From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3CDBCC3A5A7
	for <linux-mm@archiver.kernel.org>; Tue,  6 Dec 2022 19:09:52 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 8632C8E0003; Tue,  6 Dec 2022 14:09:51 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 8133B8E0001; Tue,  6 Dec 2022 14:09:51 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 6DABE8E0003; Tue,  6 Dec 2022 14:09:51 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id 5D7228E0001
	for <linux-mm@kvack.org>; Tue,  6 Dec 2022 14:09:51 -0500 (EST)
Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id 265BBAB3DC
	for <linux-mm@kvack.org>; Tue,  6 Dec 2022 19:09:51 +0000 (UTC)
X-FDA: 80212820982.14.C22BEE1
Received: from mail-oa1-f49.google.com (mail-oa1-f49.google.com [209.85.160.49])
	by imf13.hostedemail.com (Postfix) with ESMTP id D266E2000B
	for <linux-mm@kvack.org>; Tue,  6 Dec 2022 19:09:50 +0000 (UTC)
Authentication-Results: imf13.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=NzZ9GEK2;
	spf=pass (imf13.hostedemail.com: domain of hughd@google.com designates 209.85.160.49 as permitted sender) smtp.mailfrom=hughd@google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1670353790; a=rsa-sha256;
	cv=none;
	b=PdkVUz5FqRTRZF4+XmxDAnMeHfKK4rtLtd5gEojicQWjg5LPwZVNXtSQaqX6pT2VkXcINZ
	Y1X6QvYXf2Apa+6L0nE7YYaF4LBYNhibriG5bHMAd8cxh+ck0FakQJfm/WwpiM1oGq4AKY
	v+C23gDs2EzTLYM0v4g1Szz3i7Yb5WE=
ARC-Authentication-Results: i=1;
	imf13.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=NzZ9GEK2;
	spf=pass (imf13.hostedemail.com: domain of hughd@google.com designates 209.85.160.49 as permitted sender) smtp.mailfrom=hughd@google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1670353790;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=BdEVe1fkQEKVdGERRafaR9y25MuuPSNdqysHtrFxhBc=;
	b=fn7OJoPfTz2WG13vPHcHHH0F6zdfIrd5EtQ2R+4G8uHy1cUs+dlVKBocEMqPmnsn2QrM7r
	0V7q53BcFjYzU7w3e/6HlkKr2rcIBa7Y7C49AVWF0OjqQNqkmDx/E0Q8mRmbBTVBpWasK8
	2kndFQ0JDaIZ2g0RCQPa91nBQe+Fc4Q=
Received: by mail-oa1-f49.google.com with SMTP id 586e51a60fabf-1443a16b71cso15076704fac.13
        for <linux-mm@kvack.org>; Tue, 06 Dec 2022 11:09:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:message-id:in-reply-to:subject:cc:to:from
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=BdEVe1fkQEKVdGERRafaR9y25MuuPSNdqysHtrFxhBc=;
        b=NzZ9GEK2anazrjrWt8gm6BsL3RX9wGBqD0SD/nVRp+4i5wDcqbnK1HBEoEcik3nw/0
         KxgQWAtwcx7Az+bFJU0ZTKREJjSD1QfLbCoIBQ6J37UVPFymYsEBYQd+0WhtmCHG4R8m
         V1U95jTzB29gWmrrKg63QSTm5R30jjoCL9muHVq5BAPI5uGHnO/oQ3kLfpXU6zO8Hrot
         oO00ki8ruN9BAFZKQ/5TB9s8cAv/Hyg7DZxPymRHn27d1PcDKlZUNbisAcFJPAfwqi2E
         5uB19jFuR1j5dzyvpwyW7Fk2mdioyp28NpuTgHB5vDjQnVfvuCuMU0iKsd7aGjYXzPAa
         xcDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=mime-version:references:message-id:in-reply-to:subject:cc:to:from
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=BdEVe1fkQEKVdGERRafaR9y25MuuPSNdqysHtrFxhBc=;
        b=Sfkh32jpQfyl14gyMqxDqAE/4c2oKD8Xh/UnWFxXIzErZhUOrPkOxKHDT7fyjn+P7V
         cnf3mAVOAqdHFoIY0jp2Em3KOPM+18AOj93RkERiGDxQBWrhjsj9fpQOPqgGD2dAGwAZ
         4iJit66M5KOtY4Gk5Z0sI9I1fZEOQrc6JxJXbXq6AhdycxO+5y43gHSum/S3/QvVmVLC
         IuBenGCWOG3YnhtumJQ/OCyOW+//C4CyrgniKZ69Z648lKrFxaBc3sctrWZitq/G6OXh
         ihRBeKf38olDgVcypO3jT4la4SF9AOsHnO75pNLjyp6bITD8TU+emKHczf8zuJU7QRnX
         LtKA==
X-Gm-Message-State: ANoB5pkWNSEIrStjEChJjy47X2NYzAZTM11UBDw++qgqC70918rI8z8H
	ywP62k6QRiBq9cltY3/dAwv0sw==
X-Google-Smtp-Source: AA0mqf7l0XL7uOo6BoG/g25r+wke4Y2gze6v3cH4Tc/K3CHqPCRxv+QBzSm0vFQeyELpckQ3fcD+rg==
X-Received: by 2002:a05:6870:c8c:b0:143:b006:7be9 with SMTP id mn12-20020a0568700c8c00b00143b0067be9mr22835025oab.69.1670353789957;
        Tue, 06 Dec 2022 11:09:49 -0800 (PST)
Received: from ripple.attlocal.net (172-10-233-147.lightspeed.sntcca.sbcglobal.net. [172.10.233.147])
        by smtp.gmail.com with ESMTPSA id r16-20020a05687080d000b00142d7f2fd4fsm11141637oab.48.2022.12.06.11.09.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 06 Dec 2022 11:09:49 -0800 (PST)
Date: Tue, 6 Dec 2022 11:09:40 -0800 (PST)
From: Hugh Dickins <hughd@google.com>
X-X-Sender: hugh@ripple.attlocal.net
To: Peter Xu <peterx@redhat.com>
cc: David Hildenbrand <david@redhat.com>, linux-kernel@vger.kernel.org, 
    linux-mm@kvack.org, Ives van Hoorne <ives@codesandbox.io>, 
    Andrew Morton <akpm@linux-foundation.org>, Hugh Dickins <hughd@goole.com>, 
    Alistair Popple <apopple@nvidia.com>, 
    Mike Rapoport <rppt@linux.vnet.ibm.com>, Nadav Amit <nadav.amit@gmail.com>, 
    Andrea Arcangeli <aarcange@redhat.com>
Subject: Re: [PATCH RFC] mm/userfaultfd: enable writenotify while userfaultfd-wp
 is enabled for a VMA
In-Reply-To: <92173bad-caa3-6b43-9d1e-9a471fdbc184@redhat.com>
Message-ID: <22d8e8ac-d75-a66-2650-b4d59f89855e@google.com>
References: <20221202122748.113774-1-david@redhat.com> <Y4oo6cN1a4Yz5prh@x1n> <690afe0f-c9a0-9631-b365-d11d98fdf56f@redhat.com> <19800718-9cb6-9355-da1c-c7961b01e922@redhat.com> <Y45duzmGGUT0+u8t@x1n> <92173bad-caa3-6b43-9d1e-9a471fdbc184@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Spamd-Result: default: False [4.39 / 9.00];
	SORBS_IRL_BL(3.00)[209.85.160.49:from];
	SUSPICIOUS_RECIPS(1.50)[];
	BAYES_HAM(-0.21)[65.91%];
	RCVD_NO_TLS_LAST(0.10)[];
	MIME_GOOD(-0.10)[text/plain];
	BAD_REP_POLICIES(0.10)[];
	R_SPF_ALLOW(0.00)[+ip4:209.85.128.0/17];
	ARC_NA(0.00)[];
	RCPT_COUNT_SEVEN(0.00)[11];
	DMARC_POLICY_ALLOW(0.00)[google.com,reject];
	FROM_EQ_ENVFROM(0.00)[];
	MID_RHS_MATCH_FROM(0.00)[];
	MIME_TRACE(0.00)[0:+];
	TO_DN_SOME(0.00)[];
	DKIM_TRACE(0.00)[google.com:+];
	RCVD_COUNT_THREE(0.00)[3];
	PREVIOUSLY_DELIVERED(0.00)[linux-mm@kvack.org];
	TAGGED_RCPT(0.00)[];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	ARC_SIGNED(0.00)[hostedemail.com:s=arc-20220608:i=1];
	R_DKIM_ALLOW(0.00)[google.com:s=20210112];
	FROM_HAS_DN(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[]
X-Rspam-User: 
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: D266E2000B
X-Stat-Signature: r43mqgrmwtnerh98ypsrpsrzrdqemq6h
X-HE-Tag: 1670353790-93185
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Tue, 6 Dec 2022, David Hildenbrand wrote:
...
> 
> We never had to remove write permissions so far from the vma->vm_page_prot
> default. We always only added permissions.
> 
> 
> Now, uffd-wp on shmem as of now violates these semantics. vma->vm_page_prot
> cannot always be used as a safe default, because we might have to wrprotect
> individual PTEs. Note that for uffd-wp on anonymous memory this was not an
> issue, because we default to !write in vma->vm_page_prot.
> 
> 
> The two possible ways to approach this for uffd-wp on shmem are:
> 
> (1) Obey existing vma->vm_page_prot semantics. Default to !write and
>     optimize the relevant cases to *add* the write bit. This is
>     essentially what this patch does, minus
>     can_change_pte_writable() optimizations on relevant code paths where
>     we'd want to maintain the write bit. For example, when removing
>     uffd-wp protection we might want to restore the write bit directly.
> 
> (2) Default to write permissions and check each and every code location
>     where we remap for uffd-wp ptes, to manuall wrprotect -- *remove*
>     the write bit. Alternatively, as you said, always wrprotect when
>     setting the PTE bit, which might work as well.
> 
> 
> My claim is that (1) is less error prone, because in the worst case we forget
> to optimize one code location -- instead to resulting in a BUG if we forget to
> wrprotect (what we have now). But I am not going to fight for it, because I
> can see that (2) can be made to work as well, as you outline in your patch.
> 
> You seem to have decided on (2). Fair enough, you know uffd-wp best. We just
> have to fix it properly and make the logic consistent whenever we remap a
> page.
> 
...
> 
> But I'm not going to argue about whats valid and whats not as long as it's
> documented ;). I primarily wanted to showcase that the same logic based on
> vma->vm_page_prot is used elsewhere, and that migration PTE restoration is not
> particularly special.

I have not been following the uffd-wp work, but I believe that David's
painstaking and excellent account of vm_page_prot is correct.  Peter,
please I beg you to follow his advice and go for (1) for uffd-wp.

I do not share David's faith in "documented": documented or not,
depart from safe convention and you will be adding (at least the
opportunity for) serious bugs.

Hugh