On Thu, Oct 21, 2021 at 7:09 PM Catalin Marinas <catalin.marinas@xxxxxxx> wrote: > On Thu, Oct 21, 2021 at 04:42:33PM +0200, Andreas Gruenbacher wrote: > > On Thu, Oct 21, 2021 at 12:06 PM Catalin Marinas > > <catalin.marinas@xxxxxxx> wrote: > > > On Thu, Oct 21, 2021 at 02:46:10AM +0200, Andreas Gruenbacher wrote: > > > > When a page fault would occur, we > > > > get back an error instead, and then we try to fault in the offending > > > > pages. If a page is resident and we still get a fault trying to access > > > > it, trying to fault in the same page again isn't going to help and we > > > > have a true error. > > > > > > You can't be sure the second fault is a true error. The unlocked > > > fault_in_*() may race with some LRU scheme making the pte not accessible > > > or a write-back making it clean/read-only. copy_to_user() with > > > pagefault_disabled() fails again but that's a benign fault. The > > > filesystem should re-attempt the fault-in (gup would correct the pte), > > > disable page faults and copy_to_user(), potentially in an infinite loop. > > > If you bail out on the second/third uaccess following a fault_in_*() > > > call, you may get some unexpected errors (though very rare). Maybe the > > > filesystems avoid this problem somehow but I couldn't figure it out. > > > > Good point, we can indeed only bail out if both the user copy and the > > fault-in fail. > > > > But probing the entire memory range in fault domain granularity in the > > page fault-in functions still doesn't actually make sense. Those > > functions really only need to guarantee that we'll be able to make > > progress eventually. From that point of view, it should be enough to > > probe the first byte of the requested memory range, so when one of > > those functions reports that the next N bytes should be accessible, > > this really means that the first byte surely isn't permanently > > inaccessible and that the rest is likely accessible. Functions > > fault_in_readable and fault_in_writeable already work that way, so > > this only leaves function fault_in_safe_writeable to worry about. > > I agree, that's why generic_perform_write() works. It does a get_user() > from the first byte in that range and the subsequent copy_from_user() > will make progress of at least one byte if it was readable. Eventually > it will hit the byte that faults. The gup-based fault_in_*() are a bit > more problematic. > > Your series introduces fault_in_safe_writeable() and I think for MTE > doing a _single_ get_user(uaddr) (in addition to the gup checks for > write) would be sufficient as long as generic_file_read_iter() advances > by at least one byte (eventually). > > This discussion started with the btrfs search_ioctl() where, even if > some bytes were written in copy_to_sk(), it always restarts from an > earlier position, reattempting to write the same bytes. Since > copy_to_sk() doesn't guarantee forward progress even if some bytes are > writable, Linus' suggestion was for fault_in_writable() to probe the > whole range. I consider this overkill since btrfs is the only one that > needs probing every 16 bytes. The other cases like the new > fault_in_safe_writeable() can be fixed by probing the first byte only > followed by gup. Hmm. Direct I/O request sizes are multiples of the underlying device block size, so we'll also get stuck there if fault-in won't give us a full block. This is getting pretty ugly. So scratch that idea; let's stick with probing the whole range. Thanks, Andreas > I think we need to better define the semantics of the fault_in + uaccess > sequences. For uaccess, we document "a hard requirement that not storing > anything at all (i.e. returning size) should happen only when nothing > could be copied" (from linux/uaccess.h). I think we can add a > requirement for the new size_t-based fault_in_* variants without > mandating that the whole range is probed, something like: "returning > leftover < size guarantees that a subsequent user access at uaddr copies > at least one byte eventually". I said "eventually" but maybe we can come > up with some clearer wording for a liveness property. > > Such requirement would ensure that infinite loops of fault_in_* + > uaccess make progress as long as they don't reset the probed range. Code > like btrfs search_ioctl() would need to be adjusted to avoid such range > reset and guarantee forward progress. > > -- > Catalin >
