From: Mike Rapoport <rppt@kernel.org>
To: Nikita Kalyazin <kalyazin@amazon.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Suren Baghdasaryan <surenb@google.com>,
Peter Xu <peterx@redhat.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Vlastimil Babka <vbabka@suse.cz>,
Muchun Song <muchun.song@linux.dev>,
Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
James Houghton <jthoughton@google.com>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
Michal Hocko <mhocko@suse.com>,
David Hildenbrand <david@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Oscar Salvador <osalvador@suse.de>,
Axel Rasmussen <axelrasmussen@google.com>,
Ujwal Kundur <ujwal.kundur@gmail.com>
Subject: Re: [PATCH v2 1/4] mm: Introduce vm_uffd_ops API
Date: Wed, 2 Jul 2025 20:39:32 +0300 [thread overview]
Message-ID: <aGVu1Isy-R9RszxW@kernel.org> (raw)
In-Reply-To: <cda7c46b-c474-48f4-b703-e2f988470f3b@amazon.com>
On Wed, Jul 02, 2025 at 06:08:44PM +0100, Nikita Kalyazin wrote:
>
>
> On 02/07/2025 16:56, Lorenzo Stoakes wrote:
> > On Tue, Jul 01, 2025 at 10:04:28AM -0700, Suren Baghdasaryan wrote:
> > > On Mon, Jun 30, 2025 at 3:16 AM Lorenzo Stoakes
> > > <lorenzo.stoakes@oracle.com> wrote:
> > > > This feels like you're trying to put mm functionality outside of mm?
> > >
> > > To second that, two things stick out for me here:
> > > 1. uffd_copy and uffd_get_folio seem to be at different abstraction
> > > levels. uffd_copy is almost the entire copy operation for VM_SHARED
> > > VMAs while uffd_get_folio is a small part of the continue operation.
> > > 2. shmem_mfill_atomic_pte which becomes uffd_copy for shmem in the
> > > last patch is quite a complex function which itself calls some IMO
> > > pretty internal functions like mfill_atomic_install_pte(). Expecting
> > > modules to implement such functionality seems like a stretch to me but
> > > maybe this is for some specialized modules which are written by mm
> > > experts only?
> >
> > To echo what Liam said - I don't think we can truly rely on expertise here
> > (we make enough mistakes in core mm for that to be a dubious proposition
> > even tere :) and even if experts were involved, having core mm
> > functionality outside of core mm carries significant risk - we are
> > constantly changing things, including assumptions around sensitive topics
> > such as locking (think VMA locking) - having code elsewhere significantly
> > increases the risk of missing things.
> >
> > I am also absolutely, to be frank, not going to accept us EXPORT()'ing
> > anything core.
> >
> > Page table manipulation really must rely in core mm and arch code only, it
> > is easily some of the most subtle, confusing and dangerous code in mm (I
> > have spent subtantial hours banging my head against it recently), and again
> > - subject to constant change.
> >
> > But to come back to Liam's comments and to reiterate what I was referring
> > to earlier, even permitting drivers to have access to VMAs is _highly_
> > problematic and has resulted in very real bugs and subtle issues that took
> > many hours, much stress + gnashing of teeth to adress.
>
> The main target of this change is the implementation of UFFD for
> KVM/guest_memfd (examples: [1], [2]) to avoid bringing KVM-specific code
> into the mm codebase. We usually mean KVM by the "drivers" in this context,
> and it is already somewhat "knowledgeable" of the mm. I don't think there
> are existing use cases for other drivers to implement this at the moment.
>
> Although I can't see new exports in this series, there is now a way to limit
> exports to particular modules [3]. Would it help if we only do it for KVM
> initially (if/when actually needed)?
There were talks about pulling out guest_memfd core into mm, but I don't
remember patches about it. If parts of guest_memfd were already in mm/ that
would make easier to export uffd ops to it.
> [1]
> https://lore.kernel.org/all/114133f5-0282-463d-9d65-3143aa658806@amazon.com/
> [2]
> https://lore.kernel.org/all/7666ee96-6f09-4dc1-8cb2-002a2d2a29cf@amazon.com/
> [3] https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git/commit/?h=kbuild&id=707f853d7fa3ce323a6875487890c213e34d81a0
>
> Thanks,
> Nikita
>
> >
> > The very thing of:
> >
> > xxx
> > <hand off sensitive mutable state X, Y, Z to driver>
> > yyy
> >
> > Means that between xxx and yyy we can make literally no assumptions about
> > what just happened to all handed off state. A single instance of this has
> > caused mayhem, if we did this in such a way as to affect the _many_ uffd
> > hooks we could have a realy serious problem.
> >
> > So - what seems really positive about this series is the _generalisation_
> > and _abstraction_ of uffd functionality.
> >
> > That is something I appreciate and I think uffd sorely needs, in fact if we
> > could find a way to not need to do:
> >
> > if (some_uffd_predicate())
> > some_uffd_specific_fn();
> >
> > That'd be incredible.
> >
> > So I think the answer here is to do something like this, and to keep all
> > the mm-specific code in core mm.
> >
> > Thanks, Lorenzo
>
--
Sincerely yours,
Mike.
next prev parent reply other threads:[~2025-07-02 17:39 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-27 15:46 [PATCH v2 0/4] mm/userfaultfd: modulize memory types Peter Xu
2025-06-27 15:46 ` [PATCH v2 1/4] mm: Introduce vm_uffd_ops API Peter Xu
2025-06-29 8:50 ` Mike Rapoport
2025-07-02 19:30 ` Peter Xu
2025-06-30 10:15 ` Lorenzo Stoakes
2025-07-01 17:04 ` Suren Baghdasaryan
2025-07-02 15:40 ` Liam R. Howlett
2025-07-02 15:56 ` Lorenzo Stoakes
2025-07-02 17:08 ` Nikita Kalyazin
2025-07-02 17:39 ` Mike Rapoport [this message]
2025-07-02 19:46 ` Peter Xu
2025-07-03 17:48 ` Mike Rapoport
2025-07-04 9:34 ` David Hildenbrand
2025-07-04 14:59 ` Peter Xu
2025-07-04 19:39 ` Liam R. Howlett
2025-09-01 16:01 ` Nikita Kalyazin
2025-09-08 16:53 ` Liam R. Howlett
2025-09-16 20:05 ` Peter Xu
2025-09-17 15:29 ` Liam R. Howlett
2025-09-17 9:25 ` Mike Rapoport
2025-09-17 16:53 ` Liam R. Howlett
2025-09-18 8:37 ` Mike Rapoport
2025-09-18 16:47 ` Liam R. Howlett
2025-09-18 17:15 ` Nikita Kalyazin
2025-09-18 17:45 ` Lorenzo Stoakes
2025-09-18 17:53 ` David Hildenbrand
2025-09-18 18:20 ` Peter Xu
2025-09-18 19:43 ` Liam R. Howlett
2025-09-18 21:07 ` Peter Xu
2025-09-19 1:50 ` Liam R. Howlett
2025-09-19 14:16 ` Peter Xu
2025-09-19 14:34 ` Lorenzo Stoakes
2025-09-19 15:12 ` Peter Xu
2025-09-19 19:38 ` Liam R. Howlett
2025-09-22 16:33 ` Peter Xu
2025-09-22 17:20 ` David Hildenbrand
2025-09-22 18:03 ` Peter Xu
2025-09-18 17:54 ` Liam R. Howlett
2025-09-18 18:05 ` Mike Rapoport
2025-09-18 18:32 ` Liam R. Howlett
2025-09-18 19:32 ` Peter Xu
2025-09-19 9:05 ` Mike Rapoport
2025-09-16 19:55 ` Peter Xu
2025-09-19 17:22 ` Liam R. Howlett
2025-09-22 16:38 ` Peter Xu
2025-07-02 21:24 ` Liam R. Howlett
2025-07-02 21:36 ` Peter Xu
2025-07-03 2:00 ` Liam R. Howlett
2025-07-03 15:24 ` Peter Xu
2025-07-03 16:15 ` Lorenzo Stoakes
2025-07-03 17:39 ` Liam R. Howlett
2025-07-02 20:24 ` Peter Xu
2025-07-03 16:32 ` Lorenzo Stoakes
2025-07-02 18:16 ` Mike Rapoport
2025-07-02 20:22 ` Peter Xu
2025-07-03 15:01 ` Suren Baghdasaryan
2025-07-03 15:45 ` Peter Xu
2025-07-03 16:01 ` Lorenzo Stoakes
2025-06-27 15:46 ` [PATCH v2 2/4] mm/shmem: Support " Peter Xu
2025-06-29 8:51 ` Mike Rapoport
2025-06-27 15:46 ` [PATCH v2 3/4] mm/hugetlb: " Peter Xu
2025-06-29 8:52 ` Mike Rapoport
2025-06-27 15:46 ` [PATCH v2 4/4] mm: Apply vm_uffd_ops API to core mm Peter Xu
2025-06-29 8:55 ` Mike Rapoport
2025-07-02 20:38 ` Peter Xu
2025-06-30 10:29 ` [PATCH v2 0/4] mm/userfaultfd: modulize memory types Lorenzo Stoakes
2025-07-01 0:15 ` Andrew Morton
2025-07-02 20:36 ` Peter Xu
2025-07-03 15:55 ` Lorenzo Stoakes
2025-07-03 16:26 ` Peter Xu
2025-07-03 16:44 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aGVu1Isy-R9RszxW@kernel.org \
--to=rppt@kernel.org \
--cc=Liam.Howlett@oracle.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=axelrasmussen@google.com \
--cc=david@redhat.com \
--cc=hughd@google.com \
--cc=jthoughton@google.com \
--cc=kalyazin@amazon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mhocko@suse.com \
--cc=muchun.song@linux.dev \
--cc=osalvador@suse.de \
--cc=peterx@redhat.com \
--cc=surenb@google.com \
--cc=ujwal.kundur@gmail.com \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.