On Thu, 3 Jun 2021, Linus Torvalds wrote: > On Wed, Jun 2, 2021 at 5:46 PM Hugh Dickins <hughd@xxxxxxxxxx> wrote: > > > > Ideally you can simply call do_anonymous_page() from __do_fault() > > in the VM_FAULT_SIGBUS on VM_NOSIGBUS case. > > Heh. > > We're actually then back to my original patch. > > That one doesn't handle shared mappings (even read-only ones), for the > simple reason that do_anonymous_page() refuses to insert anonymous > pages into a shared mapping, and has > > /* File mapping without ->vm_ops ? */ > if (vma->vm_flags & VM_SHARED) > return VM_FAULT_SIGBUS; > > at the very top. > > But yes, if we just remove that check, I think my original patch > should actually "JustWork(tm)". But no! Sorry, I don't have time for this at present, so haven't looked at your original patch. But the point that we've arrived at, that I'm actually now fairly happy with, is do *not* permit MAP_NOSIGBUS on MAP_SHARED mappings. I didn't check the placement yet, easy to get wrong, but I believe Ming Lin is now enforcing that over at the mmap() end. On a MAP_PRIVATE mapping, the nasty opaque blob of zeroes can claim some precedent in what already happens with COW'ed pages. Which leaves MAP_NOSIGBUS on MAP_SHARED as currently unsupported, perhaps never supported on anything, perhaps one day supported on shmem; but if it's ever supported then that one will naturally be transparent to future changes in page cache - we call that "shared". Of course, internally, there's the in-between case of MAP_SHARED without PROT_WRITE and without writable fd: VM_MAYSHARE without VM_SHARED or VM_MAYWRITE. We *could* let that one accept MAP_NOSIGBUS, but who wants to write the manpage for it? Please stick to MAP_PRIVATE: that's good enough. > > I'm attaching it again, with old name and old commentary (ie that > > /* FIXME! We don't have a VM_NOFAULT bit */ > > should just be replaced with that VM_NOSIGBUS bit instead, and the > #if'ed out region should be enabled. > > Oh, and we need to think hard about one more case: mprotect(). > > In particular, I think the attached patch fails horribly for the case > of a shared mapping that starts out read-only, then inserts a zero > page, then somebody does mprotect(MAP_WRITE), and then writes to the > page. I haven't checked what the write protect fault handler does, but > I think that for a shared mapping it will just make the page dirty and > writable. Obviously the finished patch will need to be scrutinized carefully, but I think the mprotect() questions vanish when restricted to MAP_PRIVATE. > > Which would be horribly wrong for VM_NOSIGBUS. > > So that support infrastructure that adds MAP_NOSIGBUS, and checks that > it is only done on a read-only mapping, also has to make sure that it > clears the VM_MAYWRITE bit when it sets VM_NOSIGBUS. > > That way mprotect can't then later make it writable. > > Hugh, comments on this approach? Comments above, just stick to MAP_PRIVATE. Hugh > > Again: this patch is my *OLD* one, I didn't try to update it to the > new world order. It requires > > - Ming's MAP_NOSIGBUS ccode > > - removal of that "File mapping without ->vm_ops" case > > - that FIXME fixed and name updated > > - and that VM_MAYWRITE clearing if VM_NOSIGBUS is set, to avoid the > mprotect issue. > > Hmm? > > Linus
