mbox series

[v4,0/4] arm64/mm: Enable userfaultfd write-protect

Message ID 20240503144604.151095-1-ryan.roberts@arm.com (mailing list archive)
Headers show
Series arm64/mm: Enable userfaultfd write-protect | expand

Message

Ryan Roberts May 3, 2024, 2:45 p.m. UTC 
Hi All,

This series adds uffd write-protect support for arm64.

Previous attempts to add uffd-wp (and soft-dirty) have failed because of a
perceived lack of available PTE SW bits. However it actually turns out that
there are 2 available but they are hidden. PTE_PROT_NONE was previously
occupying a SW bit, but can be moved, freeing up the SW bit. Bit 63 is marked as
"IGNORED" in the Arm ARM, but it does not currently indicate "reserved for SW
use" like it does for the other SW bits. I've confirmed with the spec owner that
this is an oversight; the bit is intended to be reserved for SW use and the spec
will clarify this in a future update.

So now we have two spare bits; patch 4 enables uffd-wp on arm64, using the SW
bit freed up by moving PTE_PROT_NONE. This leaves bit 63 spare for future use
(e.g. soft-dirty - see RFC at [4] - or some other usage).

---

This applies on top of v6.9-rc5.

All mm selftests involving uffd-wp now run. However, this work exposed a bug in
core-mm that was leading to some test uffd-wp failures in the pagemap_ioctl
test. The fix for that is posted at [5], and is in mm-hotfixes-unstable. With
the fix applied, all the uffd-wp tests pass and no other selftest regressions
are observed.


Changes since v3 [3]
====================

patch 1 & 2 (was patch 1):
  - Split into 2 patches (per Anshuman):
     - patch 1: generalizes PMD_PRESENT_INVALID
     - patch 2: removes PTE_PROT_NONE
  - Re-aded comment for PTE_PRESENT_INVALID (per Anshuman)


Changes since v2 [2]
====================

patch 1:
  - Renamed PTE_INVALID -> PTE_PRESENT_INVALID, pte_invalid() ->
    pte_present_invalid() (per Catalin)
  - Added comment explaining test in pte_protnone() (per Will)
  - Added R-b (thanks to Catalin)
patch 2:
  - Move PTE_PRESENT_INVALID to PTE_NG instead of PTE_NS (per Will)
  - Added R-b (thanks to Catalin)
patch 3:
  - Added R-b (thanks to Catalin, David)


Changes since v1 [1]
====================

patch 1 & 2 (was patch 1):
  - generalized PMD_PRESENT_INVALID into PTE_INVALID
  - removed explicit PTE_PROT_NONE bit
patch 3 (was patch 2):
  - collected R-b/A-b from Peter and Catalin - thanks!


[1] https://lore.kernel.org/linux-arm-kernel/20240424111017.3160195-1-ryan.roberts@arm.com/
[2] https://lore.kernel.org/linux-arm-kernel/20240429140208.238056-1-ryan.roberts@arm.com/
[3] https://lore.kernel.org/linux-arm-kernel/20240501145419.1390363-1-ryan.roberts@arm.com/
[4] https://lore.kernel.org/all/20240419074344.2643212-1-ryan.roberts@arm.com/
[5] https://lore.kernel.org/all/20240429114104.182890-1-ryan.roberts@arm.com/

Thanks,
Ryan

Ryan Roberts (4):
  arm64/mm: generalize PMD_PRESENT_INVALID for all levels
  arm64/mm: Remove PTE_PROT_NONE bit
  arm64/mm: Move PTE_PRESENT_INVALID to overlay PTE_NG
  arm64/mm: Add uffd write-protect support

 arch/arm64/Kconfig                    |   1 +
 arch/arm64/include/asm/pgtable-prot.h |  19 +++--
 arch/arm64/include/asm/pgtable.h      | 104 +++++++++++++++++++-------
 3 files changed, 91 insertions(+), 33 deletions(-)

--
2.43.0

Comments

Will Deacon May 7, 2024, 11:07 a.m. UTC | #1 
Hi Ryan,

On Fri, May 03, 2024 at 03:45:58PM +0100, Ryan Roberts wrote:
> This series adds uffd write-protect support for arm64.
> 
> Previous attempts to add uffd-wp (and soft-dirty) have failed because of a
> perceived lack of available PTE SW bits. However it actually turns out that
> there are 2 available but they are hidden. PTE_PROT_NONE was previously
> occupying a SW bit, but can be moved, freeing up the SW bit. Bit 63 is marked as
> "IGNORED" in the Arm ARM, but it does not currently indicate "reserved for SW
> use" like it does for the other SW bits. I've confirmed with the spec owner that
> this is an oversight; the bit is intended to be reserved for SW use and the spec
> will clarify this in a future update.
> 
> So now we have two spare bits; patch 4 enables uffd-wp on arm64, using the SW
> bit freed up by moving PTE_PROT_NONE. This leaves bit 63 spare for future use
> (e.g. soft-dirty - see RFC at [4] - or some other usage).
> 
> ---
> 
> This applies on top of v6.9-rc5.

I chucked this into the CI on Friday and it looks to have survived the
long weekend, so I've gone ahead and merged it into for-next/core. Short
of any last minute failures (touch wood), this should land in 6.10.

Thanks!

Will
Ryan Roberts May 7, 2024, 11:17 a.m. UTC | #2 
On 07/05/2024 12:07, Will Deacon wrote:
> Hi Ryan,
> 
> On Fri, May 03, 2024 at 03:45:58PM +0100, Ryan Roberts wrote:
>> This series adds uffd write-protect support for arm64.
>>
>> Previous attempts to add uffd-wp (and soft-dirty) have failed because of a
>> perceived lack of available PTE SW bits. However it actually turns out that
>> there are 2 available but they are hidden. PTE_PROT_NONE was previously
>> occupying a SW bit, but can be moved, freeing up the SW bit. Bit 63 is marked as
>> "IGNORED" in the Arm ARM, but it does not currently indicate "reserved for SW
>> use" like it does for the other SW bits. I've confirmed with the spec owner that
>> this is an oversight; the bit is intended to be reserved for SW use and the spec
>> will clarify this in a future update.
>>
>> So now we have two spare bits; patch 4 enables uffd-wp on arm64, using the SW
>> bit freed up by moving PTE_PROT_NONE. This leaves bit 63 spare for future use
>> (e.g. soft-dirty - see RFC at [4] - or some other usage).
>>
>> ---
>>
>> This applies on top of v6.9-rc5.
> 
> I chucked this into the CI on Friday and it looks to have survived the
> long weekend, so I've gone ahead and merged it into for-next/core. Short
> of any last minute failures (touch wood), this should land in 6.10.

Oh great - thanks!

Catalin was previously proposing to hold this until 6.11 - I'll leave you two to
fight it out in case that's still his preference ;-)

> 
> Thanks!
> 
> Will
Catalin Marinas May 7, 2024, 11:45 a.m. UTC | #3 
On Tue, May 07, 2024 at 12:17:18PM +0100, Ryan Roberts wrote:
> On 07/05/2024 12:07, Will Deacon wrote:
> > On Fri, May 03, 2024 at 03:45:58PM +0100, Ryan Roberts wrote:
> >> This series adds uffd write-protect support for arm64.
> >>
> >> Previous attempts to add uffd-wp (and soft-dirty) have failed because of a
> >> perceived lack of available PTE SW bits. However it actually turns out that
> >> there are 2 available but they are hidden. PTE_PROT_NONE was previously
> >> occupying a SW bit, but can be moved, freeing up the SW bit. Bit 63 is marked as
> >> "IGNORED" in the Arm ARM, but it does not currently indicate "reserved for SW
> >> use" like it does for the other SW bits. I've confirmed with the spec owner that
> >> this is an oversight; the bit is intended to be reserved for SW use and the spec
> >> will clarify this in a future update.
> >>
> >> So now we have two spare bits; patch 4 enables uffd-wp on arm64, using the SW
> >> bit freed up by moving PTE_PROT_NONE. This leaves bit 63 spare for future use
> >> (e.g. soft-dirty - see RFC at [4] - or some other usage).
> >>
> >> ---
> >>
> >> This applies on top of v6.9-rc5.
> > 
> > I chucked this into the CI on Friday and it looks to have survived the
> > long weekend, so I've gone ahead and merged it into for-next/core. Short
> > of any last minute failures (touch wood), this should land in 6.10.
> 
> Oh great - thanks!
> 
> Catalin was previously proposing to hold this until 6.11 - I'll leave you two to
> fight it out in case that's still his preference ;-)

Fine by me as well to go in 6.10. Will is taking the blame if it all
falls apart ;).
Anshuman Khandual May 8, 2024, 10 a.m. UTC | #4 
On 5/7/24 16:37, Will Deacon wrote:
> Hi Ryan,
> 
> On Fri, May 03, 2024 at 03:45:58PM +0100, Ryan Roberts wrote:
>> This series adds uffd write-protect support for arm64.
>>
>> Previous attempts to add uffd-wp (and soft-dirty) have failed because of a
>> perceived lack of available PTE SW bits. However it actually turns out that
>> there are 2 available but they are hidden. PTE_PROT_NONE was previously
>> occupying a SW bit, but can be moved, freeing up the SW bit. Bit 63 is marked as
>> "IGNORED" in the Arm ARM, but it does not currently indicate "reserved for SW
>> use" like it does for the other SW bits. I've confirmed with the spec owner that
>> this is an oversight; the bit is intended to be reserved for SW use and the spec
>> will clarify this in a future update.
>>
>> So now we have two spare bits; patch 4 enables uffd-wp on arm64, using the SW
>> bit freed up by moving PTE_PROT_NONE. This leaves bit 63 spare for future use
>> (e.g. soft-dirty - see RFC at [4] - or some other usage).
>>
>> ---
>>
>> This applies on top of v6.9-rc5.
> 
> I chucked this into the CI on Friday and it looks to have survived the
> long weekend, so I've gone ahead and merged it into for-next/core. Short
> of any last minute failures (touch wood), this should land in 6.10.

It would be great to have some memory migration tests (including THP and HugeTLB)
thrown at this series, which should test the mapped, migration entry transitions
etc. But not sure if there are any such tests off the shelf and readily available
in the CI system.
Ryan Roberts May 8, 2024, 10:14 a.m. UTC | #5 
On 08/05/2024 11:00, Anshuman Khandual wrote:
> 
> 
> On 5/7/24 16:37, Will Deacon wrote:
>> Hi Ryan,
>>
>> On Fri, May 03, 2024 at 03:45:58PM +0100, Ryan Roberts wrote:
>>> This series adds uffd write-protect support for arm64.
>>>
>>> Previous attempts to add uffd-wp (and soft-dirty) have failed because of a
>>> perceived lack of available PTE SW bits. However it actually turns out that
>>> there are 2 available but they are hidden. PTE_PROT_NONE was previously
>>> occupying a SW bit, but can be moved, freeing up the SW bit. Bit 63 is marked as
>>> "IGNORED" in the Arm ARM, but it does not currently indicate "reserved for SW
>>> use" like it does for the other SW bits. I've confirmed with the spec owner that
>>> this is an oversight; the bit is intended to be reserved for SW use and the spec
>>> will clarify this in a future update.
>>>
>>> So now we have two spare bits; patch 4 enables uffd-wp on arm64, using the SW
>>> bit freed up by moving PTE_PROT_NONE. This leaves bit 63 spare for future use
>>> (e.g. soft-dirty - see RFC at [4] - or some other usage).
>>>
>>> ---
>>>
>>> This applies on top of v6.9-rc5.
>>
>> I chucked this into the CI on Friday and it looks to have survived the
>> long weekend, so I've gone ahead and merged it into for-next/core. Short
>> of any last minute failures (touch wood), this should land in 6.10.
> 
> It would be great to have some memory migration tests (including THP and HugeTLB)
> thrown at this series, which should test the mapped, migration entry transitions
> etc. But not sure if there are any such tests off the shelf and readily available
> in the CI system.

The "private_anon_thp" migration test in mm selftests is doing that for THP. and
invoking pmd_mkinvalid() as I recall; that's what originally led to me finding
the pmd_mkinvalid()-on-a-swap-pmd bug. There is nothing in that suite for
HugeTLB though - happy to run if someone can recommend anything.