* [PATCH v3 19/20] fs/proc/task_mmu: remove per-page mapcount dependency for smaps/smaps_rollup (CONFIG_NO_PAGE_MAPCOUNT)
From: David Hildenbrand @ 2025-03-03 16:30 UTC (permalink / raw)
To: linux-kernel
Cc: linux-doc, cgroups, linux-mm, linux-fsdevel, linux-api,
David Hildenbrand, Andrew Morton, Matthew Wilcox (Oracle),
Tejun Heo, Zefan Li, Johannes Weiner, Michal Koutný,
Jonathan Corbet, Andy Lutomirski, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, Muchun Song, Liam R. Howlett,
Lorenzo Stoakes, Vlastimil Babka, Jann Horn
In-Reply-To: <20250303163014.1128035-1-david@redhat.com>
Let's implement an alternative when per-page mapcounts in large folios are
no longer maintained -- soon with CONFIG_NO_PAGE_MAPCOUNT.
When computing the output for smaps / smaps_rollups, in particular when
calculating the USS (Unique Set Size) and the PSS (Proportional Set Size),
we still rely on per-page mapcounts.
To determine private vs. shared, we'll use folio_likely_mapped_shared(),
similar to how we handle PM_MMAP_EXCLUSIVE. Similarly, we might now
under-estimate the USS and count pages towards "shared" that are
actually "private" ("exclusively mapped").
When calculating the PSS, we'll now also use the average per-page
mapcount for large folios: this can result in both, an over-estimation
and an under-estimation of the PSS. The difference is not expected to
matter much in practice, but we'll have to learn as we go.
We can now provide folio_precise_page_mapcount() only with
CONFIG_PAGE_MAPCOUNT, and remove one of the last users of per-page
mapcounts when CONFIG_NO_PAGE_MAPCOUNT is enabled.
Document the new behavior.
Signed-off-by: David Hildenbrand <david@redhat.com>
---
Documentation/filesystems/proc.rst | 22 +++++++++++++++++++---
fs/proc/internal.h | 8 ++++++++
fs/proc/task_mmu.c | 17 +++++++++++++++--
3 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
index 1aa190017f796..c9e62e8e0685e 100644
--- a/Documentation/filesystems/proc.rst
+++ b/Documentation/filesystems/proc.rst
@@ -502,9 +502,25 @@ process, its PSS will be 1500. "Pss_Dirty" is the portion of PSS which
consists of dirty pages. ("Pss_Clean" is not included, but it can be
calculated by subtracting "Pss_Dirty" from "Pss".)
-Note that even a page which is part of a MAP_SHARED mapping, but has only
-a single pte mapped, i.e. is currently used by only one process, is accounted
-as private and not as shared.
+Traditionally, a page is accounted as "private" if it is mapped exactly once,
+and a page is accounted as "shared" when mapped multiple times, even when
+mapped in the same process multiple times. Note that this accounting is
+independent of MAP_SHARED.
+
+In some kernel configurations, the semantics of pages part of a larger
+allocation (e.g., THP) can differ: a page is accounted as "private" if all
+pages part of the corresponding large allocation are *certainly* mapped in the
+same process, even if the page is mapped multiple times in that process. A
+page is accounted as "shared" if any page page of the larger allocation
+is *maybe* mapped in a different process. In some cases, a large allocation
+might be treated as "maybe mapped by multiple processes" even though this
+is no longer the case.
+
+Some kernel configurations do not track the precise number of times a page part
+of a larger allocation is mapped. In this case, when calculating the PSS, the
+average number of mappings per page in this larger allocation might be used
+as an approximation for the number of mappings of a page. The PSS calculation
+will be imprecise in this case.
"Referenced" indicates the amount of memory currently marked as referenced or
accessed.
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index 96ea58e843114..8c921bc8652d9 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -143,6 +143,7 @@ unsigned name_to_int(const struct qstr *qstr);
/* Worst case buffer size needed for holding an integer. */
#define PROC_NUMBUF 13
+#ifdef CONFIG_PAGE_MAPCOUNT
/**
* folio_precise_page_mapcount() - Number of mappings of this folio page.
* @folio: The folio.
@@ -173,6 +174,13 @@ static inline int folio_precise_page_mapcount(struct folio *folio,
return mapcount;
}
+#else /* !CONFIG_PAGE_MAPCOUNT */
+static inline int folio_precise_page_mapcount(struct folio *folio,
+ struct page *page)
+{
+ BUILD_BUG();
+}
+#endif /* CONFIG_PAGE_MAPCOUNT */
/**
* folio_average_page_mapcount() - Average number of mappings per page in this
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 5043376ebd476..061f16b767118 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -707,6 +707,8 @@ static void smaps_account(struct mem_size_stats *mss, struct page *page,
struct folio *folio = page_folio(page);
int i, nr = compound ? compound_nr(page) : 1;
unsigned long size = nr * PAGE_SIZE;
+ bool exclusive;
+ int mapcount;
/*
* First accumulate quantities that depend only on |size| and the type
@@ -747,18 +749,29 @@ static void smaps_account(struct mem_size_stats *mss, struct page *page,
dirty, locked, present);
return;
}
+
+ if (IS_ENABLED(CONFIG_NO_PAGE_MAPCOUNT)) {
+ mapcount = folio_average_page_mapcount(folio);
+ exclusive = !folio_maybe_mapped_shared(folio);
+ }
+
/*
* We obtain a snapshot of the mapcount. Without holding the folio lock
* this snapshot can be slightly wrong as we cannot always read the
* mapcount atomically.
*/
for (i = 0; i < nr; i++, page++) {
- int mapcount = folio_precise_page_mapcount(folio, page);
unsigned long pss = PAGE_SIZE << PSS_SHIFT;
+
+ if (IS_ENABLED(CONFIG_PAGE_MAPCOUNT)) {
+ mapcount = folio_precise_page_mapcount(folio, page);
+ exclusive = mapcount < 2;
+ }
+
if (mapcount >= 2)
pss /= mapcount;
smaps_page_accumulate(mss, folio, PAGE_SIZE, pss,
- dirty, locked, mapcount < 2);
+ dirty, locked, exclusive);
}
}
--
2.48.1
^ permalink raw reply related
* [PATCH v3 17/20] fs/proc/task_mmu: remove per-page mapcount dependency for PM_MMAP_EXCLUSIVE (CONFIG_NO_PAGE_MAPCOUNT)
From: David Hildenbrand @ 2025-03-03 16:30 UTC (permalink / raw)
To: linux-kernel
Cc: linux-doc, cgroups, linux-mm, linux-fsdevel, linux-api,
David Hildenbrand, Andrew Morton, Matthew Wilcox (Oracle),
Tejun Heo, Zefan Li, Johannes Weiner, Michal Koutný,
Jonathan Corbet, Andy Lutomirski, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, Muchun Song, Liam R. Howlett,
Lorenzo Stoakes, Vlastimil Babka, Jann Horn
In-Reply-To: <20250303163014.1128035-1-david@redhat.com>
Let's implement an alternative when per-page mapcounts in large folios are
no longer maintained -- soon with CONFIG_NO_PAGE_MAPCOUNT.
PM_MMAP_EXCLUSIVE will now be set if folio_likely_mapped_shared() is
true -- when the folio is considered "mapped shared", including when
it once was "mapped shared" but no longer is, as documented.
This might result in and under-indication of "exclusively mapped", which
is considered better than over-indicating it: under-estimating the USS
(Unique Set Size) is better than over-estimating it.
As an alternative, we could simply remove that flag with
CONFIG_NO_PAGE_MAPCOUNT completely, but there might be value to it. So,
let's keep it like that and document the behavior.
Signed-off-by: David Hildenbrand <david@redhat.com>
---
Documentation/admin-guide/mm/pagemap.rst | 11 +++++++++++
fs/proc/task_mmu.c | 11 +++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/Documentation/admin-guide/mm/pagemap.rst b/Documentation/admin-guide/mm/pagemap.rst
index d6647daca9122..afce291649dd6 100644
--- a/Documentation/admin-guide/mm/pagemap.rst
+++ b/Documentation/admin-guide/mm/pagemap.rst
@@ -38,6 +38,17 @@ There are four components to pagemap:
precisely which pages are mapped (or in swap) and comparing mapped
pages between processes.
+ Traditionally, bit 56 indicates that a page is mapped exactly once and bit
+ 56 is clear when a page is mapped multiple times, even when mapped in the
+ same process multiple times. In some kernel configurations, the semantics
+ for pages part of a larger allocation (e.g., THP) can differ: bit 56 is set
+ if all pages part of the corresponding large allocation are *certainly*
+ mapped in the same process, even if the page is mapped multiple times in that
+ process. Bit 56 is clear when any page page of the larger allocation
+ is *maybe* mapped in a different process. In some cases, a large allocation
+ might be treated as "maybe mapped by multiple processes" even though this
+ is no longer the case.
+
Efficient users of this interface will use ``/proc/pid/maps`` to
determine which areas of memory are actually mapped and llseek to
skip over unmapped regions.
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 1162f0e72df2e..f937c2df7b3f4 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -1652,6 +1652,13 @@ static int add_to_pagemap(pagemap_entry_t *pme, struct pagemapread *pm)
return 0;
}
+static bool __folio_page_mapped_exclusively(struct folio *folio, struct page *page)
+{
+ if (IS_ENABLED(CONFIG_PAGE_MAPCOUNT))
+ return folio_precise_page_mapcount(folio, page) == 1;
+ return !folio_maybe_mapped_shared(folio);
+}
+
static int pagemap_pte_hole(unsigned long start, unsigned long end,
__always_unused int depth, struct mm_walk *walk)
{
@@ -1742,7 +1749,7 @@ static pagemap_entry_t pte_to_pagemap_entry(struct pagemapread *pm,
if (!folio_test_anon(folio))
flags |= PM_FILE;
if ((flags & PM_PRESENT) &&
- folio_precise_page_mapcount(folio, page) == 1)
+ __folio_page_mapped_exclusively(folio, page))
flags |= PM_MMAP_EXCLUSIVE;
}
if (vma->vm_flags & VM_SOFTDIRTY)
@@ -1817,7 +1824,7 @@ static int pagemap_pmd_range(pmd_t *pmdp, unsigned long addr, unsigned long end,
pagemap_entry_t pme;
if (folio && (flags & PM_PRESENT) &&
- folio_precise_page_mapcount(folio, page + idx) == 1)
+ __folio_page_mapped_exclusively(folio, page))
cur_flags |= PM_MMAP_EXCLUSIVE;
pme = make_pme(frame, cur_flags);
--
2.48.1
^ permalink raw reply related
* Re: [PATCH v3 00/20] mm: MM owner tracking for large folios (!hugetlb) + CONFIG_NO_PAGE_MAPCOUNT
From: Andrew Morton @ 2025-03-03 22:43 UTC (permalink / raw)
To: David Hildenbrand
Cc: linux-kernel, linux-doc, cgroups, linux-mm, linux-fsdevel,
linux-api, Matthew Wilcox (Oracle), Tejun Heo, Zefan Li,
Johannes Weiner, Michal Koutný, Jonathan Corbet,
Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, Muchun Song, Liam R. Howlett, Lorenzo Stoakes,
Vlastimil Babka, Jann Horn
In-Reply-To: <20250303163014.1128035-1-david@redhat.com>
On Mon, 3 Mar 2025 17:29:53 +0100 David Hildenbrand <david@redhat.com> wrote:
> Some smaller change based on Zi Yan's feedback (thanks!).
>
>
> Let's add an "easy" way to decide -- without false positives, without
> page-mapcounts and without page table/rmap scanning -- whether a large
> folio is "certainly mapped exclusively" into a single MM, or whether it
> "maybe mapped shared" into multiple MMs.
>
> Use that information to implement Copy-on-Write reuse, to convert
> folio_likely_mapped_shared() to folio_maybe_mapped_share(), and to
> introduce a kernel config option that let's us not use+maintain
> per-page mapcounts in large folios anymore.
>
> ...
>
> The goal is to make CONFIG_NO_PAGE_MAPCOUNT the default at some point,
> to then slowly make it the only option, as we learn about real-life
> impacts and possible ways to mitigate them.
I expect that we'll get very little runtime testing this way, and we
won't hear about that testing unless there's a failure.
Part of me wants to make it default on right now, but that's perhaps a
bit mean to linux-next testers.
Or perhaps default-off for now and switch to default-y for 6.15-rcX?
I suggest this just to push things along more aggressively - we may
choose to return to default-off after a few weeks of -rcX.
^ permalink raw reply
* Re: [PATCH v3 00/20] mm: MM owner tracking for large folios (!hugetlb) + CONFIG_NO_PAGE_MAPCOUNT
From: David Hildenbrand @ 2025-03-04 10:21 UTC (permalink / raw)
To: Andrew Morton
Cc: linux-kernel, linux-doc, cgroups, linux-mm, linux-fsdevel,
linux-api, Matthew Wilcox (Oracle), Tejun Heo, Zefan Li,
Johannes Weiner, Michal Koutný, Jonathan Corbet,
Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, Muchun Song, Liam R. Howlett, Lorenzo Stoakes,
Vlastimil Babka, Jann Horn
In-Reply-To: <20250303144332.4cb51677966b515ee0c89a44@linux-foundation.org>
On 03.03.25 23:43, Andrew Morton wrote:
> On Mon, 3 Mar 2025 17:29:53 +0100 David Hildenbrand <david@redhat.com> wrote:
>
>> Some smaller change based on Zi Yan's feedback (thanks!).
>>
>>
>> Let's add an "easy" way to decide -- without false positives, without
>> page-mapcounts and without page table/rmap scanning -- whether a large
>> folio is "certainly mapped exclusively" into a single MM, or whether it
>> "maybe mapped shared" into multiple MMs.
>>
>> Use that information to implement Copy-on-Write reuse, to convert
>> folio_likely_mapped_shared() to folio_maybe_mapped_share(), and to
>> introduce a kernel config option that let's us not use+maintain
>> per-page mapcounts in large folios anymore.
>>
>> ...
>>
>> The goal is to make CONFIG_NO_PAGE_MAPCOUNT the default at some point,
>> to then slowly make it the only option, as we learn about real-life
>> impacts and possible ways to mitigate them.
>
> I expect that we'll get very little runtime testing this way, and we
> won't hear about that testing unless there's a failure.
>
> Part of me wants to make it default on right now, but that's perhaps a
> bit mean to linux-next testers.
Yes, letting this sit at least for some time before we enable it in
linux-next as default might make sense.
> > Or perhaps default-off for now and switch to default-y for 6.15-rcX?
Maybe default-off for now, until we rebase mm-unstable to 6.15-rcX.
Then, default on first in linux-next, and then upstream (6.16).
>
> I suggest this just to push things along more aggressively - we may
> choose to return to default-off after a few weeks of -rcX.
Yeah, I'm usually very careful; sometimes a bit too careful :)
--
Cheers,
David / dhildenb
^ permalink raw reply
* Re: [PATCH v3 03/20] mm: let _folio_nr_pages overlay memcg_data in first tail page
From: David Hildenbrand @ 2025-03-05 10:29 UTC (permalink / raw)
To: linux-kernel
Cc: linux-doc, cgroups, linux-mm, linux-fsdevel, linux-api,
Andrew Morton, Matthew Wilcox (Oracle), Tejun Heo, Zefan Li,
Johannes Weiner, Michal Koutný, Jonathan Corbet,
Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, Muchun Song, Liam R. Howlett, Lorenzo Stoakes,
Vlastimil Babka, Jann Horn, Kirill A. Shutemov, Stephen Rothwell
In-Reply-To: <20250303163014.1128035-4-david@redhat.com>
On 03.03.25 17:29, David Hildenbrand wrote:
> Let's free up some more of the "unconditionally available on 64BIT"
> space in order-1 folios by letting _folio_nr_pages overlay memcg_data in
> the first tail page (second folio page). Consequently, we have the
> optimization now whenever we have CONFIG_MEMCG, independent of 64BIT.
>
> We have to make sure that page->memcg on tail pages does not return
> "surprises". page_memcg_check() already properly refuses PageTail().
> Let's do that earlier in print_page_owner_memcg() to avoid printing
> wrong "Slab cache page" information. No other code should touch that
> field on tail pages of compound pages.
>
> Reset the "_nr_pages" to 0 when splitting folios, or when freeing them
> back to the buddy (to avoid false page->memcg_data "bad page" reports).
>
> Note that in __split_huge_page(), folio_nr_pages() would stop working
> already as soon as we start messing with the subpages.
>
> Most kernel configs should have at least CONFIG_MEMCG enabled, even if
> disabled at runtime. 64byte "struct memmap" is what we usually have
> on 64BIT.
>
> While at it, rename "_folio_nr_pages" to "_nr_pages".
>
> Hopefully memdescs / dynamically allocating "strut folio" in the future
> will further clean this up, e.g., making _nr_pages available in all
> configs and maybe even in small folios. Doing that should be fairly easy
> on top of this change.
>
> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Signed-off-by: David Hildenbrand <david@redhat.com>
> ---
> include/linux/mm.h | 4 ++--
> include/linux/mm_types.h | 30 ++++++++++++++++++++++--------
> mm/huge_memory.c | 16 +++++++++++++---
> mm/internal.h | 4 ++--
> mm/page_alloc.c | 6 +++++-
> mm/page_owner.c | 2 +-
> 6 files changed, 45 insertions(+), 17 deletions(-)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index a743321dc1a5d..694704217df8a 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -1199,10 +1199,10 @@ static inline unsigned int folio_large_order(const struct folio *folio)
> return folio->_flags_1 & 0xff;
> }
>
> -#ifdef CONFIG_64BIT
> +#ifdef NR_PAGES_IN_LARGE_FOLIO
> static inline long folio_large_nr_pages(const struct folio *folio)
> {
> - return folio->_folio_nr_pages;
> + return folio->_nr_pages;
> }
> #else
> static inline long folio_large_nr_pages(const struct folio *folio)
> diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
> index 689b2a7461892..e81be20bbabc6 100644
> --- a/include/linux/mm_types.h
> +++ b/include/linux/mm_types.h
> @@ -287,6 +287,11 @@ typedef struct {
> unsigned long val;
> } swp_entry_t;
>
> +#if defined(CONFIG_MEMCG) || defined(CONFIG_SLAB_OBJ_EXT)
> +/* We have some extra room after the refcount in tail pages. */
> +#define NR_PAGES_IN_LARGE_FOLIO
> +#endif
> +
> /**
> * struct folio - Represents a contiguous set of bytes.
> * @flags: Identical to the page flags.
> @@ -312,7 +317,7 @@ typedef struct {
> * @_large_mapcount: Do not use directly, call folio_mapcount().
> * @_nr_pages_mapped: Do not use outside of rmap and debug code.
> * @_pincount: Do not use directly, call folio_maybe_dma_pinned().
> - * @_folio_nr_pages: Do not use directly, call folio_nr_pages().
> + * @_nr_pages: Do not use directly, call folio_nr_pages().
> * @_hugetlb_subpool: Do not use directly, use accessor in hugetlb.h.
> * @_hugetlb_cgroup: Do not use directly, use accessor in hugetlb_cgroup.h.
> * @_hugetlb_cgroup_rsvd: Do not use directly, use accessor in hugetlb_cgroup.h.
> @@ -377,13 +382,20 @@ struct folio {
> unsigned long _flags_1;
> unsigned long _head_1;
> /* public: */
> - atomic_t _large_mapcount;
> - atomic_t _entire_mapcount;
> - atomic_t _nr_pages_mapped;
> - atomic_t _pincount;
> -#ifdef CONFIG_64BIT
> - unsigned int _folio_nr_pages;
> -#endif
> + union {
> + struct {
> + atomic_t _large_mapcount;
> + atomic_t _entire_mapcount;
> + atomic_t _nr_pages_mapped;
> + atomic_t _pincount;
> + };
> + unsigned long _usable_1[4];
> + };
> + atomic_t _mapcount_1;
> + atomic_t _refcount_1;
> +#ifdef NR_PAGES_IN_LARGE_FOLIO
> + unsigned int _nr_pages;
> +#endif /* NR_PAGES_IN_LARGE_FOLIO */
> /* private: the union with struct page is transitional */
@Andrew
The following on top to make htmldoc happy.
There will be two conflicts to be resolved in two patches because of
the added "/* private: " under "_pincount".
It's fairly straight forward to resolve (just keep "/* private:" below
any changes), but let me know if I should resend a v4 instead for this.
From 9d9ff38c2ea14f1b4dab29f099ec0f6be683f3fe Mon Sep 17 00:00:00 2001
From: David Hildenbrand <david@redhat.com>
Date: Wed, 5 Mar 2025 11:14:52 +0100
Subject: [PATCH] fixup: mm: let _folio_nr_pages overlay memcg_data in first
tail page
Make "make htmldoc" happy by marking non-private placeholder entries
private.
Signed-off-by: David Hildenbrand <david@redhat.com>
---
include/linux/mm_types.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index e81be20bbabc..6062c12c3871 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -381,18 +381,20 @@ struct folio {
struct {
unsigned long _flags_1;
unsigned long _head_1;
- /* public: */
union {
struct {
+ /* public: */
atomic_t _large_mapcount;
atomic_t _entire_mapcount;
atomic_t _nr_pages_mapped;
atomic_t _pincount;
+ /* private: the union with struct page is transitional */
};
unsigned long _usable_1[4];
};
atomic_t _mapcount_1;
atomic_t _refcount_1;
+ /* public: */
#ifdef NR_PAGES_IN_LARGE_FOLIO
unsigned int _nr_pages;
#endif /* NR_PAGES_IN_LARGE_FOLIO */
--
2.48.1
--
Cheers,
David / dhildenb
^ permalink raw reply related
* Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check
From: Jiri Olsa @ 2025-03-06 10:57 UTC (permalink / raw)
To: Jiri Olsa
Cc: Andy Lutomirski, Kees Cook, Steven Rostedt, Masami Hiramatsu,
Oleg Nesterov, Peter Zijlstra, Andrii Nakryiko, Eyal Birger,
stable, Jann Horn, linux-kernel, linux-trace-kernel, linux-api,
x86, bpf, Thomas Gleixner, Ingo Molnar, Deepak Gupta,
Stephen Rothwell
In-Reply-To: <Z7MnB3yf2u9eR1yp@krava>
On Mon, Feb 17, 2025 at 01:09:43PM +0100, Jiri Olsa wrote:
> On Thu, Feb 13, 2025 at 09:58:29AM -0800, Andy Lutomirski wrote:
> > On Thu, Feb 13, 2025 at 1:16 AM Jiri Olsa <olsajiri@gmail.com> wrote:
> > >
> > > On Wed, Feb 12, 2025 at 05:37:11PM -0800, Andy Lutomirski wrote:
> > > > On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@kernel.org> wrote:
> > > > >
> > > > > Jann reported [1] possible issue when trampoline_check_ip returns
> > > > > address near the bottom of the address space that is allowed to
> > > > > call into the syscall if uretprobes are not set up.
> > > > >
> > > > > Though the mmap minimum address restrictions will typically prevent
> > > > > creating mappings there, let's make sure uretprobe syscall checks
> > > > > for that.
> > > >
> > > > It would be a layering violation, but we could perhaps do better here:
> > > >
> > > > > - if (regs->ip != trampoline_check_ip())
> > > > > + /* Make sure the ip matches the only allowed sys_uretprobe caller. */
> > > > > + if (unlikely(regs->ip != trampoline_check_ip(tramp)))
> > > > > goto sigill;
> > > >
> > > > Instead of SIGILL, perhaps this should do the seccomp action? So the
> > > > logic in seccomp would be (sketchily, with some real mode1 mess):
> > > >
> > > > if (is_a_real_uretprobe())
> > > > skip seccomp;
> > >
> > > IIUC you want to move the address check earlier to the seccomp path..
> > > with the benefit that we would kill not allowed caller sooner?
> >
> > The benefit would be that seccomp users that want to do something
> > other than killing a process (returning an error code, getting
> > notified, etc) could retain that functionality without the new
> > automatic hole being poked for uretprobe() in cases where uprobes
> > aren't in use or where the calling address doesn't match the uprobe
> > trampoline. IOW it would reduce the scope to which we're making
> > seccomp behave unexpectedly.
>
> Kees, any thoughts about this approach?
ping, any idea?
thanks,
jirka
>
> thanks,
> jirka
>
>
> >
> > >
> > > jirka
> > >
> > > >
> > > > where is_a_real_uretprobe() is only true if the nr and arch match
> > > > uretprobe *and* the address is right.
> > > >
> > > > --Andy
> > >
^ permalink raw reply
* Re: [PATCHv3 perf/core] uprobes: Harden uretprobe syscall trampoline check
From: Ingo Molnar @ 2025-03-06 11:22 UTC (permalink / raw)
To: Jiri Olsa
Cc: Andy Lutomirski, Kees Cook, Steven Rostedt, Masami Hiramatsu,
Oleg Nesterov, Peter Zijlstra, Andrii Nakryiko, Eyal Birger,
stable, Jann Horn, linux-kernel, linux-trace-kernel, linux-api,
x86, bpf, Thomas Gleixner, Ingo Molnar, Deepak Gupta,
Stephen Rothwell, Alexei Starovoitov
In-Reply-To: <Z8l_ipCn8tBE1d9Q@krava>
* Jiri Olsa <olsajiri@gmail.com> wrote:
> On Mon, Feb 17, 2025 at 01:09:43PM +0100, Jiri Olsa wrote:
> > On Thu, Feb 13, 2025 at 09:58:29AM -0800, Andy Lutomirski wrote:
> > > On Thu, Feb 13, 2025 at 1:16 AM Jiri Olsa <olsajiri@gmail.com> wrote:
> > > >
> > > > On Wed, Feb 12, 2025 at 05:37:11PM -0800, Andy Lutomirski wrote:
> > > > > On Wed, Feb 12, 2025 at 2:04 PM Jiri Olsa <jolsa@kernel.org> wrote:
> > > > > >
> > > > > > Jann reported [1] possible issue when trampoline_check_ip returns
> > > > > > address near the bottom of the address space that is allowed to
> > > > > > call into the syscall if uretprobes are not set up.
> > > > > >
> > > > > > Though the mmap minimum address restrictions will typically prevent
> > > > > > creating mappings there, let's make sure uretprobe syscall checks
> > > > > > for that.
> > > > >
> > > > > It would be a layering violation, but we could perhaps do better here:
> > > > >
> > > > > > - if (regs->ip != trampoline_check_ip())
> > > > > > + /* Make sure the ip matches the only allowed sys_uretprobe caller. */
> > > > > > + if (unlikely(regs->ip != trampoline_check_ip(tramp)))
> > > > > > goto sigill;
> > > > >
> > > > > Instead of SIGILL, perhaps this should do the seccomp action? So the
> > > > > logic in seccomp would be (sketchily, with some real mode1 mess):
> > > > >
> > > > > if (is_a_real_uretprobe())
> > > > > skip seccomp;
> > > >
> > > > IIUC you want to move the address check earlier to the seccomp path..
> > > > with the benefit that we would kill not allowed caller sooner?
> > >
> > > The benefit would be that seccomp users that want to do something
> > > other than killing a process (returning an error code, getting
> > > notified, etc) could retain that functionality without the new
> > > automatic hole being poked for uretprobe() in cases where uprobes
> > > aren't in use or where the calling address doesn't match the uprobe
> > > trampoline. IOW it would reduce the scope to which we're making
> > > seccomp behave unexpectedly.
> >
> > Kees, any thoughts about this approach?
>
> ping, any idea?
So in any case I think the seccomp QoL tie-in suggested by Andy should
be done in a separate patch, and I've applied the -v3 patch to
tip:perf/core as-is.
( I've added Alexei's Acked-by too, which as I've read the v2 thread's
discussion was a given as long as his ~0 suggestion was implemented,
which you did. )
Thanks,
Ingo
^ permalink raw reply
* Re: [RFC PATCH 5/9] Define user structure for events and responses.
From: Mickaël Salaün @ 2025-03-08 19:07 UTC (permalink / raw)
To: Tingmao Wang
Cc: Günther Noack, Jan Kara, linux-security-module,
Amir Goldstein, Matthew Bobrowski, linux-fsdevel, Tycho Andersen,
Christian Brauner, Kees Cook, Jann Horn, Andy Lutomirski,
Paul Moore, linux-api
In-Reply-To: <fbb8e557-0b63-4bbe-b8ac-3f7ba2983146@maowtm.org>
On Thu, Mar 06, 2025 at 03:05:10AM +0000, Tingmao Wang wrote:
> On 3/4/25 19:49, Mickaël Salaün wrote:
> > On Tue, Mar 04, 2025 at 01:13:01AM +0000, Tingmao Wang wrote:
> [...]
> > > + /**
> > > + * @cookie: Opaque identifier to be included in the response.
> > > + */
> > > + __u32 cookie;
> >
> > I guess we could use a __u64 index counter per layer instead. That
> > would also help to order requests if they are treated by different
> > supervisor threads.
>
> I don't immediately see a use for ordering requests (if we get more than one
> event at once, they are coming from different threads anyway so there can't
> be any dependencies between them, and the supervisor threads can use
> timestamps), but I think making it a __u64 is probably a good idea
> regardless, as it means we don't have to do some sort of ID allocation, and
> can just increment an atomic.
Indeed, we should follow the seccomp unotify approach with a random u64
incremented per request.
>
> > > +};
> > > +
> > > +struct landlock_supervise_event {
> > > + struct landlock_supervise_event_hdr hdr;
> > > + __u64 access_request;
> > > + __kernel_pid_t accessor;
> > > + union {
> > > + struct {
> > > + /**
> > > + * @fd1: An open file descriptor for the file (open,
> > > + * delete, execute, link, readdir, rename, truncate),
> > > + * or the parent directory (for create operations
> > > + * targeting its child) being accessed. Must be
> > > + * closed by the reader.
> > > + *
> > > + * If this points to a parent directory, @destname
> > > + * will contain the target filename. If @destname is
> > > + * empty, this points to the target file.
> > > + */
> > > + int fd1;
> > > + /**
> > > + * @fd2: For link or rename requests, a second file
> > > + * descriptor for the target parent directory. Must
> > > + * be closed by the reader. @destname contains the
> > > + * destination filename. This field is -1 if not
> > > + * used.
> > > + */
> > > + int fd2;
> >
> > Can we just use one FD but identify the requested access instead and
> > send one event for each, like for the audit patch series?
>
> I haven't managed to read or test out the audit patch yet (I will do), but I
> think having the ability to specifically tell whether the child is trying to
> move / rename / create a hard link of an existing file, and what it's trying
> to use as destination, might be useful (either for security, or purely for
> UX)?
>
> For example, imagine something trying to link or move ~/.ssh/id_ecdsa to
> /tmp/innocent-tmp-file then read the latter. The supervisor can warn the
> user on the initial link attempt, and the shenanigan will probably be
> stopped there (although still, being able to say "[program] wants to link
> ~/.ssh/id_ecdsa to /tmp/innocent-tmp-file" seems better than just "[program]
> wants to create a link for ~/.ssh/id_ecdsa"), but even if somehow this ends
> up allowed, later on for the read request it could say something like
>
> [program] wants to read /tmp/innocent-tmp-file
> (previously moved from ~/.ssh/id_ecdsa)
>
> Maybe this is a bit silly, but there might be other use cases for knowing
> the exact details of a rename/link request, either for at-the-time decision
> making, or tracking stuff for future requests?
This pattern looks like datagram packets. I think we should use the
netlink attributes. There were concern about using a netlink socket for
the seccomp unotification though:
https://lore.kernel.org/all/CALCETrXeZZfVzXh7SwKhyB=+ySDk5fhrrdrXrcABsQ=JpQT7Tg@mail.gmail.com/
There are two main differences with seccomp unotify:
- the supervisor should be able to receive arbitrary-sized data (e.g.
file name, not path);
- the supervisor should be able to receive file descriptors (instead of
path).
Sockets are created with socket(2) whereas in our case we should only
get a supervisor FD (indirectly) through landlock_restrict_self(2),
which clearly identifies a kernel object. Another issue would be to
deal with network namespaces, probably by creating a private one.
Sockets are powerful but we don't needs all the routing complexity.
Moreover, we should only need a blocking communication channel to avoid
issues managing in-flight object references (transformed to FDs when
received). That makes me think that a socket might not be the right
construct, but we can still rely on the NLA macros to define a proper
protocol with dynamically-sized events, received and send with dedicated
IOCTL commands.
Netlink already provides a way to send a cookie, and
netlink_attribute_type defines the types we'll need, including string.
For instance, a link request/event could include 3 packets, one for each
of these properties:
1. the source file FD;
2. the destination directory FD;
3. the destination filename string.
This way we would avoid the union defined in this patch.
There is still the question about receiving FDs though. It would be nice
to have a (set of?) dedicated IOCTL(s) to receive an FD, but I'm not
sure how this could be properly handled wrt NLA.
>
> I will try out the audit patch to see how things like these appears in the
> log before commenting further on this. Maybe there is a way to achieve this
> while still simplifying the event structure?
>
> >
> > > + /**
> > > + * @destname: A filename for a file creation target.
> > > + *
> > > + * If either of fd1 or fd2 points to a parent
> > > + * directory rather than the target file, this is the
> > > + * NULL-terminated name of the file that will be
> > > + * newly created.
> > > + *
> > > + * Counting the NULL terminator, this field will
> > > + * contain one or more NULL padding at the end so
> > > + * that the length of the whole struct
> > > + * landlock_supervise_event is a multiple of 8 bytes.
> > > + *
> > > + * This is a variable length member, and the length
> > > + * including the terminating NULL(s) can be derived
> > > + * from hdr.length - offsetof(struct
> > > + * landlock_supervise_event, destname).
> > > + */
> > > + char destname[];
> >
> > I'd prefer to avoid sending file names for now. I don't think it's
> > necessary, and that could encourage supervisors to filter access
> > according to names.
> >
>
> This is also motivated by the potential UX I'm thinking of. For example, if
> a newly installed application tries to create ~/.app-name, it will be much
> more reassuring and convenient to the user if we can show something like
>
> [program] wants to mkdir ~/.app-name. Allow this and future
> access to the new directory?
>
> rather than just "[program] wants to mkdir under ~". (The "Allow this and
> future access to the new directory" bit is made possible by the supervisor
> knowing the name of the file/directory being created, and can remember them
> / write them out to a persistent profile etc)
>
> Note that this is just the filename under the dir represented by fd - this
> isn't a path or anything that can be subject to symlink-related attacks,
> etc. If a program calls e.g.
> mkdirat or openat (dfd -> "/some/", pathname="dir/stuff", O_CREAT)
> my understanding is that fd1 will point to /some/dir, and destname would be
> "stuff"
Right, this file name information would be useful. In the case of
audit, the goal is to efficiently and asynchronously log security events
(and align with other LSM logs and related limitations), not primarily
to debug sandboxed apps nor to enrich this information for decision
making, but the supervisor feature would help here. The patch message
should include this rationale.
>
> Actually, in case your question is "why not send a fd to represent the newly
> created file, instead of sending the name" -- I'm not sure whether you can
> open even an O_PATH fd to a non-existent file.
That would not be possible because it would not exist yet, a file name
(not file path) is OK for this case.
>
> > > + };
> > > + struct {
> > > + __u16 port;
> > > + };
> > > + };
> > > +};
> > > +
> >
> > [...]
>
>
^ permalink raw reply
* Re: [RFC PATCH 5/9] Define user structure for events and responses.
From: Tingmao Wang @ 2025-03-10 0:39 UTC (permalink / raw)
To: Mickaël Salaün, Tycho Andersen
Cc: Günther Noack, Jan Kara, linux-security-module,
Amir Goldstein, Matthew Bobrowski, linux-fsdevel,
Christian Brauner, Kees Cook, Jann Horn, Andy Lutomirski,
Paul Moore, linux-api
In-Reply-To: <20250306.aej5ieg1Hi6j@digikod.net>
On 3/8/25 19:07, Mickaël Salaün wrote:
> On Thu, Mar 06, 2025 at 03:05:10AM +0000, Tingmao Wang wrote:
>> On 3/4/25 19:49, Mickaël Salaün wrote:
>>> On Tue, Mar 04, 2025 at 01:13:01AM +0000, Tingmao Wang wrote:
>> [...]
>>>> + /**
>>>> + * @cookie: Opaque identifier to be included in the response.
>>>> + */
>>>> + __u32 cookie;
>>>
>>> I guess we could use a __u64 index counter per layer instead. That
>>> would also help to order requests if they are treated by different
>>> supervisor threads.
>>
>> I don't immediately see a use for ordering requests (if we get more than one
>> event at once, they are coming from different threads anyway so there can't
>> be any dependencies between them, and the supervisor threads can use
>> timestamps), but I think making it a __u64 is probably a good idea
>> regardless, as it means we don't have to do some sort of ID allocation, and
>> can just increment an atomic.
>
> Indeed, we should follow the seccomp unotify approach with a random u64
> incremented per request.
Do you mean a random starting value, incremented by one per request, or
something like the landlock_id in the audit patch (random increments too)?
>
>>
>>>> +};
>>>> +
>>>> +struct landlock_supervise_event {
>>>> + struct landlock_supervise_event_hdr hdr;
>>>> + __u64 access_request;
>>>> + __kernel_pid_t accessor;
>>>> + union {
>>>> + struct {
>>>> + /**
>>>> + * @fd1: An open file descriptor for the file (open,
>>>> + * delete, execute, link, readdir, rename, truncate),
>>>> + * or the parent directory (for create operations
>>>> + * targeting its child) being accessed. Must be
>>>> + * closed by the reader.
>>>> + *
>>>> + * If this points to a parent directory, @destname
>>>> + * will contain the target filename. If @destname is
>>>> + * empty, this points to the target file.
>>>> + */
>>>> + int fd1;
>>>> + /**
>>>> + * @fd2: For link or rename requests, a second file
>>>> + * descriptor for the target parent directory. Must
>>>> + * be closed by the reader. @destname contains the
>>>> + * destination filename. This field is -1 if not
>>>> + * used.
>>>> + */
>>>> + int fd2;
>>>
>>> Can we just use one FD but identify the requested access instead and
>>> send one event for each, like for the audit patch series?
>>
>> I haven't managed to read or test out the audit patch yet (I will do), but I
>> think having the ability to specifically tell whether the child is trying to
>> move / rename / create a hard link of an existing file, and what it's trying
>> to use as destination, might be useful (either for security, or purely for
>> UX)?
>>
>> For example, imagine something trying to link or move ~/.ssh/id_ecdsa to
>> /tmp/innocent-tmp-file then read the latter. The supervisor can warn the
>> user on the initial link attempt, and the shenanigan will probably be
>> stopped there (although still, being able to say "[program] wants to link
>> ~/.ssh/id_ecdsa to /tmp/innocent-tmp-file" seems better than just "[program]
>> wants to create a link for ~/.ssh/id_ecdsa"), but even if somehow this ends
>> up allowed, later on for the read request it could say something like
>>
>> [program] wants to read /tmp/innocent-tmp-file
>> (previously moved from ~/.ssh/id_ecdsa)
>>
>> Maybe this is a bit silly, but there might be other use cases for knowing
>> the exact details of a rename/link request, either for at-the-time decision
>> making, or tracking stuff for future requests?
>
> This pattern looks like datagram packets. I think we should use the
> netlink attributes. There were concern about using a netlink socket for
> the seccomp unotification though:
> https://lore.kernel.org/all/CALCETrXeZZfVzXh7SwKhyB=+ySDk5fhrrdrXrcABsQ=JpQT7Tg@mail.gmail.com/
>
> There are two main differences with seccomp unotify:
> - the supervisor should be able to receive arbitrary-sized data (e.g.
> file name, not path);
> - the supervisor should be able to receive file descriptors (instead of
> path).
>
> Sockets are created with socket(2) whereas in our case we should only
> get a supervisor FD (indirectly) through landlock_restrict_self(2),
> which clearly identifies a kernel object. Another issue would be to
> deal with network namespaces, probably by creating a private one.
> Sockets are powerful but we don't needs all the routing complexity.
> Moreover, we should only need a blocking communication channel to avoid
> issues managing in-flight object references (transformed to FDs when
> received). That makes me think that a socket might not be the right
> construct, but we can still rely on the NLA macros to define a proper
> protocol with dynamically-sized events, received and send with dedicated
> IOCTL commands.
>
> Netlink already provides a way to send a cookie, and
> netlink_attribute_type defines the types we'll need, including string.
>
> For instance, a link request/event could include 3 packets, one for each
> of these properties:
> 1. the source file FD;
> 2. the destination directory FD;
> 3. the destination filename string.
>
> This way we would avoid the union defined in this patch.
I had no idea about netlink - I will take a look. Do you know if there
is any existing code which uses it in a similar way (i.e. not creating
an actual socket, but using netlink messages)?
I think in the end seccomp-unotify went with an ioctl with a custom
struct seccomp_notif due to friction with the NL API [1] - do you think
we will face the same problem here? (I will take a deeper look at
netlink after sending this.)
(Tycho - could you weigh in?)
[1]:
https://lore.kernel.org/all/CAGXu5jKsLDSBjB74SrvCvmGy_RTEjBsMtR5dk1CcRFrHEQfM_g@mail.gmail.com/
>
> There is still the question about receiving FDs though. It would be nice
> to have a (set of?) dedicated IOCTL(s) to receive an FD, but I'm not
> sure how this could be properly handled wrt NLA.
Also, if we go with netlink messages, why do we need additional IOCTLs?
Can we open the fd when we write out the message? (Maybe I will end up
realizing the reason for this after reading netlink code, but I would )
>
>>
>> I will try out the audit patch to see how things like these appears in the
>> log before commenting further on this. Maybe there is a way to achieve this
>> while still simplifying the event structure?
>>
>>>
>>>> + /**
>>>> + * @destname: A filename for a file creation target.
>>>> + *
>>>> + * If either of fd1 or fd2 points to a parent
>>>> + * directory rather than the target file, this is the
>>>> + * NULL-terminated name of the file that will be
>>>> + * newly created.
>>>> + *
>>>> + * Counting the NULL terminator, this field will
>>>> + * contain one or more NULL padding at the end so
>>>> + * that the length of the whole struct
>>>> + * landlock_supervise_event is a multiple of 8 bytes.
>>>> + *
>>>> + * This is a variable length member, and the length
>>>> + * including the terminating NULL(s) can be derived
>>>> + * from hdr.length - offsetof(struct
>>>> + * landlock_supervise_event, destname).
>>>> + */
>>>> + char destname[];
>>>
>>> I'd prefer to avoid sending file names for now. I don't think it's
>>> necessary, and that could encourage supervisors to filter access
>>> according to names.
>>>
>>
>> This is also motivated by the potential UX I'm thinking of. For example, if
>> a newly installed application tries to create ~/.app-name, it will be much
>> more reassuring and convenient to the user if we can show something like
>>
>> [program] wants to mkdir ~/.app-name. Allow this and future
>> access to the new directory?
>>
>> rather than just "[program] wants to mkdir under ~". (The "Allow this and
>> future access to the new directory" bit is made possible by the supervisor
>> knowing the name of the file/directory being created, and can remember them
>> / write them out to a persistent profile etc)
>>
>> Note that this is just the filename under the dir represented by fd - this
>> isn't a path or anything that can be subject to symlink-related attacks,
>> etc. If a program calls e.g.
>> mkdirat or openat (dfd -> "/some/", pathname="dir/stuff", O_CREAT)
>> my understanding is that fd1 will point to /some/dir, and destname would be
>> "stuff"
>
> Right, this file name information would be useful. In the case of
> audit, the goal is to efficiently and asynchronously log security events
> (and align with other LSM logs and related limitations), not primarily
> to debug sandboxed apps nor to enrich this information for decision
> making, but the supervisor feature would help here. The patch message
> should include this rationale.
Will do
>
>>
>> Actually, in case your question is "why not send a fd to represent the newly
>> created file, instead of sending the name" -- I'm not sure whether you can
>> open even an O_PATH fd to a non-existent file.
>
> That would not be possible because it would not exist yet, a file name
> (not file path) is OK for this case.
>
>>
>>>> + };
>>>> + struct {
>>>> + __u16 port;
>>>> + };
>>>> + };
>>>> +};
>>>> +
>>>
>>> [...]
>>
>>
^ permalink raw reply
* Add sysctl for tcp_delayed_ack
From: Andrew Easton @ 2025-03-10 1:20 UTC (permalink / raw)
To: David S. Miller, David S. Ahern, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: Simon Horman, Linux Kernel Mailing List, Network Subsystem,
Linux Kernel Mailing List, Sysctl API ABI
[-- Attachment #1: Type: text/plain, Size: 1872 bytes --]
Subject: Add sysctl for tcp_delayed_ack
Hi everyone,
this is a proposed patch for adding a sysctl for
disabling TCP delayed ACK (IETF RFC 1122) without
having to patch software to constantly poke sockets
with TCP_QUICKACK which apparently resets on
subsequent operations, see tcp(7).
For my personal computer networks experimenting with
globally disabling TCP delayed ACK across two other
operating systems seems to have considerably improved
congestion control. (While I propose only anecdotal
evidence, there is more to it. Am open to the
ensuing technical discussion, but only if that turns
out to be a good use of other people's time.)
This is my first proposed kernel patch and it is
likely missing a whole bunch of details. For
example:
1. Where is the TCP ACK delay computed for IPv6?
Could not identify this in file net/ipv6/tcp_ipv6.c .
2. Perhaps, adding kernel configuration options for
the ncurses interface is desireable. What is a good
example to learn from?
3. Perhaps, setting constants in file
include/uapi/linux/sysctl.h may be unnecessary, but I
have not found any guidelines on when these CTL
numbers are necessary. Likely, because I did not
read the documentation carefully enough. Any
pointers are appreciated.
4. The default should probably be a value like
net.ipv4.tcp_delayed_ack=1 that preserves the current
behavior and hence is backwards compatible for user
space. A value of net.ipv4.tcp_delayed_ack=0 should
globally (for IPv4) disable TCP delayed ACK. Would
also like to add the option for IPv6, but see point
(1).
In case a similar sysctl has already been proposed
and rejected in the past, please point me to the
mailing list archives, if that is not too
inconvenient.
Which questions have I failed to ask that I should
have asked?
Errors and lack of research are on me.
Thank you for sharing your time.
Andrew
[-- Attachment #2: 0001-Add-sysctl-net.ipv4.tcp_delayed_ack-for-disabling-TC.patch --]
[-- Type: application/octet-stream, Size: 6655 bytes --]
From 5e92e3f9dafe58d363b433356f5d6ca1c9e14aba Mon Sep 17 00:00:00 2001
From: Andrew Easton <Andrew@Easton24.com>
Date: Sun, 9 Mar 2025 19:52:28 -0500
Subject: [PATCH] Add sysctl net.ipv4.tcp_delayed_ack for disabling TCP delayed
acknowledgements from IETF RFC 1122.
---
.../networking/net_cachelines/netns_ipv4_sysctl.rst | 1 +
include/net/netns/ipv4.h | 1 +
include/net/netns/ipv6.h | 1 +
include/uapi/linux/sysctl.h | 2 ++
net/core/net_namespace.c | 2 ++
net/ipv4/sysctl_net_ipv4.c | 12 ++++++++++++
net/ipv4/tcp_input.c | 3 ++-
net/ipv6/tcp_ipv6.c | 5 +++++
8 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
index de0263302f16..88eaed807c94 100644
--- a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
+++ b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
@@ -110,6 +110,7 @@ int sysctl_tcp_min_rtt_wlen rea
u8 sysctl_tcp_min_tso_segs unlikely(icsk_ca_ops-written)
u8 sysctl_tcp_tso_rtt_log read_mostly tcp_tso_autosize
u8 sysctl_tcp_autocorking read_mostly tcp_push/tcp_should_autocork
+u8 sysctl_tcp_delayed_ack read_mostly tcp_in_quickack_mode
u8 sysctl_tcp_reflect_tos tcp_v(4/6)_send_synack
int sysctl_tcp_invalid_ratelimit
int sysctl_tcp_pacing_ss_ratio default_cong_cont(tcp_update_pacing_rate)
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 46452da35206..5777f95af02e 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -59,6 +59,7 @@ struct netns_ipv4 {
u8 sysctl_tcp_tso_win_divisor;
u8 sysctl_tcp_tso_rtt_log;
u8 sysctl_tcp_autocorking;
+ u8 sysctl_tcp_delayed_ack;
int sysctl_tcp_min_snd_mss;
unsigned int sysctl_tcp_notsent_lowat;
int sysctl_tcp_limit_output_bytes;
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 5f2cfd84570a..ec8b891e09ca 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -56,6 +56,7 @@ struct netns_sysctl_ipv6 {
u8 skip_notify_on_dev_down;
u8 fib_notify_on_flag_change;
u8 icmpv6_error_anycast_as_unicast;
+ u8 tcp_delayed_ack;
};
struct netns_ipv6 {
diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
index 8981f00204db..669b3775bd31 100644
--- a/include/uapi/linux/sysctl.h
+++ b/include/uapi/linux/sysctl.h
@@ -426,6 +426,7 @@ enum
NET_TCP_ALLOWED_CONG_CONTROL=123,
NET_TCP_MAX_SSTHRESH=124,
NET_TCP_FRTO_RESPONSE=125,
+ NET_IPV4_TCP_DELAYED_ACK=126, /* TCP_QUICKACK but globally. */
};
enum {
@@ -530,6 +531,7 @@ enum {
NET_IPV6_IP6FRAG_TIME=23,
NET_IPV6_IP6FRAG_SECRET_INTERVAL=24,
NET_IPV6_MLD_MAX_MSF=25,
+ NET_IPV6_TCP_DELAYED_ACK=26, /* TCP_QUICKACK but globally. */
};
enum {
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 4303f2a49262..b101707ab9e4 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -1155,6 +1155,8 @@ static void __init netns_ipv4_struct_check(void)
sysctl_tcp_tso_rtt_log);
CACHELINE_ASSERT_GROUP_MEMBER(struct netns_ipv4, netns_ipv4_read_tx,
sysctl_tcp_autocorking);
+ CACHELINE_ASSERT_GROUP_MEMBER(struct netns_ipv4, netns_ipv4_read_tx,
+ sysctl_tcp_delayed_ack);
CACHELINE_ASSERT_GROUP_MEMBER(struct netns_ipv4, netns_ipv4_read_tx,
sysctl_tcp_min_snd_mss);
CACHELINE_ASSERT_GROUP_MEMBER(struct netns_ipv4, netns_ipv4_read_tx,
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 42cb5dc9cb24..8aa00eee8247 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -28,6 +28,8 @@ static int tcp_adv_win_scale_max = 31;
static int tcp_app_win_max = 31;
static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
static int tcp_min_snd_mss_max = 65535;
+static int tcp_delayed_ack_min = 0;
+static int tcp_delayed_ack_max = 255;
static int ip_privileged_port_min;
static int ip_privileged_port_max = 65535;
static int ip_ttl_min = 1;
@@ -959,6 +961,16 @@ static struct ctl_table ipv4_net_table[] = {
.mode = 0644,
.proc_handler = proc_allowed_congestion_control,
},
+ {
+ .ctl_name = NET_IPV4_TCP_DELAYED_ACK,
+ .procname = "tcp_delayed_ack",
+ .data = &init_net.ipv4.sysctl_tcp_delayed_ack,
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = &tcp_delayed_ack_min,
+ .extra2 = &tcp_delayed_ack_max
+ },
{
.procname = "tcp_keepalive_time",
.data = &init_net.ipv4.sysctl_tcp_keepalive_time,
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 0cbf81bf3d45..5c5e934816cd 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -334,7 +334,8 @@ static bool tcp_in_quickack_mode(struct sock *sk)
const struct dst_entry *dst = __sk_dst_get(sk);
return (dst && dst_metric(dst, RTAX_QUICKACK)) ||
- (icsk->icsk_ack.quick && !inet_csk_in_pingpong_mode(sk));
+ (icsk->icsk_ack.quick && !inet_csk_in_pingpong_mode(sk) ||
+ sk->sk_net.ipv4.sysctl_tcp_delayed_ack > 0);
}
static void tcp_ecn_queue_cwr(struct tcp_sock *tp)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2debdf085a3b..b040ceea9f22 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1149,6 +1149,11 @@ static void tcp_v6_send_ack(const struct sock *sk, struct sk_buff *skb, u32 seq,
struct tcp_key *key, u8 tclass,
__be32 label, u32 priority, u32 txhash)
{
+ /* Where does this condition need to go?
+ * It doesn't seem clear where exactly the
+ * TCP ACK is delayed (IETF RFC 1122) for
+ * IPv6.
+ * (sk->net.ipv6.sysctl.tcp_delayed_ack > 0) */
tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, 0,
tclass, label, priority, txhash, key);
}
--
2.48.0
[-- Attachment #3: Type: text/plain, Size: 2 bytes --]
^ permalink raw reply related
* Re: Add sysctl for tcp_delayed_ack
From: Jason Xing @ 2025-03-10 5:17 UTC (permalink / raw)
To: Andrew Easton
Cc: David S. Miller, David S. Ahern, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman,
Linux Kernel Mailing List, Network Subsystem,
Linux Kernel Mailing List, Sysctl API ABI
In-Reply-To: <FC9BF302-0724-49F3-AD7C-6761D65024A1@Easton24.com>
Hi Andrew,
On Mon, Mar 10, 2025 at 2:33 AM Andrew Easton <Andrew@easton24.com> wrote:
>
> Subject: Add sysctl for tcp_delayed_ack
>
> Hi everyone,
>
> this is a proposed patch for adding a sysctl for
> disabling TCP delayed ACK (IETF RFC 1122) without
> having to patch software to constantly poke sockets
> with TCP_QUICKACK which apparently resets on
> subsequent operations, see tcp(7).
>
> For my personal computer networks experimenting with
> globally disabling TCP delayed ACK across two other
> operating systems seems to have considerably improved
> congestion control. (While I propose only anecdotal
> evidence, there is more to it. Am open to the
> ensuing technical discussion, but only if that turns
> out to be a good use of other people's time.)
>
> This is my first proposed kernel patch and it is
Thanks for proposing this patch :)
As to the idea itself, my personal feelings are:
1) It might be suitable for local kernels instead of public kernels,
even though we internally have a similar patch a few years ago
already.
2) The reason why I hesitated to submit a patch like this before is it
may change/override the default socket behavior which may bring
unexpected impacts. It's a global knob...
3) To be frank, the delayed ack mechanism prevails for so many years
and truly solves too many pure ack packets on the wire issue. And I
believe only a minority of clients try to turn it off.
4) Recently, I was thinking of implementing a delayed ack max timeout
(which you can refer to tcp_delack_max() and see how it works). As I
mentioned, I also hesitate to do so.
Of course, no matter what my thoughts are, it finally depends on the
TCP maintainer's call :)
Thanks,
Jason
> likely missing a whole bunch of details. For
> example:
>
> 1. Where is the TCP ACK delay computed for IPv6?
> Could not identify this in file net/ipv6/tcp_ipv6.c .
>
> 2. Perhaps, adding kernel configuration options for
> the ncurses interface is desireable. What is a good
> example to learn from?
>
> 3. Perhaps, setting constants in file
> include/uapi/linux/sysctl.h may be unnecessary, but I
> have not found any guidelines on when these CTL
> numbers are necessary. Likely, because I did not
> read the documentation carefully enough. Any
> pointers are appreciated.
>
> 4. The default should probably be a value like
> net.ipv4.tcp_delayed_ack=1 that preserves the current
> behavior and hence is backwards compatible for user
> space. A value of net.ipv4.tcp_delayed_ack=0 should
> globally (for IPv4) disable TCP delayed ACK. Would
> also like to add the option for IPv6, but see point
> (1).
>
>
> In case a similar sysctl has already been proposed
> and rejected in the past, please point me to the
> mailing list archives, if that is not too
> inconvenient.
>
>
> Which questions have I failed to ask that I should
> have asked?
>
> Errors and lack of research are on me.
>
> Thank you for sharing your time.
>
> Andrew
>
>
>
>
>
^ permalink raw reply
* Re: Add sysctl for tcp_delayed_ack
From: Eric Dumazet @ 2025-03-10 7:02 UTC (permalink / raw)
To: Andrew Easton
Cc: David S. Miller, David S. Ahern, Jakub Kicinski, Paolo Abeni,
Simon Horman, Linux Kernel Mailing List, Network Subsystem,
Linux Kernel Mailing List, Sysctl API ABI
In-Reply-To: <FC9BF302-0724-49F3-AD7C-6761D65024A1@Easton24.com>
On Mon, Mar 10, 2025 at 2:20 AM Andrew Easton <Andrew@easton24.com> wrote:
>
> Subject: Add sysctl for tcp_delayed_ack
>
> Hi everyone,
Hi Andrew
>
> this is a proposed patch for adding a sysctl for
> disabling TCP delayed ACK (IETF RFC 1122) without
> having to patch software to constantly poke sockets
> with TCP_QUICKACK which apparently resets on
> subsequent operations, see tcp(7).
>
> For my personal computer networks experimenting with
> globally disabling TCP delayed ACK across two other
> operating systems seems to have considerably improved
> congestion control. (While I propose only anecdotal
> evidence, there is more to it. Am open to the
> ensuing technical discussion, but only if that turns
> out to be a good use of other people's time.)
>
> This is my first proposed kernel patch and it is
> likely missing a whole bunch of details. For
> example:
>
> 1. Where is the TCP ACK delay computed for IPv6?
> Could not identify this in file net/ipv6/tcp_ipv6.c .
No need to change tcp_ipv6.c
Generating ACK is generic, thus code is in net/ipv4
>
> 2. Perhaps, adding kernel configuration options for
> the ncurses interface is desireable. What is a good
> example to learn from?
No need. per net-ns sysctl and/or per-socket options are far better
for this case.
>
> 3. Perhaps, setting constants in file
> include/uapi/linux/sysctl.h may be unnecessary, but I
> have not found any guidelines on when these CTL
> numbers are necessary. Likely, because I did not
> read the documentation carefully enough. Any
> pointers are appreciated.
sysctl.h is absolutely deprecated.
No need for NET_IPV4_TCP_DELAYED_ACK,
No ctl_name in 'struct ctl_table'
>
> 4. The default should probably be a value like
> net.ipv4.tcp_delayed_ack=1 that preserves the current
> behavior and hence is backwards compatible for user
> space. A value of net.ipv4.tcp_delayed_ack=0 should
> globally (for IPv4) disable TCP delayed ACK. Would
> also like to add the option for IPv6, but see point
> (1).
>
>
> In case a similar sysctl has already been proposed
> and rejected in the past, please point me to the
> mailing list archives, if that is not too
> inconvenient.
>
>
> Which questions have I failed to ask that I should
> have asked?
>
> Errors and lack of research are on me.
>
Make sure to compile/test your patch on top of net-next tree, and send
it inline,
not as an attachment, so that we can comment on it.
Also next time add benchmark results
like netperf -t TCP_RR (200 flows)
of netper/tcp_rr -F 1000
No delaying ACK for small RPC is essentially doubling the number of
packets to send and receive.
> Thank you for sharing your time.
>
> Andrew
>
>
>
>
>
^ permalink raw reply
* Re: [RFC PATCH 5/9] Define user structure for events and responses.
From: Mickaël Salaün @ 2025-03-11 19:29 UTC (permalink / raw)
To: Tingmao Wang
Cc: Tycho Andersen, Günther Noack, Jan Kara,
linux-security-module, Amir Goldstein, Matthew Bobrowski,
linux-fsdevel, Christian Brauner, Kees Cook, Jann Horn,
Andy Lutomirski, Paul Moore, linux-api
In-Reply-To: <4b0b693d-a152-42c0-bb2c-73e705c3c9b0@maowtm.org>
On Mon, Mar 10, 2025 at 12:39:08AM +0000, Tingmao Wang wrote:
> On 3/8/25 19:07, Mickaël Salaün wrote:
> > On Thu, Mar 06, 2025 at 03:05:10AM +0000, Tingmao Wang wrote:
> > > On 3/4/25 19:49, Mickaël Salaün wrote:
> > > > On Tue, Mar 04, 2025 at 01:13:01AM +0000, Tingmao Wang wrote:
> > > [...]
> > > > > + /**
> > > > > + * @cookie: Opaque identifier to be included in the response.
> > > > > + */
> > > > > + __u32 cookie;
> > > >
> > > > I guess we could use a __u64 index counter per layer instead. That
> > > > would also help to order requests if they are treated by different
> > > > supervisor threads.
> > >
> > > I don't immediately see a use for ordering requests (if we get more than one
> > > event at once, they are coming from different threads anyway so there can't
> > > be any dependencies between them, and the supervisor threads can use
> > > timestamps), but I think making it a __u64 is probably a good idea
> > > regardless, as it means we don't have to do some sort of ID allocation, and
> > > can just increment an atomic.
> >
> > Indeed, we should follow the seccomp unotify approach with a random u64
> > incremented per request.
>
> Do you mean a random starting value, incremented by one per request, or
Yes
> something like the landlock_id in the audit patch (random increments too)?
There is no need for that because the supervisor is more privileged than
the sandbox.
>
> >
> > >
> > > > > +};
> > > > > +
> > > > > +struct landlock_supervise_event {
> > > > > + struct landlock_supervise_event_hdr hdr;
> > > > > + __u64 access_request;
> > > > > + __kernel_pid_t accessor;
> > > > > + union {
> > > > > + struct {
> > > > > + /**
> > > > > + * @fd1: An open file descriptor for the file (open,
> > > > > + * delete, execute, link, readdir, rename, truncate),
> > > > > + * or the parent directory (for create operations
> > > > > + * targeting its child) being accessed. Must be
> > > > > + * closed by the reader.
> > > > > + *
> > > > > + * If this points to a parent directory, @destname
> > > > > + * will contain the target filename. If @destname is
> > > > > + * empty, this points to the target file.
> > > > > + */
> > > > > + int fd1;
> > > > > + /**
> > > > > + * @fd2: For link or rename requests, a second file
> > > > > + * descriptor for the target parent directory. Must
> > > > > + * be closed by the reader. @destname contains the
> > > > > + * destination filename. This field is -1 if not
> > > > > + * used.
> > > > > + */
> > > > > + int fd2;
> > > >
> > > > Can we just use one FD but identify the requested access instead and
> > > > send one event for each, like for the audit patch series?
> > >
> > > I haven't managed to read or test out the audit patch yet (I will do), but I
> > > think having the ability to specifically tell whether the child is trying to
> > > move / rename / create a hard link of an existing file, and what it's trying
> > > to use as destination, might be useful (either for security, or purely for
> > > UX)?
> > >
> > > For example, imagine something trying to link or move ~/.ssh/id_ecdsa to
> > > /tmp/innocent-tmp-file then read the latter. The supervisor can warn the
> > > user on the initial link attempt, and the shenanigan will probably be
> > > stopped there (although still, being able to say "[program] wants to link
> > > ~/.ssh/id_ecdsa to /tmp/innocent-tmp-file" seems better than just "[program]
> > > wants to create a link for ~/.ssh/id_ecdsa"), but even if somehow this ends
> > > up allowed, later on for the read request it could say something like
> > >
> > > [program] wants to read /tmp/innocent-tmp-file
> > > (previously moved from ~/.ssh/id_ecdsa)
> > >
> > > Maybe this is a bit silly, but there might be other use cases for knowing
> > > the exact details of a rename/link request, either for at-the-time decision
> > > making, or tracking stuff for future requests?
> >
> > This pattern looks like datagram packets. I think we should use the
> > netlink attributes. There were concern about using a netlink socket for
> > the seccomp unotification though:
> > https://lore.kernel.org/all/CALCETrXeZZfVzXh7SwKhyB=+ySDk5fhrrdrXrcABsQ=JpQT7Tg@mail.gmail.com/
> >
> > There are two main differences with seccomp unotify:
> > - the supervisor should be able to receive arbitrary-sized data (e.g.
> > file name, not path);
> > - the supervisor should be able to receive file descriptors (instead of
> > path).
> >
> > Sockets are created with socket(2) whereas in our case we should only
> > get a supervisor FD (indirectly) through landlock_restrict_self(2),
> > which clearly identifies a kernel object. Another issue would be to
> > deal with network namespaces, probably by creating a private one.
> > Sockets are powerful but we don't needs all the routing complexity.
> > Moreover, we should only need a blocking communication channel to avoid
> > issues managing in-flight object references (transformed to FDs when
> > received). That makes me think that a socket might not be the right
> > construct, but we can still rely on the NLA macros to define a proper
> > protocol with dynamically-sized events, received and send with dedicated
> > IOCTL commands.
> >
> > Netlink already provides a way to send a cookie, and
> > netlink_attribute_type defines the types we'll need, including string.
> >
> > For instance, a link request/event could include 3 packets, one for each
> > of these properties:
> > 1. the source file FD;
> > 2. the destination directory FD;
> > 3. the destination filename string.
> >
> > This way we would avoid the union defined in this patch.
>
> I had no idea about netlink - I will take a look. Do you know if there is
> any existing code which uses it in a similar way (i.e. not creating an
> actual socket, but using netlink messages)?
I don't know.
>
> I think in the end seccomp-unotify went with an ioctl with a custom struct
> seccomp_notif due to friction with the NL API [1] - do you think we will
> face the same problem here? (I will take a deeper look at netlink after
> sending this.)
>
> (Tycho - could you weigh in?)
>
> [1]: https://lore.kernel.org/all/CAGXu5jKsLDSBjB74SrvCvmGy_RTEjBsMtR5dk1CcRFrHEQfM_g@mail.gmail.com/
We need to check if the NLA API could work. Kees's answer was missing
explanation. Otherwise we should get inspiration from fanotify
messages.
>
> >
> > There is still the question about receiving FDs though. It would be nice
> > to have a (set of?) dedicated IOCTL(s) to receive an FD, but I'm not
> > sure how this could be properly handled wrt NLA.
>
> Also, if we go with netlink messages, why do we need additional IOCTLs? Can
> we open the fd when we write out the message? (Maybe I will end up realizing
> the reason for this after reading netlink code, but I would )
It's much easier to have static-sized struct, both for developers and
for introspection tools (e.g. strace). However, in this case we also
would also have variable-lenght data. See my other reply discussing the
IOCTL idea.
>
> >
> > >
> > > I will try out the audit patch to see how things like these appears in the
> > > log before commenting further on this. Maybe there is a way to achieve this
> > > while still simplifying the event structure?
> > >
> > > >
> > > > > + /**
> > > > > + * @destname: A filename for a file creation target.
> > > > > + *
> > > > > + * If either of fd1 or fd2 points to a parent
> > > > > + * directory rather than the target file, this is the
> > > > > + * NULL-terminated name of the file that will be
> > > > > + * newly created.
> > > > > + *
> > > > > + * Counting the NULL terminator, this field will
> > > > > + * contain one or more NULL padding at the end so
> > > > > + * that the length of the whole struct
> > > > > + * landlock_supervise_event is a multiple of 8 bytes.
> > > > > + *
> > > > > + * This is a variable length member, and the length
> > > > > + * including the terminating NULL(s) can be derived
> > > > > + * from hdr.length - offsetof(struct
> > > > > + * landlock_supervise_event, destname).
> > > > > + */
> > > > > + char destname[];
> > > >
> > > > I'd prefer to avoid sending file names for now. I don't think it's
> > > > necessary, and that could encourage supervisors to filter access
> > > > according to names.
> > > >
> > >
> > > This is also motivated by the potential UX I'm thinking of. For example, if
> > > a newly installed application tries to create ~/.app-name, it will be much
> > > more reassuring and convenient to the user if we can show something like
> > >
> > > [program] wants to mkdir ~/.app-name. Allow this and future
> > > access to the new directory?
> > >
> > > rather than just "[program] wants to mkdir under ~". (The "Allow this and
> > > future access to the new directory" bit is made possible by the supervisor
> > > knowing the name of the file/directory being created, and can remember them
> > > / write them out to a persistent profile etc)
> > >
> > > Note that this is just the filename under the dir represented by fd - this
> > > isn't a path or anything that can be subject to symlink-related attacks,
> > > etc. If a program calls e.g.
> > > mkdirat or openat (dfd -> "/some/", pathname="dir/stuff", O_CREAT)
> > > my understanding is that fd1 will point to /some/dir, and destname would be
> > > "stuff"
> >
> > Right, this file name information would be useful. In the case of
> > audit, the goal is to efficiently and asynchronously log security events
> > (and align with other LSM logs and related limitations), not primarily
> > to debug sandboxed apps nor to enrich this information for decision
> > making, but the supervisor feature would help here. The patch message
> > should include this rationale.
>
> Will do
>
> >
> > >
> > > Actually, in case your question is "why not send a fd to represent the newly
> > > created file, instead of sending the name" -- I'm not sure whether you can
> > > open even an O_PATH fd to a non-existent file.
> >
> > That would not be possible because it would not exist yet, a file name
> > (not file path) is OK for this case.
> >
> > >
> > > > > + };
> > > > > + struct {
> > > > > + __u16 port;
> > > > > + };
> > > > > + };
> > > > > +};
> > > > > +
> > > >
> > > > [...]
> > >
> > >
>
^ permalink raw reply
* [RFC -next 00/10] Add ZC notifications to splice and sendfile
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
Greetings:
Welcome to the RFC.
Currently, when a user app uses sendfile the user app has no way to know
if the bytes were transmit; sendfile simply returns, but it is possible
that a slow client on the other side may take time to receive and ACK
the bytes. In the meantime, the user app which called sendfile has no
way to know whether it can overwrite the data on disk that it just
sendfile'd.
One way to fix this is to add zerocopy notifications to sendfile similar
to how MSG_ZEROCOPY works with sendmsg. This is possible thanks to the
extensive work done by Pavel [1].
To support this, two important user ABI changes are proposed:
- A new splice flag, SPLICE_F_ZC, which allows users to signal that
splice should generate zerocopy notifications if possible.
- A new system call, sendfile2, which is similar to sendfile64 except
that it takes an additional argument, flags, which allows the user
to specify either a "regular" sendfile or a sendfile with zerocopy
notifications enabled.
In either case, user apps can read notifications from the error queue
(like they would with MSG_ZEROCOPY) to determine when their call to
sendfile has completed.
I tested this RFC using the selftest modified in the last patch and also
by using the selftest between two different physical hosts:
# server
./msg_zerocopy -4 -i eth0 -t 2 -v -r tcp
# client (does the sendfiling)
dd if=/dev/zero of=sendfile_data bs=1M count=8
./msg_zerocopy -4 -i eth0 -D $SERVER_IP -v -l 1 -t 2 -z -f sendfile_data tcp
I would love to get high level feedback from folks on a few things:
- Is this functionality, at a high level, something that would be
desirable / useful? I think so, but I'm of course I am biased ;)
- Is this approach generally headed in the right direction? Are the
proposed user ABI changes reasonable?
If the above two points are generally agreed upon then I'd welcome
feedback on the patches themselves :)
This is kind of a net thing, but also kind of a splice thing so hope I
am sending this to right places to get appropriate feedback. I based my
code on the vfs/for-next tree, but am happy to rebase on another tree if
desired. The cc-list got a little out of control, so I manually trimmed
it down quite a bit; sorry if I missed anyone I should have CC'd in the
process.
Thanks,
Joe
[1]: https://lore.kernel.org/netdev/cover.1657643355.git.asml.silence@gmail.com/
Joe Damato (10):
splice: Add ubuf_info to prepare for ZC
splice: Add helper that passes through splice_desc
splice: Factor splice_socket into a helper
splice: Add SPLICE_F_ZC and attach ubuf
fs: Add splice_write_sd to file operations
fs: Extend do_sendfile to take a flags argument
fs: Add sendfile2 which accepts a flags argument
fs: Add sendfile flags for sendfile2
fs: Add sendfile2 syscall
selftests: Add sendfile zerocopy notification test
arch/alpha/kernel/syscalls/syscall.tbl | 1 +
arch/arm/tools/syscall.tbl | 1 +
arch/arm64/tools/syscall_32.tbl | 1 +
arch/m68k/kernel/syscalls/syscall.tbl | 1 +
arch/microblaze/kernel/syscalls/syscall.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 1 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 1 +
arch/parisc/kernel/syscalls/syscall.tbl | 1 +
arch/powerpc/kernel/syscalls/syscall.tbl | 1 +
arch/s390/kernel/syscalls/syscall.tbl | 1 +
arch/sh/kernel/syscalls/syscall.tbl | 1 +
arch/sparc/kernel/syscalls/syscall.tbl | 1 +
arch/x86/entry/syscalls/syscall_32.tbl | 1 +
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
arch/xtensa/kernel/syscalls/syscall.tbl | 1 +
fs/read_write.c | 40 +++++++---
fs/splice.c | 87 +++++++++++++++++----
include/linux/fs.h | 2 +
include/linux/sendfile.h | 10 +++
include/linux/splice.h | 7 +-
include/linux/syscalls.h | 2 +
include/uapi/asm-generic/unistd.h | 4 +-
net/socket.c | 1 +
scripts/syscall.tbl | 1 +
tools/testing/selftests/net/msg_zerocopy.c | 54 ++++++++++++-
tools/testing/selftests/net/msg_zerocopy.sh | 5 ++
27 files changed, 200 insertions(+), 29 deletions(-)
create mode 100644 include/linux/sendfile.h
base-commit: 2e72b1e0aac24a12f3bf3eec620efaca7ab7d4de
--
2.43.0
^ permalink raw reply
* [RFC -next 01/10] splice: Add ubuf_info to prepare for ZC
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Update struct splice_desc to include ubuf_info to prepare splice for
zero copy notifications.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
include/linux/splice.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/splice.h b/include/linux/splice.h
index 9dec4861d09f..7477df3916e2 100644
--- a/include/linux/splice.h
+++ b/include/linux/splice.h
@@ -10,6 +10,7 @@
#define SPLICE_H
#include <linux/pipe_fs_i.h>
+#include <linux/skbuff.h>
/*
* Flags passed in from splice/tee/vmsplice
@@ -43,6 +44,7 @@ struct splice_desc {
loff_t *opos; /* sendfile: output position */
size_t num_spliced; /* number of bytes already spliced */
bool need_wakeup; /* need to wake up writer */
+ struct ubuf_info *ubuf_info; /* zerocopy infrastructure */
};
struct partial_page {
--
2.43.0
^ permalink raw reply related
* [RFC -next 02/10] splice: Add helper that passes through splice_desc
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Add do_splice_from_sd which takes splice_desc as an argument. This
helper is just a wrapper around splice_write but will be extended. Use
the helper from existing splice code.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
fs/splice.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/fs/splice.c b/fs/splice.c
index 2898fa1e9e63..9575074a1296 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -941,6 +941,15 @@ static ssize_t do_splice_from(struct pipe_inode_info *pipe, struct file *out,
return out->f_op->splice_write(pipe, out, ppos, len, flags);
}
+static ssize_t do_splice_from_sd(struct pipe_inode_info *pipe, struct file *out,
+ struct splice_desc *sd)
+{
+ if (unlikely(!out->f_op->splice_write))
+ return warn_unsupported(out, "write");
+ return out->f_op->splice_write(pipe, out, sd->opos, sd->total_len,
+ sd->flags);
+}
+
/*
* Indicate to the caller that there was a premature EOF when reading from the
* source and the caller didn't indicate they would be sending more data after
@@ -1161,7 +1170,7 @@ static int direct_splice_actor(struct pipe_inode_info *pipe,
long ret;
file_start_write(file);
- ret = do_splice_from(pipe, file, sd->opos, sd->total_len, sd->flags);
+ ret = do_splice_from_sd(pipe, file, sd);
file_end_write(file);
return ret;
}
@@ -1171,7 +1180,7 @@ static int splice_file_range_actor(struct pipe_inode_info *pipe,
{
struct file *file = sd->u.file;
- return do_splice_from(pipe, file, sd->opos, sd->total_len, sd->flags);
+ return do_splice_from_sd(pipe, file, sd);
}
static void direct_file_splice_eof(struct splice_desc *sd)
--
2.43.0
^ permalink raw reply related
* [RFC -next 03/10] splice: Factor splice_socket into a helper
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
splice_socket becomes a wrapper around splice_socket_generic which takes
a ubuf pointer to prepare for zerocopy notifications.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
fs/splice.c | 40 +++++++++++++++++++++++++---------------
1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/fs/splice.c b/fs/splice.c
index 9575074a1296..1f27ce6d1c34 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -37,6 +37,8 @@
#include <linux/socket.h>
#include <linux/sched/signal.h>
+#include <net/sock.h>
+
#include "internal.h"
/*
@@ -783,21 +785,10 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
EXPORT_SYMBOL(iter_file_splice_write);
#ifdef CONFIG_NET
-/**
- * splice_to_socket - splice data from a pipe to a socket
- * @pipe: pipe to splice from
- * @out: socket to write to
- * @ppos: position in @out
- * @len: number of bytes to splice
- * @flags: splice modifier flags
- *
- * Description:
- * Will send @len bytes from the pipe to a network socket. No data copying
- * is involved.
- *
- */
-ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
- loff_t *ppos, size_t len, unsigned int flags)
+static ssize_t splice_socket_generic(struct pipe_inode_info *pipe,
+ struct file *out, loff_t *ppos,
+ size_t len, unsigned int flags,
+ struct ubuf_info *ubuf_info)
{
struct socket *sock = sock_from_file(out);
struct bio_vec bvec[16];
@@ -920,6 +911,25 @@ ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
wakeup_pipe_writers(pipe);
return spliced ?: ret;
}
+
+/**
+ * splice_to_socket - splice data from a pipe to a socket
+ * @pipe: pipe to splice from
+ * @out: socket to write to
+ * @ppos: position in @out
+ * @len: number of bytes to splice
+ * @flags: splice modifier flags
+ *
+ * Description:
+ * Will send @len bytes from the pipe to a network socket. No data copying
+ * is involved.
+ *
+ */
+ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
+ loff_t *ppos, size_t len, unsigned int flags)
+{
+ return splice_socket_generic(pipe, out, ppos, len, flags, NULL);
+}
#endif
static int warn_unsupported(struct file *file, const char *op)
--
2.43.0
^ permalink raw reply related
* [RFC -next 04/10] splice: Add SPLICE_F_ZC and attach ubuf
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Add the SPLICE_F_ZC flag and when it is set, allocate a ubuf and attach
it to generate zerocopy notifications.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
fs/splice.c | 20 ++++++++++++++++++++
include/linux/splice.h | 3 ++-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/fs/splice.c b/fs/splice.c
index 1f27ce6d1c34..6dc60f47f84e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -875,6 +875,11 @@ static ssize_t splice_socket_generic(struct pipe_inode_info *pipe,
if (out->f_flags & O_NONBLOCK)
msg.msg_flags |= MSG_DONTWAIT;
+ if (unlikely(flags & SPLICE_F_ZC) && ubuf_info) {
+ msg.msg_flags = MSG_ZEROCOPY;
+ msg.msg_ubuf = ubuf_info;
+ }
+
iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, bvec, bc,
len - remain);
ret = sock_sendmsg(sock, &msg);
@@ -1223,12 +1228,27 @@ static ssize_t do_splice_direct_actor(struct file *in, loff_t *ppos,
if (unlikely(out->f_flags & O_APPEND))
return -EINVAL;
+ if (unlikely(flags & SPLICE_F_ZC)) {
+ struct socket *sock = sock_from_file(out);
+ struct sock *sk = sock->sk;
+ struct ubuf_info *ubuf_info;
+
+ ubuf_info = msg_zerocopy_realloc(sk, len, NULL);
+ if (!ubuf_info)
+ return -ENOMEM;
+ sd.ubuf_info = ubuf_info;
+ }
+
ret = splice_direct_to_actor(in, &sd, actor);
if (ret > 0)
*ppos = sd.pos;
+ if (unlikely(flags & SPLICE_F_ZC))
+ refcount_dec(&sd.ubuf_info->refcnt);
+
return ret;
}
+
/**
* do_splice_direct - splices data directly between two files
* @in: file to splice from
diff --git a/include/linux/splice.h b/include/linux/splice.h
index 7477df3916e2..a88588cf2754 100644
--- a/include/linux/splice.h
+++ b/include/linux/splice.h
@@ -21,8 +21,9 @@
/* from/to, of course */
#define SPLICE_F_MORE (0x04) /* expect more data */
#define SPLICE_F_GIFT (0x08) /* pages passed in are a gift */
+#define SPLICE_F_ZC (0x10) /* generate zero copy notifications */
-#define SPLICE_F_ALL (SPLICE_F_MOVE|SPLICE_F_NONBLOCK|SPLICE_F_MORE|SPLICE_F_GIFT)
+#define SPLICE_F_ALL (SPLICE_F_MOVE|SPLICE_F_NONBLOCK|SPLICE_F_MORE|SPLICE_F_GIFT|SPLICE_F_ZC)
/*
* Passed to the actors
--
2.43.0
^ permalink raw reply related
* [RFC -next 05/10] fs: Add splice_write_sd to file operations
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Introduce splice_write_sd to file operations and export a new helper for
sockets splice_to_socket_sd to pass through the splice_desc context
allowing the allocated ubuf to be attached.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
fs/splice.c | 22 ++++++++++++++++++----
include/linux/fs.h | 2 ++
include/linux/splice.h | 2 ++
net/socket.c | 1 +
4 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/fs/splice.c b/fs/splice.c
index 6dc60f47f84e..d08fa2a6d930 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -935,6 +935,16 @@ ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
{
return splice_socket_generic(pipe, out, ppos, len, flags, NULL);
}
+
+ssize_t splice_to_socket_sd(struct pipe_inode_info *pipe,
+ struct file *out, struct splice_desc *sd)
+{
+ ssize_t ret;
+
+ ret = splice_socket_generic(pipe, out, sd->opos, sd->total_len,
+ sd->flags, sd->ubuf_info);
+ return ret;
+}
#endif
static int warn_unsupported(struct file *file, const char *op)
@@ -959,10 +969,14 @@ static ssize_t do_splice_from(struct pipe_inode_info *pipe, struct file *out,
static ssize_t do_splice_from_sd(struct pipe_inode_info *pipe, struct file *out,
struct splice_desc *sd)
{
- if (unlikely(!out->f_op->splice_write))
- return warn_unsupported(out, "write");
- return out->f_op->splice_write(pipe, out, sd->opos, sd->total_len,
- sd->flags);
+ if (likely(!(sd->flags & SPLICE_F_ZC))) {
+ if (unlikely(!out->f_op->splice_write))
+ return warn_unsupported(out, "write");
+ return out->f_op->splice_write(pipe, out, sd->opos,
+ sd->total_len, sd->flags);
+ } else {
+ return out->f_op->splice_write_sd(pipe, out, sd);
+ }
}
/*
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 7e29433c5ecc..843e8b8a1d4d 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2065,6 +2065,7 @@ struct dir_context {
struct iov_iter;
struct io_uring_cmd;
struct offset_ctx;
+struct splice_desc;
typedef unsigned int __bitwise fop_flags_t;
@@ -2093,6 +2094,7 @@ struct file_operations {
int (*check_flags)(int);
int (*flock) (struct file *, int, struct file_lock *);
ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
+ ssize_t (*splice_write_sd)(struct pipe_inode_info *, struct file *, struct splice_desc *);
ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
void (*splice_eof)(struct file *file);
int (*setlease)(struct file *, int, struct file_lease **, void **);
diff --git a/include/linux/splice.h b/include/linux/splice.h
index a88588cf2754..356b8cae4818 100644
--- a/include/linux/splice.h
+++ b/include/linux/splice.h
@@ -100,6 +100,8 @@ static inline long splice_copy_file_range(struct file *in, loff_t pos_in,
ssize_t do_tee(struct file *in, struct file *out, size_t len,
unsigned int flags);
+ssize_t splice_to_socket_sd(struct pipe_inode_info *pipe, struct file *out,
+ struct splice_desc *sd);
ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
loff_t *ppos, size_t len, unsigned int flags);
diff --git a/net/socket.c b/net/socket.c
index 9a117248f18f..4baf26a36477 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -165,6 +165,7 @@ static const struct file_operations socket_file_ops = {
.release = sock_close,
.fasync = sock_fasync,
.splice_write = splice_to_socket,
+ .splice_write_sd = splice_to_socket_sd,
.splice_read = sock_splice_read,
.splice_eof = sock_splice_eof,
.show_fdinfo = sock_show_fdinfo,
--
2.43.0
^ permalink raw reply related
* [RFC -next 06/10] fs: Extend do_sendfile to take a flags argument
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Extend the internal do_sendfile to take a flags argument, which will be
used in future commits to signal that userland wants zerocopy
notifications.
This commit does not change anything about sendfile or sendfile64.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
fs/read_write.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/fs/read_write.c b/fs/read_write.c
index a6133241dfb8..03d2a93c3d1b 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1293,7 +1293,7 @@ COMPAT_SYSCALL_DEFINE6(pwritev2, compat_ulong_t, fd,
#endif /* CONFIG_COMPAT */
static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
- size_t count, loff_t max)
+ size_t count, loff_t max, int flags)
{
struct inode *in_inode, *out_inode;
struct pipe_inode_info *opipe;
@@ -1398,13 +1398,13 @@ SYSCALL_DEFINE4(sendfile, int, out_fd, int, in_fd, off_t __user *, offset, size_
if (unlikely(get_user(off, offset)))
return -EFAULT;
pos = off;
- ret = do_sendfile(out_fd, in_fd, &pos, count, MAX_NON_LFS);
+ ret = do_sendfile(out_fd, in_fd, &pos, count, MAX_NON_LFS, 0);
if (unlikely(put_user(pos, offset)))
return -EFAULT;
return ret;
}
- return do_sendfile(out_fd, in_fd, NULL, count, 0);
+ return do_sendfile(out_fd, in_fd, NULL, count, 0, 0);
}
SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd, loff_t __user *, offset, size_t, count)
@@ -1415,13 +1415,13 @@ SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd, loff_t __user *, offset, si
if (offset) {
if (unlikely(copy_from_user(&pos, offset, sizeof(loff_t))))
return -EFAULT;
- ret = do_sendfile(out_fd, in_fd, &pos, count, 0);
+ ret = do_sendfile(out_fd, in_fd, &pos, count, 0, 0);
if (unlikely(put_user(pos, offset)))
return -EFAULT;
return ret;
}
- return do_sendfile(out_fd, in_fd, NULL, count, 0);
+ return do_sendfile(out_fd, in_fd, NULL, count, 0, 0);
}
#ifdef CONFIG_COMPAT
@@ -1436,13 +1436,13 @@ COMPAT_SYSCALL_DEFINE4(sendfile, int, out_fd, int, in_fd,
if (unlikely(get_user(off, offset)))
return -EFAULT;
pos = off;
- ret = do_sendfile(out_fd, in_fd, &pos, count, MAX_NON_LFS);
+ ret = do_sendfile(out_fd, in_fd, &pos, count, MAX_NON_LFS, 0);
if (unlikely(put_user(pos, offset)))
return -EFAULT;
return ret;
}
- return do_sendfile(out_fd, in_fd, NULL, count, 0);
+ return do_sendfile(out_fd, in_fd, NULL, count, 0, 0);
}
COMPAT_SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd,
@@ -1454,13 +1454,13 @@ COMPAT_SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd,
if (offset) {
if (unlikely(copy_from_user(&pos, offset, sizeof(loff_t))))
return -EFAULT;
- ret = do_sendfile(out_fd, in_fd, &pos, count, 0);
+ ret = do_sendfile(out_fd, in_fd, &pos, count, 0, 0);
if (unlikely(put_user(pos, offset)))
return -EFAULT;
return ret;
}
- return do_sendfile(out_fd, in_fd, NULL, count, 0);
+ return do_sendfile(out_fd, in_fd, NULL, count, 0, 0);
}
#endif
--
2.43.0
^ permalink raw reply related
* [RFC -next 07/10] fs: Add sendfile2 which accepts a flags argument
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Add sendfile2 which is similar to sendfile64, but takes a flags
argument.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
fs/read_write.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/fs/read_write.c b/fs/read_write.c
index 03d2a93c3d1b..057e5f37645d 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1424,6 +1424,23 @@ SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd, loff_t __user *, offset, si
return do_sendfile(out_fd, in_fd, NULL, count, 0, 0);
}
+SYSCALL_DEFINE5(sendfile2, int, out_fd, int, in_fd, loff_t __user *, offset, size_t, count, int, flags)
+{
+ loff_t pos;
+ ssize_t ret;
+
+ if (offset) {
+ if (unlikely(copy_from_user(&pos, offset, sizeof(loff_t))))
+ return -EFAULT;
+ ret = do_sendfile(out_fd, in_fd, &pos, count, 0, flags);
+ if (unlikely(put_user(pos, offset)))
+ return -EFAULT;
+ return ret;
+ }
+
+ return do_sendfile(out_fd, in_fd, NULL, count, 0, flags);
+}
+
#ifdef CONFIG_COMPAT
COMPAT_SYSCALL_DEFINE4(sendfile, int, out_fd, int, in_fd,
compat_off_t __user *, offset, compat_size_t, count)
--
2.43.0
^ permalink raw reply related
* [RFC -next 08/10] fs: Add sendfile flags for sendfile2
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Add a default flag (SENDFILE_DEFAULT) and a flag for requesting zerocopy
notifications (SENDFILE_ZC). do_sendfile is updated to pass through the
corresponding splice flag to enable zerocopy notifications.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
fs/read_write.c | 5 +++++
include/linux/sendfile.h | 10 ++++++++++
2 files changed, 15 insertions(+)
create mode 100644 include/linux/sendfile.h
diff --git a/fs/read_write.c b/fs/read_write.c
index 057e5f37645d..e3929fd0f605 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -16,6 +16,7 @@
#include <linux/export.h>
#include <linux/syscalls.h>
#include <linux/pagemap.h>
+#include <linux/sendfile.h>
#include <linux/splice.h>
#include <linux/compat.h>
#include <linux/mount.h>
@@ -1360,6 +1361,10 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
retval = rw_verify_area(WRITE, fd_file(out), &out_pos, count);
if (retval < 0)
return retval;
+
+ if (flags & SENDFILE_ZC)
+ fl |= SPLICE_F_ZC;
+
retval = do_splice_direct(fd_file(in), &pos, fd_file(out), &out_pos,
count, fl);
} else {
diff --git a/include/linux/sendfile.h b/include/linux/sendfile.h
new file mode 100644
index 000000000000..0bd3c76ea6f2
--- /dev/null
+++ b/include/linux/sendfile.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef SENDFILE_H
+#define SENDFILE_H
+
+#define SENDFILE_DEFAULT (0x1) /* normal sendfile */
+#define SENDFILE_ZC (0x2) /* sendfile which generates ZC notifications */
+
+#define SENDFILE_ALL (SENDFILE_DEFAULT|SENDFILE_ZC)
+
+#endif
--
2.43.0
^ permalink raw reply related
* [RFC -next 09/10] fs: Add sendfile2 syscall
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
The sendfile2 system call is similar to sendfile64, but takes a flags
argument allowing the user to select either a default sendfile or for
sendfile to generate zerocopy notifications similar to MSG_ZEROCOPY and
sendmsg.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
arch/alpha/kernel/syscalls/syscall.tbl | 1 +
arch/arm/tools/syscall.tbl | 1 +
arch/arm64/tools/syscall_32.tbl | 1 +
arch/m68k/kernel/syscalls/syscall.tbl | 1 +
arch/microblaze/kernel/syscalls/syscall.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 1 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 1 +
arch/parisc/kernel/syscalls/syscall.tbl | 1 +
arch/powerpc/kernel/syscalls/syscall.tbl | 1 +
arch/s390/kernel/syscalls/syscall.tbl | 1 +
arch/sh/kernel/syscalls/syscall.tbl | 1 +
arch/sparc/kernel/syscalls/syscall.tbl | 1 +
arch/x86/entry/syscalls/syscall_32.tbl | 1 +
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
arch/xtensa/kernel/syscalls/syscall.tbl | 1 +
include/linux/syscalls.h | 2 ++
include/uapi/asm-generic/unistd.h | 4 +++-
scripts/syscall.tbl | 1 +
19 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl
index c59d53d6d3f3..124313c745b6 100644
--- a/arch/alpha/kernel/syscalls/syscall.tbl
+++ b/arch/alpha/kernel/syscalls/syscall.tbl
@@ -506,3 +506,4 @@
574 common getxattrat sys_getxattrat
575 common listxattrat sys_listxattrat
576 common removexattrat sys_removexattrat
+577 common sendfile2 sys_sendfile2
diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl
index 49eeb2ad8dbd..ca61b5792148 100644
--- a/arch/arm/tools/syscall.tbl
+++ b/arch/arm/tools/syscall.tbl
@@ -481,3 +481,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/arm64/tools/syscall_32.tbl b/arch/arm64/tools/syscall_32.tbl
index 69a829912a05..71695a61a1df 100644
--- a/arch/arm64/tools/syscall_32.tbl
+++ b/arch/arm64/tools/syscall_32.tbl
@@ -478,3 +478,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/syscalls/syscall.tbl
index f5ed71f1910d..6096a22b4472 100644
--- a/arch/m68k/kernel/syscalls/syscall.tbl
+++ b/arch/m68k/kernel/syscalls/syscall.tbl
@@ -466,3 +466,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/kernel/syscalls/syscall.tbl
index 680f568b77f2..0429dc26ceee 100644
--- a/arch/microblaze/kernel/syscalls/syscall.tbl
+++ b/arch/microblaze/kernel/syscalls/syscall.tbl
@@ -472,3 +472,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl
index 0b9b7e25b69a..f6571c8ecb15 100644
--- a/arch/mips/kernel/syscalls/syscall_n32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n32.tbl
@@ -405,3 +405,4 @@
464 n32 getxattrat sys_getxattrat
465 n32 listxattrat sys_listxattrat
466 n32 removexattrat sys_removexattrat
+467 n32 sendfile2 sys_sendfile2
diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/syscalls/syscall_n64.tbl
index c844cd5cda62..532ce99478ee 100644
--- a/arch/mips/kernel/syscalls/syscall_n64.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n64.tbl
@@ -381,3 +381,4 @@
464 n64 getxattrat sys_getxattrat
465 n64 listxattrat sys_listxattrat
466 n64 removexattrat sys_removexattrat
+467 n64 sendfile2 sys_sendfile2
diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl
index 349b8aad1159..9cacbbff6b12 100644
--- a/arch/mips/kernel/syscalls/syscall_o32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_o32.tbl
@@ -454,3 +454,4 @@
464 o32 getxattrat sys_getxattrat
465 o32 listxattrat sys_listxattrat
466 o32 removexattrat sys_removexattrat
+467 o32 sendfile2 sys_sendfile2
diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl
index d9fc94c86965..ca5a3e6eb8f3 100644
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -465,3 +465,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl
index d8b4ab78bef0..450392aed1eb 100644
--- a/arch/powerpc/kernel/syscalls/syscall.tbl
+++ b/arch/powerpc/kernel/syscalls/syscall.tbl
@@ -557,3 +557,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl
index e9115b4d8b63..e7e1b16f4d39 100644
--- a/arch/s390/kernel/syscalls/syscall.tbl
+++ b/arch/s390/kernel/syscalls/syscall.tbl
@@ -469,3 +469,4 @@
464 common getxattrat sys_getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat sys_removexattrat
+467 64 sendfile2 sys_sendfile2 -
diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl
index c8cad33bf250..c75a0e69c033 100644
--- a/arch/sh/kernel/syscalls/syscall.tbl
+++ b/arch/sh/kernel/syscalls/syscall.tbl
@@ -470,3 +470,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl
index 727f99d333b3..fd15465b5330 100644
--- a/arch/sparc/kernel/syscalls/syscall.tbl
+++ b/arch/sparc/kernel/syscalls/syscall.tbl
@@ -512,3 +512,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 4d0fb2fba7e2..f711ee6068ec 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -472,3 +472,4 @@
464 i386 getxattrat sys_getxattrat
465 i386 listxattrat sys_listxattrat
466 i386 removexattrat sys_removexattrat
+467 i386 sendfile2 sys_sendfile2
diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl
index 5eb708bff1c7..0ba4edb1e4c0 100644
--- a/arch/x86/entry/syscalls/syscall_64.tbl
+++ b/arch/x86/entry/syscalls/syscall_64.tbl
@@ -390,6 +390,7 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
#
# Due to a historical design error, certain syscalls are numbered differently
diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/syscalls/syscall.tbl
index 37effc1b134e..142597c92baf 100644
--- a/arch/xtensa/kernel/syscalls/syscall.tbl
+++ b/arch/xtensa/kernel/syscalls/syscall.tbl
@@ -437,3 +437,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index c6333204d451..3ee0e997d6c6 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -491,6 +491,8 @@ asmlinkage long sys_pwritev(unsigned long fd, const struct iovec __user *vec,
unsigned long vlen, unsigned long pos_l, unsigned long pos_h);
asmlinkage long sys_sendfile64(int out_fd, int in_fd,
loff_t __user *offset, size_t count);
+asmlinkage long sys_sendfile2(int out_fd, int in_fd,
+ loff_t __user *offset, size_t count, int flags);
asmlinkage long sys_pselect6(int, fd_set __user *, fd_set __user *,
fd_set __user *, struct __kernel_timespec __user *,
void __user *);
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 88dc393c2bca..ec0ac5a8d519 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -849,9 +849,11 @@ __SYSCALL(__NR_getxattrat, sys_getxattrat)
__SYSCALL(__NR_listxattrat, sys_listxattrat)
#define __NR_removexattrat 466
__SYSCALL(__NR_removexattrat, sys_removexattrat)
+#define __NR_sendfile2 467
+__SYSCALL(__NR_sendfile2, sys_sendfile2)
#undef __NR_syscalls
-#define __NR_syscalls 467
+#define __NR_syscalls 468
/*
* 32 bit systems traditionally used different
diff --git a/scripts/syscall.tbl b/scripts/syscall.tbl
index ebbdb3c42e9f..1911a64d3b33 100644
--- a/scripts/syscall.tbl
+++ b/scripts/syscall.tbl
@@ -407,3 +407,4 @@
464 common getxattrat sys_getxattrat
465 common listxattrat sys_listxattrat
466 common removexattrat sys_removexattrat
+467 common sendfile2 sys_sendfile2
--
2.43.0
^ permalink raw reply related
* [RFC -next 10/10] selftests: Add sendfile zerocopy notification test
From: Joe Damato @ 2025-03-19 0:15 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, asml.silence, linux-fsdevel, edumazet, pabeni,
horms, linux-api, linux-arch, viro, jack, kuba, shuah, sdf, mingo,
arnd, brauner, akpm, tglx, jolsa, linux-kselftest, Joe Damato
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
Extend the existing the msg_zerocopy test to allow testing sendfile to
ensure that notifications are generated.
Signed-off-by: Joe Damato <jdamato@fastly.com>
---
tools/testing/selftests/net/msg_zerocopy.c | 54 ++++++++++++++++++++-
tools/testing/selftests/net/msg_zerocopy.sh | 5 ++
2 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c
index 7ea5fb28c93d..20e334b25fbd 100644
--- a/tools/testing/selftests/net/msg_zerocopy.c
+++ b/tools/testing/selftests/net/msg_zerocopy.c
@@ -30,6 +30,7 @@
#include <arpa/inet.h>
#include <error.h>
#include <errno.h>
+#include <fcntl.h>
#include <limits.h>
#include <linux/errqueue.h>
#include <linux/if_packet.h>
@@ -50,6 +51,7 @@
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
+#include <sys/sendfile.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
@@ -74,6 +76,14 @@
#define MSG_ZEROCOPY 0x4000000
#endif
+#ifndef SENDFILE_ZC
+#define SENDFILE_ZC (0x2)
+#endif
+
+#ifndef __NR_sendfile2
+#define __NR_sendfile2 467
+#endif
+
static int cfg_cork;
static bool cfg_cork_mixed;
static int cfg_cpu = -1; /* default: pin to last cpu */
@@ -87,6 +97,8 @@ static int cfg_verbose;
static int cfg_waittime_ms = 500;
static int cfg_notification_limit = 32;
static bool cfg_zerocopy;
+static bool cfg_sendfile;
+static const char *cfg_sendfile_path;
static socklen_t cfg_alen;
static struct sockaddr_storage cfg_dst_addr;
@@ -182,6 +194,37 @@ static void add_zcopy_cookie(struct msghdr *msg, uint32_t cookie)
memcpy(CMSG_DATA(cm), &cookie, sizeof(cookie));
}
+static bool do_sendfile(int fd)
+{
+ int from_fd = open(cfg_sendfile_path, O_RDONLY, 0);
+ struct stat buf;
+ ssize_t total = 0;
+ ssize_t ret = 0;
+ off_t off = 0;
+
+ if (fd < 0)
+ error(1, errno, "couldn't open sendfile path");
+
+ if (fstat(from_fd, &buf))
+ error(1, errno, "couldn't fstat");
+
+ while (total < buf.st_size) {
+ ret = syscall(__NR_sendfile2, fd, from_fd, &off, buf.st_size,
+ SENDFILE_ZC);
+ if (ret < 0)
+ error(1, errno, "unable to sendfile");
+ total += ret;
+ sends_since_notify++;
+ bytes += ret;
+ packets++;
+ if (ret > 0)
+ expected_completions++;
+ }
+
+ close(from_fd);
+ return total == buf.st_size;
+}
+
static bool do_sendmsg(int fd, struct msghdr *msg, bool do_zerocopy, int domain)
{
int ret, len, i, flags;
@@ -550,6 +593,8 @@ static void do_tx(int domain, int type, int protocol)
do {
if (cfg_cork)
do_sendmsg_corked(fd, &msg);
+ else if (cfg_sendfile)
+ do_sendfile(fd);
else
do_sendmsg(fd, &msg, cfg_zerocopy, domain);
@@ -715,7 +760,7 @@ static void parse_opts(int argc, char **argv)
cfg_payload_len = max_payload_len;
- while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vz")) != -1) {
+ while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vzf:w:")) != -1) {
switch (c) {
case '4':
if (cfg_family != PF_UNSPEC)
@@ -767,9 +812,16 @@ static void parse_opts(int argc, char **argv)
case 'v':
cfg_verbose++;
break;
+ case 'f':
+ cfg_sendfile = true;
+ cfg_sendfile_path = optarg;
+ break;
case 'z':
cfg_zerocopy = true;
break;
+ case 'w':
+ cfg_waittime_ms = 200 + strtoul(optarg, NULL, 10) * 1000;
+ break;
}
}
diff --git a/tools/testing/selftests/net/msg_zerocopy.sh b/tools/testing/selftests/net/msg_zerocopy.sh
index 89c22f5320e0..c735e4ab86b5 100755
--- a/tools/testing/selftests/net/msg_zerocopy.sh
+++ b/tools/testing/selftests/net/msg_zerocopy.sh
@@ -74,6 +74,7 @@ esac
cleanup() {
ip netns del "${NS2}"
ip netns del "${NS1}"
+ rm -f sendfile_data
}
trap cleanup EXIT
@@ -106,6 +107,9 @@ ip -netns "${NS2}" addr add fd::2/64 dev "${DEV}" nodad
# Optionally disable sg or csum offload to test edge cases
# ip netns exec "${NS1}" ethtool -K "${DEV}" sg off
+# create sendfile test data
+dd if=/dev/zero of=sendfile_data bs=1M count=8 2> /dev/null
+
do_test() {
local readonly ARGS="$1"
@@ -118,4 +122,5 @@ do_test() {
do_test "${EXTRA_ARGS}"
do_test "-z ${EXTRA_ARGS}"
+do_test "-z -f sendfile_data ${EXTRA_ARGS}"
echo ok
--
2.43.0
^ permalink raw reply related
* Re: [RFC -next 00/10] Add ZC notifications to splice and sendfile
From: Christoph Hellwig @ 2025-03-19 8:04 UTC (permalink / raw)
To: Joe Damato
Cc: netdev, linux-kernel, asml.silence, linux-fsdevel, edumazet,
pabeni, horms, linux-api, linux-arch, viro, jack, kuba, shuah,
sdf, mingo, arnd, brauner, akpm, tglx, jolsa, linux-kselftest
In-Reply-To: <20250319001521.53249-1-jdamato@fastly.com>
On Wed, Mar 19, 2025 at 12:15:11AM +0000, Joe Damato wrote:
> One way to fix this is to add zerocopy notifications to sendfile similar
> to how MSG_ZEROCOPY works with sendmsg. This is possible thanks to the
> extensive work done by Pavel [1].
What is a "zerocopy notification" and why aren't you simply plugging
this into io_uring and generate a CQE so that it works like all other
asynchronous operations?
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox