On Wed, Apr 24, 2019 at 09:33:44AM +0200, Laurent Dufour wrote:
> On 23/04/2019 at 11:38, Peter Zijlstra wrote:
> > On Mon, Apr 22, 2019 at 02:29:16PM -0700, Michel Lespinasse wrote:
> > > The proposed spf mechanism only handles anon vmas. Is there a
> > > fundamental reason why it couldn't handle mapped files too ?
> > > My understanding is that the mechanism of verifying the vma after
> > > taking back the ptl at the end of the fault would work there too ?
> > > The file has to stay referenced during the fault, but holding the vma's
> > > refcount could be made to cover that ? the vm_file refcount would have
> > > to be released in __free_vma() instead of remove_vma; I'm not quite sure
> > > if that has more implications than I realize ?
> >
> > IIRC (and I really don't remember all that much) the trickiest bit was
> > vs unmount. Since files can stay open past the 'expected' duration,
> > umount could be delayed.
> >
> > But yes, I think I had a version that did all that just 'fine'. Like
> > mentioned, I didn't keep the refcount because it sucked just as hard as
> > the mmap_sem contention, but the SRCU callback did the fput() just fine
> > (esp. now that we have delayed_fput).
>
> I had to use a refcount for the VMA because I'm using RCU in place of SRCU
> and only protecting the RB tree using RCU.
>
> Regarding the file pointer, I decided to release it synchronously to avoid
> the latency of RCU during the file closing. As you mentioned this could
> delay the umount but not only, as Linus Torvalds demonstrated in the past
> [1]. Anyway, since the file support is not yet here there is no need for
> that currently.
>
> [1] https://lore.kernel.org/linux-mm/alpine.LFD.2.00.1001041904250.3630@localhost.localdomain/

Just to make sure I understand this correctly.
If a program tries to munmap a region while page faults are occurring
(which means that the program has a race condition in the first place),
before spf the mmap_sem would delay the munmap until the page fault
completes. With spf the munmap will happen immediately, while the
vm_ops->fault() is running, with spf holding a ref to the file.
vm_ops->fault is expected to execute a read from the file to the page
cache, and the page cache page will never be mapped into the process
because after taking the ptl, spf will notice the vma changed.

So, the side effects that may be observed after munmap completes would be:
- side effects from reading a file into the page cache - I'm not sure
  what they are, the main one I can think of is that userspace may
  observe the file's atime changing ?
- side effects from holding a reference to the file - which userspace
  may observe by trying to unmount().

Is that the extent of the side effects, or are there more that I have
not thought of ?

> Regarding the file mapping support, the concern is to ensure that
> vm_ops->fault() will not try to release the mmap_sem. This is true for most
> of the file system operation using the generic one, but there is currently
> no clever way to identify that except by checking the vm_ops->fault pointer.
> Adding a flag to the vm_operations_struct structure is another option.
>
> that's doable as far as the underlying fault() function is not dealing with
> the mmap_sem, and I made a try in the past but was thinking that first the
> anonymous case should be accepted before moving forward this way.

Yes, that makes sense. Updating all of the fault handlers would be a lot
of work - but there doesn't seem to be anything fundamental that wouldn't
work there (except for the side effects of reordering spf against munmap,
as discussed above, which doesn't look easy to fully hide.).

--
Michel "Walken" Lespinasse
A program is never fully debugged until the last user dies.
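The munmap-versus-speculative-fault ordering discussed in this message, as an added userspace model that is not code from the SPF series or from anyone in the thread. The vma carries a seqcount (assumed to be named vm_sequence, as in the series) that munmap bumps; the speculative fault re-reads it after "taking the ptl" and refuses to map the page if it moved, while the page-cache read and the file reference it held are visible side effects either way. The ptl itself is not modelled, since the example runs serially and injects the racing munmap through a hook.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel objects; not the real structs. */
struct file { int refcount; int pagecache_reads; bool closed; };

struct vma {
    unsigned long start, end;
    atomic_uint vm_sequence;   /* seqcount: odd while a writer is active */
    struct file *vm_file;
};

static void fput(struct file *f) { if (--f->refcount == 0) f->closed = true; }

/* munmap: bump the seqcount around the change and drop the vma's file ref
 * synchronously, as Laurent describes doing in his series. */
static void munmap_vma(struct vma *v)
{
    atomic_fetch_add(&v->vm_sequence, 1);   /* write_seqcount_begin */
    v->start = v->end = 0;
    fput(v->vm_file);
    atomic_fetch_add(&v->vm_sequence, 1);   /* write_seqcount_end */
}

/* Speculative fault. 'race' is a test hook run between the file read and the
 * re-validation, standing in for another thread calling munmap. */
static int spf_fault(struct vma *v, unsigned long addr, void (*race)(struct vma *))
{
    unsigned seq = atomic_load(&v->vm_sequence);    /* read_seqcount_begin */
    if ((seq & 1) || addr < v->start || addr >= v->end)
        return -1;                                   /* fall back to the mmap_sem path */
    struct file *f = v->vm_file;
    f->refcount++;                                   /* spf keeps the file alive */
    f->pagecache_reads++;                            /* vm_ops->fault: read into page cache */
    if (race) race(v);                               /* munmap from the other thread lands here */
    /* "take the ptl", then read_seqcount_retry: map only if the vma is unchanged */
    int ret = (atomic_load(&v->vm_sequence) == seq) ? 0 : -1;
    fput(f);                                         /* may be the last ref if munmap already dropped its own */
    return ret;
}

/* Build a vma over [0x1000,0x2000) holding one file ref and fault at 0x1800.
 * Returns 0 if the page was mapped, -1 if spf had to abort. last_file keeps
 * the observable side effects for inspection. */
static struct file last_file;
static int run_fault(bool race_with_munmap)
{
    last_file = (struct file){ .refcount = 1 };
    struct vma v = { .start = 0x1000, .end = 0x2000, .vm_file = &last_file };
    atomic_init(&v.vm_sequence, 0);
    return spf_fault(&v, 0x1800, race_with_munmap ? munmap_vma : NULL);
}
```

In the racing case the page is never mapped, yet the page-cache read still happened and the file is only released after spf drops its reference, which is exactly what userspace could observe via atime or a delayed umount.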