> > --- a/mm/userfaultfd.c
> > +++ b/mm/userfaultfd.c
> > @@ -25,7 +25,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> >  			    struct vm_area_struct *dst_vma,
> >  			    unsigned long dst_addr,
> >  			    unsigned long src_addr,
> > -			    struct page **pagep)
> > +			    struct page **pagep,
> > +			    bool wp_copy)
> >  {
> >  	struct mem_cgroup *memcg;
> >  	pte_t _dst_pte, *dst_pte;
> > @@ -71,9 +72,9 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> >  	if (mem_cgroup_try_charge(page, dst_mm, GFP_KERNEL, &memcg, false))
> >  		goto out_release;
> >  
> > -	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
> > -	if (dst_vma->vm_flags & VM_WRITE)
> > -		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
> > +	_dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> > +	if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> > +		_dst_pte = pte_mkwrite(_dst_pte);
> 
> I like parenthesis around around and :) ie:
>     (dst_vma->vm_flags & VM_WRITE) && !wp_copy
> 
> I feel it is easier to read.

Yeah another one. Though this line will be changed in follow up
patches, will fix anyways.

> 
> [...]
> 
> > @@ -416,11 +418,13 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> >  	if (!(dst_vma->vm_flags & VM_SHARED)) {
> >  		if (!zeropage)
> >  			err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
> > -					       dst_addr, src_addr, page);
> > +					       dst_addr, src_addr, page,
> > +					       wp_copy);
> >  		else
> >  			err = mfill_zeropage_pte(dst_mm, dst_pmd,
> >  						 dst_vma, dst_addr);
> >  	} else {
> > +		VM_WARN_ON(wp_copy); /* WP only available for anon */
> 
> Don't you want to return with error here ?

Makes sense to me.  Does this looks good to you to be squashed into
current patch?

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 73a208c5c1e7..f3ea09f412d4 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -73,7 +73,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
                goto out_release;
 
        _dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
-       if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
+       if ((dst_vma->vm_flags & VM_WRITE) && !wp_copy)
                _dst_pte = pte_mkwrite(_dst_pte);
 
        dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
@@ -424,7 +424,10 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
                        err = mfill_zeropage_pte(dst_mm, dst_pmd,
                                                 dst_vma, dst_addr);
        } else {
-               VM_WARN_ON(wp_copy); /* WP only available for anon */
+               if (unlikely(wp_copy))
+                       /* TODO: WP currently only available for anon */
+                       return -EINVAL;
+
                if (!zeropage)
                        err = shmem_mcopy_atomic_pte(dst_mm, dst_pmd,
                                                     dst_vma, dst_addr,

Thanks,

Jerome Glisse Feb. 22, 2019, 3:15 p.m. UTC | #3

On Fri, Feb 22, 2019 at 03:11:06PM +0800, Peter Xu wrote:
> On Thu, Feb 21, 2019 at 12:29:19PM -0500, Jerome Glisse wrote:
> > On Tue, Feb 12, 2019 at 10:56:16AM +0800, Peter Xu wrote:
> > > From: Andrea Arcangeli <aarcange@redhat.com>
> > > 
> > > This allows UFFDIO_COPY to map pages wrprotected.
> > > 
> > > Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> > > Signed-off-by: Peter Xu <peterx@redhat.com>
> > 
> > Minor nitpick down below, but in any case:
> > 
> > Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
> > 
> > > ---
> > >  fs/userfaultfd.c                 |  5 +++--
> > >  include/linux/userfaultfd_k.h    |  2 +-
> > >  include/uapi/linux/userfaultfd.h | 11 +++++-----
> > >  mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
> > >  4 files changed, 35 insertions(+), 19 deletions(-)
> > > 
> > 
> > [...]
> > 
> > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > > index d59b5a73dfb3..73a208c5c1e7 100644
> > > --- a/mm/userfaultfd.c
> > > +++ b/mm/userfaultfd.c
> > > @@ -25,7 +25,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> > >  			    struct vm_area_struct *dst_vma,
> > >  			    unsigned long dst_addr,
> > >  			    unsigned long src_addr,
> > > -			    struct page **pagep)
> > > +			    struct page **pagep,
> > > +			    bool wp_copy)
> > >  {
> > >  	struct mem_cgroup *memcg;
> > >  	pte_t _dst_pte, *dst_pte;
> > > @@ -71,9 +72,9 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> > >  	if (mem_cgroup_try_charge(page, dst_mm, GFP_KERNEL, &memcg, false))
> > >  		goto out_release;
> > >  
> > > -	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
> > > -	if (dst_vma->vm_flags & VM_WRITE)
> > > -		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
> > > +	_dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> > > +	if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> > > +		_dst_pte = pte_mkwrite(_dst_pte);
> > 
> > I like parenthesis around around and :) ie:
> >     (dst_vma->vm_flags & VM_WRITE) && !wp_copy
> > 
> > I feel it is easier to read.
> 
> Yeah another one. Though this line will be changed in follow up
> patches, will fix anyways.
> 
> > 
> > [...]
> > 
> > > @@ -416,11 +418,13 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> > >  	if (!(dst_vma->vm_flags & VM_SHARED)) {
> > >  		if (!zeropage)
> > >  			err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
> > > -					       dst_addr, src_addr, page);
> > > +					       dst_addr, src_addr, page,
> > > +					       wp_copy);
> > >  		else
> > >  			err = mfill_zeropage_pte(dst_mm, dst_pmd,
> > >  						 dst_vma, dst_addr);
> > >  	} else {
> > > +		VM_WARN_ON(wp_copy); /* WP only available for anon */
> > 
> > Don't you want to return with error here ?
> 
> Makes sense to me.  Does this looks good to you to be squashed into
> current patch?
> 
> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> index 73a208c5c1e7..f3ea09f412d4 100644
> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -73,7 +73,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
>                 goto out_release;
>  
>         _dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> -       if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> +       if ((dst_vma->vm_flags & VM_WRITE) && !wp_copy)
>                 _dst_pte = pte_mkwrite(_dst_pte);
>  
>         dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
> @@ -424,7 +424,10 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
>                         err = mfill_zeropage_pte(dst_mm, dst_pmd,
>                                                  dst_vma, dst_addr);
>         } else {
> -               VM_WARN_ON(wp_copy); /* WP only available for anon */
> +               if (unlikely(wp_copy))
> +                       /* TODO: WP currently only available for anon */
> +                       return -EINVAL;
> +
>                 if (!zeropage)
>                         err = shmem_mcopy_atomic_pte(dst_mm, dst_pmd,
>                                                      dst_vma, dst_addr,

I would keep a the VM_WARN_ON or maybe a ONCE variant so that we at
least have a chance to be inform if for some reasons that code path
is taken. With that my r-b stands.

Cheers,
Jérôme

Peter Xu Feb. 25, 2019, 6:45 a.m. UTC | #4

On Fri, Feb 22, 2019 at 10:15:47AM -0500, Jerome Glisse wrote:
> On Fri, Feb 22, 2019 at 03:11:06PM +0800, Peter Xu wrote:
> > On Thu, Feb 21, 2019 at 12:29:19PM -0500, Jerome Glisse wrote:
> > > On Tue, Feb 12, 2019 at 10:56:16AM +0800, Peter Xu wrote:
> > > > From: Andrea Arcangeli <aarcange@redhat.com>
> > > > 
> > > > This allows UFFDIO_COPY to map pages wrprotected.
> > > > 
> > > > Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> > > > Signed-off-by: Peter Xu <peterx@redhat.com>
> > > 
> > > Minor nitpick down below, but in any case:
> > > 
> > > Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
> > > 
> > > > ---
> > > >  fs/userfaultfd.c                 |  5 +++--
> > > >  include/linux/userfaultfd_k.h    |  2 +-
> > > >  include/uapi/linux/userfaultfd.h | 11 +++++-----
> > > >  mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
> > > >  4 files changed, 35 insertions(+), 19 deletions(-)
> > > > 
> > > 
> > > [...]
> > > 
> > > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > > > index d59b5a73dfb3..73a208c5c1e7 100644
> > > > --- a/mm/userfaultfd.c
> > > > +++ b/mm/userfaultfd.c
> > > > @@ -25,7 +25,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> > > >  			    struct vm_area_struct *dst_vma,
> > > >  			    unsigned long dst_addr,
> > > >  			    unsigned long src_addr,
> > > > -			    struct page **pagep)
> > > > +			    struct page **pagep,
> > > > +			    bool wp_copy)
> > > >  {
> > > >  	struct mem_cgroup *memcg;
> > > >  	pte_t _dst_pte, *dst_pte;
> > > > @@ -71,9 +72,9 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> > > >  	if (mem_cgroup_try_charge(page, dst_mm, GFP_KERNEL, &memcg, false))
> > > >  		goto out_release;
> > > >  
> > > > -	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
> > > > -	if (dst_vma->vm_flags & VM_WRITE)
> > > > -		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
> > > > +	_dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> > > > +	if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> > > > +		_dst_pte = pte_mkwrite(_dst_pte);
> > > 
> > > I like parenthesis around around and :) ie:
> > >     (dst_vma->vm_flags & VM_WRITE) && !wp_copy
> > > 
> > > I feel it is easier to read.
> > 
> > Yeah another one. Though this line will be changed in follow up
> > patches, will fix anyways.
> > 
> > > 
> > > [...]
> > > 
> > > > @@ -416,11 +418,13 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> > > >  	if (!(dst_vma->vm_flags & VM_SHARED)) {
> > > >  		if (!zeropage)
> > > >  			err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
> > > > -					       dst_addr, src_addr, page);
> > > > +					       dst_addr, src_addr, page,
> > > > +					       wp_copy);
> > > >  		else
> > > >  			err = mfill_zeropage_pte(dst_mm, dst_pmd,
> > > >  						 dst_vma, dst_addr);
> > > >  	} else {
> > > > +		VM_WARN_ON(wp_copy); /* WP only available for anon */
> > > 
> > > Don't you want to return with error here ?
> > 
> > Makes sense to me.  Does this looks good to you to be squashed into
> > current patch?
> > 
> > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > index 73a208c5c1e7..f3ea09f412d4 100644
> > --- a/mm/userfaultfd.c
> > +++ b/mm/userfaultfd.c
> > @@ -73,7 +73,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> >                 goto out_release;
> >  
> >         _dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> > -       if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> > +       if ((dst_vma->vm_flags & VM_WRITE) && !wp_copy)
> >                 _dst_pte = pte_mkwrite(_dst_pte);
> >  
> >         dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
> > @@ -424,7 +424,10 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> >                         err = mfill_zeropage_pte(dst_mm, dst_pmd,
> >                                                  dst_vma, dst_addr);
> >         } else {
> > -               VM_WARN_ON(wp_copy); /* WP only available for anon */
> > +               if (unlikely(wp_copy))
> > +                       /* TODO: WP currently only available for anon */
> > +                       return -EINVAL;
> > +
> >                 if (!zeropage)
> >                         err = shmem_mcopy_atomic_pte(dst_mm, dst_pmd,
> >                                                      dst_vma, dst_addr,
> 
> I would keep a the VM_WARN_ON or maybe a ONCE variant so that we at
> least have a chance to be inform if for some reasons that code path
> is taken. With that my r-b stands.

Yeah *ONCE() is good to me too (both can avoid DOS attack from
userspace) and I don't have strong opinion on whether we should fail
on this specific ioctl if it happens.  For now I'll just take the
advise and the r-b together.  Thanks,

Mike Rapoport Feb. 25, 2019, 3:58 p.m. UTC | #5

On Tue, Feb 12, 2019 at 10:56:16AM +0800, Peter Xu wrote:
> From: Andrea Arcangeli <aarcange@redhat.com>
> 
> This allows UFFDIO_COPY to map pages wrprotected.
                                       write protected please :)
> 
> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> Signed-off-by: Peter Xu <peterx@redhat.com>

Except for two additional nits below

Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>

> ---
>  fs/userfaultfd.c                 |  5 +++--
>  include/linux/userfaultfd_k.h    |  2 +-
>  include/uapi/linux/userfaultfd.h | 11 +++++-----
>  mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
>  4 files changed, 35 insertions(+), 19 deletions(-)
> 
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index b397bc3b954d..3092885c9d2c 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1683,11 +1683,12 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
>  	ret = -EINVAL;
>  	if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src)
>  		goto out;
> -	if (uffdio_copy.mode & ~UFFDIO_COPY_MODE_DONTWAKE)
> +	if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP))
>  		goto out;
>  	if (mmget_not_zero(ctx->mm)) {
>  		ret = mcopy_atomic(ctx->mm, uffdio_copy.dst, uffdio_copy.src,
> -				   uffdio_copy.len, &ctx->mmap_changing);
> +				   uffdio_copy.len, &ctx->mmap_changing,
> +				   uffdio_copy.mode);
>  		mmput(ctx->mm);
>  	} else {
>  		return -ESRCH;
> diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h
> index c6590c58ce28..765ce884cec0 100644
> --- a/include/linux/userfaultfd_k.h
> +++ b/include/linux/userfaultfd_k.h
> @@ -34,7 +34,7 @@ extern vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason);
> 
>  extern ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start,
>  			    unsigned long src_start, unsigned long len,
> -			    bool *mmap_changing);
> +			    bool *mmap_changing, __u64 mode);
>  extern ssize_t mfill_zeropage(struct mm_struct *dst_mm,
>  			      unsigned long dst_start,
>  			      unsigned long len,
> diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h
> index 48f1a7c2f1f0..297cb044c03f 100644
> --- a/include/uapi/linux/userfaultfd.h
> +++ b/include/uapi/linux/userfaultfd.h
> @@ -203,13 +203,14 @@ struct uffdio_copy {
>  	__u64 dst;
>  	__u64 src;
>  	__u64 len;
> +#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
>  	/*
> -	 * There will be a wrprotection flag later that allows to map
> -	 * pages wrprotected on the fly. And such a flag will be
> -	 * available if the wrprotection ioctl are implemented for the
> -	 * range according to the uffdio_register.ioctls.
> +	 * UFFDIO_COPY_MODE_WP will map the page wrprotected on the
> +	 * fly. UFFDIO_COPY_MODE_WP is available only if the
> +	 * wrprotection ioctl are implemented for the range according

                             ^ is

> +	 * to the uffdio_register.ioctls.
>  	 */
> -#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
> +#define UFFDIO_COPY_MODE_WP			((__u64)1<<1)
>  	__u64 mode;
> 
>  	/*
> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> index d59b5a73dfb3..73a208c5c1e7 100644
> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -25,7 +25,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
>  			    struct vm_area_struct *dst_vma,
>  			    unsigned long dst_addr,
>  			    unsigned long src_addr,
> -			    struct page **pagep)
> +			    struct page **pagep,
> +			    bool wp_copy)
>  {
>  	struct mem_cgroup *memcg;
>  	pte_t _dst_pte, *dst_pte;
> @@ -71,9 +72,9 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
>  	if (mem_cgroup_try_charge(page, dst_mm, GFP_KERNEL, &memcg, false))
>  		goto out_release;
> 
> -	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
> -	if (dst_vma->vm_flags & VM_WRITE)
> -		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
> +	_dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> +	if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> +		_dst_pte = pte_mkwrite(_dst_pte);
> 
>  	dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
>  	if (dst_vma->vm_file) {
> @@ -399,7 +400,8 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
>  						unsigned long dst_addr,
>  						unsigned long src_addr,
>  						struct page **page,
> -						bool zeropage)
> +						bool zeropage,
> +						bool wp_copy)
>  {
>  	ssize_t err;
> 
> @@ -416,11 +418,13 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
>  	if (!(dst_vma->vm_flags & VM_SHARED)) {
>  		if (!zeropage)
>  			err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
> -					       dst_addr, src_addr, page);
> +					       dst_addr, src_addr, page,
> +					       wp_copy);
>  		else
>  			err = mfill_zeropage_pte(dst_mm, dst_pmd,
>  						 dst_vma, dst_addr);
>  	} else {
> +		VM_WARN_ON(wp_copy); /* WP only available for anon */
>  		if (!zeropage)
>  			err = shmem_mcopy_atomic_pte(dst_mm, dst_pmd,
>  						     dst_vma, dst_addr,
> @@ -438,7 +442,8 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
>  					      unsigned long src_start,
>  					      unsigned long len,
>  					      bool zeropage,
> -					      bool *mmap_changing)
> +					      bool *mmap_changing,
> +					      __u64 mode)
>  {
>  	struct vm_area_struct *dst_vma;
>  	ssize_t err;
> @@ -446,6 +451,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
>  	unsigned long src_addr, dst_addr;
>  	long copied;
>  	struct page *page;
> +	bool wp_copy;
> 
>  	/*>  	 * Sanitize the command parameters:
> @@ -502,6 +508,14 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
>  	    dst_vma->vm_flags & VM_SHARED))
>  		goto out_unlock;
> 
> +	/*
> +	 * validate 'mode' now that we know the dst_vma: don't allow
> +	 * a wrprotect copy if the userfaultfd didn't register as WP.
> +	 */
> +	wp_copy = mode & UFFDIO_COPY_MODE_WP;
> +	if (wp_copy && !(dst_vma->vm_flags & VM_UFFD_WP))
> +		goto out_unlock;
> +
>  	/*
>  	 * If this is a HUGETLB vma, pass off to appropriate routine
>  	 */

I think for hugetlb we should return an error if wp_copy==true.
It might be worth adding wp_copy parameter to __mcopy_atomic_hugetlb() in
advance and return the error from there, in a hope it will also support
UFFD_WP some day :)

> @@ -557,7 +571,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
>  		BUG_ON(pmd_trans_huge(*dst_pmd));
> 
>  		err = mfill_atomic_pte(dst_mm, dst_pmd, dst_vma, dst_addr,
> -				       src_addr, &page, zeropage);
> +				       src_addr, &page, zeropage, wp_copy);
>  		cond_resched();
> 
>  		if (unlikely(err == -ENOENT)) {
> @@ -604,14 +618,14 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
> 
>  ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start,
>  		     unsigned long src_start, unsigned long len,
> -		     bool *mmap_changing)
> +		     bool *mmap_changing, __u64 mode)
>  {
>  	return __mcopy_atomic(dst_mm, dst_start, src_start, len, false,
> -			      mmap_changing);
> +			      mmap_changing, mode);
>  }
> 
>  ssize_t mfill_zeropage(struct mm_struct *dst_mm, unsigned long start,
>  		       unsigned long len, bool *mmap_changing)
>  {
> -	return __mcopy_atomic(dst_mm, start, 0, len, true, mmap_changing);
> +	return __mcopy_atomic(dst_mm, start, 0, len, true, mmap_changing, 0);
>  }
> -- 
> 2.17.1
>

Peter Xu Feb. 26, 2019, 5:09 a.m. UTC | #6

On Mon, Feb 25, 2019 at 05:58:37PM +0200, Mike Rapoport wrote:
> On Tue, Feb 12, 2019 at 10:56:16AM +0800, Peter Xu wrote:
> > From: Andrea Arcangeli <aarcange@redhat.com>
> > 
> > This allows UFFDIO_COPY to map pages wrprotected.
>                                        write protected please :)

Sure!

> > 
> > Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> > Signed-off-by: Peter Xu <peterx@redhat.com>
> 
> Except for two additional nits below
> 
> Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
> 
> > ---
> >  fs/userfaultfd.c                 |  5 +++--
> >  include/linux/userfaultfd_k.h    |  2 +-
> >  include/uapi/linux/userfaultfd.h | 11 +++++-----
> >  mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
> >  4 files changed, 35 insertions(+), 19 deletions(-)
> > 
> > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> > index b397bc3b954d..3092885c9d2c 100644
> > --- a/fs/userfaultfd.c
> > +++ b/fs/userfaultfd.c
> > @@ -1683,11 +1683,12 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
> >  	ret = -EINVAL;
> >  	if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src)
> >  		goto out;
> > -	if (uffdio_copy.mode & ~UFFDIO_COPY_MODE_DONTWAKE)
> > +	if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP))
> >  		goto out;
> >  	if (mmget_not_zero(ctx->mm)) {
> >  		ret = mcopy_atomic(ctx->mm, uffdio_copy.dst, uffdio_copy.src,
> > -				   uffdio_copy.len, &ctx->mmap_changing);
> > +				   uffdio_copy.len, &ctx->mmap_changing,
> > +				   uffdio_copy.mode);
> >  		mmput(ctx->mm);
> >  	} else {
> >  		return -ESRCH;
> > diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h
> > index c6590c58ce28..765ce884cec0 100644
> > --- a/include/linux/userfaultfd_k.h
> > +++ b/include/linux/userfaultfd_k.h
> > @@ -34,7 +34,7 @@ extern vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason);
> > 
> >  extern ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start,
> >  			    unsigned long src_start, unsigned long len,
> > -			    bool *mmap_changing);
> > +			    bool *mmap_changing, __u64 mode);
> >  extern ssize_t mfill_zeropage(struct mm_struct *dst_mm,
> >  			      unsigned long dst_start,
> >  			      unsigned long len,
> > diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h
> > index 48f1a7c2f1f0..297cb044c03f 100644
> > --- a/include/uapi/linux/userfaultfd.h
> > +++ b/include/uapi/linux/userfaultfd.h
> > @@ -203,13 +203,14 @@ struct uffdio_copy {
> >  	__u64 dst;
> >  	__u64 src;
> >  	__u64 len;
> > +#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
> >  	/*
> > -	 * There will be a wrprotection flag later that allows to map
> > -	 * pages wrprotected on the fly. And such a flag will be
> > -	 * available if the wrprotection ioctl are implemented for the
> > -	 * range according to the uffdio_register.ioctls.
> > +	 * UFFDIO_COPY_MODE_WP will map the page wrprotected on the
> > +	 * fly. UFFDIO_COPY_MODE_WP is available only if the
> > +	 * wrprotection ioctl are implemented for the range according
> 
>                              ^ is

Will fix.

> 
> > +	 * to the uffdio_register.ioctls.
> >  	 */
> > -#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
> > +#define UFFDIO_COPY_MODE_WP			((__u64)1<<1)
> >  	__u64 mode;
> > 
> >  	/*
> > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > index d59b5a73dfb3..73a208c5c1e7 100644
> > --- a/mm/userfaultfd.c
> > +++ b/mm/userfaultfd.c
> > @@ -25,7 +25,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> >  			    struct vm_area_struct *dst_vma,
> >  			    unsigned long dst_addr,
> >  			    unsigned long src_addr,
> > -			    struct page **pagep)
> > +			    struct page **pagep,
> > +			    bool wp_copy)
> >  {
> >  	struct mem_cgroup *memcg;
> >  	pte_t _dst_pte, *dst_pte;
> > @@ -71,9 +72,9 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> >  	if (mem_cgroup_try_charge(page, dst_mm, GFP_KERNEL, &memcg, false))
> >  		goto out_release;
> > 
> > -	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
> > -	if (dst_vma->vm_flags & VM_WRITE)
> > -		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
> > +	_dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> > +	if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> > +		_dst_pte = pte_mkwrite(_dst_pte);
> > 
> >  	dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
> >  	if (dst_vma->vm_file) {
> > @@ -399,7 +400,8 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> >  						unsigned long dst_addr,
> >  						unsigned long src_addr,
> >  						struct page **page,
> > -						bool zeropage)
> > +						bool zeropage,
> > +						bool wp_copy)
> >  {
> >  	ssize_t err;
> > 
> > @@ -416,11 +418,13 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> >  	if (!(dst_vma->vm_flags & VM_SHARED)) {
> >  		if (!zeropage)
> >  			err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
> > -					       dst_addr, src_addr, page);
> > +					       dst_addr, src_addr, page,
> > +					       wp_copy);
> >  		else
> >  			err = mfill_zeropage_pte(dst_mm, dst_pmd,
> >  						 dst_vma, dst_addr);
> >  	} else {
> > +		VM_WARN_ON(wp_copy); /* WP only available for anon */
> >  		if (!zeropage)
> >  			err = shmem_mcopy_atomic_pte(dst_mm, dst_pmd,
> >  						     dst_vma, dst_addr,
> > @@ -438,7 +442,8 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
> >  					      unsigned long src_start,
> >  					      unsigned long len,
> >  					      bool zeropage,
> > -					      bool *mmap_changing)
> > +					      bool *mmap_changing,
> > +					      __u64 mode)
> >  {
> >  	struct vm_area_struct *dst_vma;
> >  	ssize_t err;
> > @@ -446,6 +451,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
> >  	unsigned long src_addr, dst_addr;
> >  	long copied;
> >  	struct page *page;
> > +	bool wp_copy;
> > 
> >  	/*>  	 * Sanitize the command parameters:
> > @@ -502,6 +508,14 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
> >  	    dst_vma->vm_flags & VM_SHARED))
> >  		goto out_unlock;
> > 
> > +	/*
> > +	 * validate 'mode' now that we know the dst_vma: don't allow
> > +	 * a wrprotect copy if the userfaultfd didn't register as WP.
> > +	 */
> > +	wp_copy = mode & UFFDIO_COPY_MODE_WP;
> > +	if (wp_copy && !(dst_vma->vm_flags & VM_UFFD_WP))
> > +		goto out_unlock;

[1]

> > +
> >  	/*
> >  	 * If this is a HUGETLB vma, pass off to appropriate routine
> >  	 */
> 
> I think for hugetlb we should return an error if wp_copy==true.
> It might be worth adding wp_copy parameter to __mcopy_atomic_hugetlb() in
> advance and return the error from there, in a hope it will also support
> UFFD_WP some day :)

Now we should have failed even earlier if someone wants to register a
hugetlbfs VMA with UFFD_WP because now vma_can_userfault() only allows
anonymous memory for it:

static inline bool vma_can_userfault(struct vm_area_struct *vma,
				     unsigned long vm_flags)
{
	/* FIXME: add WP support to hugetlbfs and shmem */
	return vma_is_anonymous(vma) ||
		((is_vm_hugetlb_page(vma) || vma_is_shmem(vma)) &&
		 !(vm_flags & VM_UFFD_WP));
}

And, as long as a VMA is not tagged with UFFD_WP, the page copy will
fail with -EINVAL directly above at [1] when setting the wp_copy flag.
So IMHO we should have already covered the case.

Considering these, I would think we could simply postpone the changes
to __mcopy_atomic_hugetlb() until adding hugetlbfs support on uffd-wp.
Mike, what do you think?

Thanks!

Mike Rapoport Feb. 26, 2019, 8:28 a.m. UTC | #7

On Tue, Feb 26, 2019 at 01:09:42PM +0800, Peter Xu wrote:
> On Mon, Feb 25, 2019 at 05:58:37PM +0200, Mike Rapoport wrote:
> > On Tue, Feb 12, 2019 at 10:56:16AM +0800, Peter Xu wrote:
> > > From: Andrea Arcangeli <aarcange@redhat.com>
> > > 
> > > This allows UFFDIO_COPY to map pages wrprotected.
> >                                        write protected please :)
> 
> Sure!
> 
> > > 
> > > Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> > > Signed-off-by: Peter Xu <peterx@redhat.com>
> > 
> > Except for two additional nits below
> > 
> > Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
> > 
> > > ---
> > >  fs/userfaultfd.c                 |  5 +++--
> > >  include/linux/userfaultfd_k.h    |  2 +-
> > >  include/uapi/linux/userfaultfd.h | 11 +++++-----
> > >  mm/userfaultfd.c                 | 36 ++++++++++++++++++++++----------
> > >  4 files changed, 35 insertions(+), 19 deletions(-)
> > > 
> > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> > > index b397bc3b954d..3092885c9d2c 100644
> > > --- a/fs/userfaultfd.c
> > > +++ b/fs/userfaultfd.c
> > > @@ -1683,11 +1683,12 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
> > >  	ret = -EINVAL;
> > >  	if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src)
> > >  		goto out;
> > > -	if (uffdio_copy.mode & ~UFFDIO_COPY_MODE_DONTWAKE)
> > > +	if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP))
> > >  		goto out;
> > >  	if (mmget_not_zero(ctx->mm)) {
> > >  		ret = mcopy_atomic(ctx->mm, uffdio_copy.dst, uffdio_copy.src,
> > > -				   uffdio_copy.len, &ctx->mmap_changing);
> > > +				   uffdio_copy.len, &ctx->mmap_changing,
> > > +				   uffdio_copy.mode);
> > >  		mmput(ctx->mm);
> > >  	} else {
> > >  		return -ESRCH;
> > > diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h
> > > index c6590c58ce28..765ce884cec0 100644
> > > --- a/include/linux/userfaultfd_k.h
> > > +++ b/include/linux/userfaultfd_k.h
> > > @@ -34,7 +34,7 @@ extern vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason);
> > > 
> > >  extern ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start,
> > >  			    unsigned long src_start, unsigned long len,
> > > -			    bool *mmap_changing);
> > > +			    bool *mmap_changing, __u64 mode);
> > >  extern ssize_t mfill_zeropage(struct mm_struct *dst_mm,
> > >  			      unsigned long dst_start,
> > >  			      unsigned long len,
> > > diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h
> > > index 48f1a7c2f1f0..297cb044c03f 100644
> > > --- a/include/uapi/linux/userfaultfd.h
> > > +++ b/include/uapi/linux/userfaultfd.h
> > > @@ -203,13 +203,14 @@ struct uffdio_copy {
> > >  	__u64 dst;
> > >  	__u64 src;
> > >  	__u64 len;
> > > +#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
> > >  	/*
> > > -	 * There will be a wrprotection flag later that allows to map
> > > -	 * pages wrprotected on the fly. And such a flag will be
> > > -	 * available if the wrprotection ioctl are implemented for the
> > > -	 * range according to the uffdio_register.ioctls.
> > > +	 * UFFDIO_COPY_MODE_WP will map the page wrprotected on the
> > > +	 * fly. UFFDIO_COPY_MODE_WP is available only if the
> > > +	 * wrprotection ioctl are implemented for the range according
> > 
> >                              ^ is
> 
> Will fix.
> 
> > 
> > > +	 * to the uffdio_register.ioctls.
> > >  	 */
> > > -#define UFFDIO_COPY_MODE_DONTWAKE		((__u64)1<<0)
> > > +#define UFFDIO_COPY_MODE_WP			((__u64)1<<1)
> > >  	__u64 mode;
> > > 
> > >  	/*
> > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > > index d59b5a73dfb3..73a208c5c1e7 100644
> > > --- a/mm/userfaultfd.c
> > > +++ b/mm/userfaultfd.c
> > > @@ -25,7 +25,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> > >  			    struct vm_area_struct *dst_vma,
> > >  			    unsigned long dst_addr,
> > >  			    unsigned long src_addr,
> > > -			    struct page **pagep)
> > > +			    struct page **pagep,
> > > +			    bool wp_copy)
> > >  {
> > >  	struct mem_cgroup *memcg;
> > >  	pte_t _dst_pte, *dst_pte;
> > > @@ -71,9 +72,9 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
> > >  	if (mem_cgroup_try_charge(page, dst_mm, GFP_KERNEL, &memcg, false))
> > >  		goto out_release;
> > > 
> > > -	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
> > > -	if (dst_vma->vm_flags & VM_WRITE)
> > > -		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
> > > +	_dst_pte = pte_mkdirty(mk_pte(page, dst_vma->vm_page_prot));
> > > +	if (dst_vma->vm_flags & VM_WRITE && !wp_copy)
> > > +		_dst_pte = pte_mkwrite(_dst_pte);
> > > 
> > >  	dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
> > >  	if (dst_vma->vm_file) {
> > > @@ -399,7 +400,8 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> > >  						unsigned long dst_addr,
> > >  						unsigned long src_addr,
> > >  						struct page **page,
> > > -						bool zeropage)
> > > +						bool zeropage,
> > > +						bool wp_copy)
> > >  {
> > >  	ssize_t err;
> > > 
> > > @@ -416,11 +418,13 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
> > >  	if (!(dst_vma->vm_flags & VM_SHARED)) {
> > >  		if (!zeropage)
> > >  			err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
> > > -					       dst_addr, src_addr, page);
> > > +					       dst_addr, src_addr, page,
> > > +					       wp_copy);
> > >  		else
> > >  			err = mfill_zeropage_pte(dst_mm, dst_pmd,
> > >  						 dst_vma, dst_addr);
> > >  	} else {
> > > +		VM_WARN_ON(wp_copy); /* WP only available for anon */
> > >  		if (!zeropage)
> > >  			err = shmem_mcopy_atomic_pte(dst_mm, dst_pmd,
> > >  						     dst_vma, dst_addr,
> > > @@ -438,7 +442,8 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
> > >  					      unsigned long src_start,
> > >  					      unsigned long len,
> > >  					      bool zeropage,
> > > -					      bool *mmap_changing)
> > > +					      bool *mmap_changing,
> > > +					      __u64 mode)
> > >  {
> > >  	struct vm_area_struct *dst_vma;
> > >  	ssize_t err;
> > > @@ -446,6 +451,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
> > >  	unsigned long src_addr, dst_addr;
> > >  	long copied;
> > >  	struct page *page;
> > > +	bool wp_copy;
> > > 
> > >  	/*>  	 * Sanitize the command parameters:
> > > @@ -502,6 +508,14 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
> > >  	    dst_vma->vm_flags & VM_SHARED))
> > >  		goto out_unlock;
> > > 
> > > +	/*
> > > +	 * validate 'mode' now that we know the dst_vma: don't allow
> > > +	 * a wrprotect copy if the userfaultfd didn't register as WP.
> > > +	 */
> > > +	wp_copy = mode & UFFDIO_COPY_MODE_WP;
> > > +	if (wp_copy && !(dst_vma->vm_flags & VM_UFFD_WP))
> > > +		goto out_unlock;
> 
> [1]
> 
> > > +
> > >  	/*
> > >  	 * If this is a HUGETLB vma, pass off to appropriate routine
> > >  	 */
> > 
> > I think for hugetlb we should return an error if wp_copy==true.
> > It might be worth adding wp_copy parameter to __mcopy_atomic_hugetlb() in
> > advance and return the error from there, in a hope it will also support
> > UFFD_WP some day :)
> 
> Now we should have failed even earlier if someone wants to register a
> hugetlbfs VMA with UFFD_WP because now vma_can_userfault() only allows
> anonymous memory for it:
> 
> static inline bool vma_can_userfault(struct vm_area_struct *vma,
> 				     unsigned long vm_flags)
> {
> 	/* FIXME: add WP support to hugetlbfs and shmem */
> 	return vma_is_anonymous(vma) ||
> 		((is_vm_hugetlb_page(vma) || vma_is_shmem(vma)) &&
> 		 !(vm_flags & VM_UFFD_WP));
> }
> 
> And, as long as a VMA is not tagged with UFFD_WP, the page copy will
> fail with -EINVAL directly above at [1] when setting the wp_copy flag.
> So IMHO we should have already covered the case.
> 
> Considering these, I would think we could simply postpone the changes
> to __mcopy_atomic_hugetlb() until adding hugetlbfs support on uffd-wp.
> Mike, what do you think?

Ok, fair enough.
 
> Thanks!
> 
> -- 
> Peter Xu
>

[v2,10/26] userfaultfd: wp: add UFFDIO_COPY_MODE_WP

Commit Message

Comments

Patch