Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp296704pxj; Thu, 3 Jun 2021 07:00:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJweSgWXyuAsQJLtajmaDHgMp5xL3YA6gOL4Iu0JNdPBW1HWgevhO1ZitDEs7pp2L7bwR5Qh X-Received: by 2002:aa7:c705:: with SMTP id i5mr20290242edq.222.1622728848384; Thu, 03 Jun 2021 07:00:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622728848; cv=none; d=google.com; s=arc-20160816; b=rmm80yqdNebrFl0dHoLKqDnl5V/HjkYyI49+aXIHtTVhWmKpqe9rHMkSOUx7Gg6OrO 5R3w7tzYN7GvpfjQLNfZzX+W5fZpmm4YxbTu95/wDZW+ZIi70xu7C3dQX5RatCNRHO74 snjcAw2XIQxynGbD7xmxOC0KZeOc6Tgs4c01fV706OFOMupq2NTgBthJgP3a/Z/5vWTf IP2UONPd1hU0yrJOlHRqAosRTFBT4x6OPofFZUwTlAXBvXPsVxeSWMFt7H6w5b55mQuk +0vY7i+yo0h1Q7rqeAnY9YMsix0nnJl5Ji2WMLJqIyQ3oJxhiwN6f+ZLIdYzbdF9z5gF a4Xw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=+FpiVrMEbOqRGaeMB09DrnctJgDKR4e1rzAT2/F3j5Y=; b=xNahuatqDvCJyRn0R9qNOVEhyN9cyd9geEds6rgASn5cD+cUki69JnaxiLs+yg0cql QQM/8D/2fVNXtsOy/LmGhCoPBNfXiznP/x0q0ESCZEuJRtppGvvucv0jlyZxAxTIhp6z PIp5jvZBBJ2CAe6usmZaXTlomrdbjuJn+750gSiEyDkMDI/mUbzbOolKJCk1eU9LMxLy dvGSR8ysOUlORi/Yq3GsFetja0HtG+O3gjpvNmYbeLTLaRj/BfxnSHr1tVbG9q0uQ4HA unCsXhQEH/JxKX/ynr8Hps6lqXpN0bB72igbudOCfi0qVrro2ndD/jKo+A8ZpPQHt88C fLTw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=NzEdjOLT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dd11si2234298edb.528.2021.06.03.07.00.25; Thu, 03 Jun 2021 07:00:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=NzEdjOLT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231437AbhFCOAW (ORCPT + 99 others); Thu, 3 Jun 2021 10:00:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36986 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231415AbhFCOAV (ORCPT ); Thu, 3 Jun 2021 10:00:21 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C856DC06174A for ; Thu, 3 Jun 2021 06:58:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=+FpiVrMEbOqRGaeMB09DrnctJgDKR4e1rzAT2/F3j5Y=; b=NzEdjOLTc4TIfA385DUiwiv9uV tBRBe3N2XKdxbiVKP2gfi1QztN63Cup2qCX3MbRjB/QeuyreB1xU+/uVGph1xSO5bUCz60LdN4xXH om/LQGbAcdREA/zxcdr4Tn1ZzKZ9D9LpxDJzfEtC1VRNGjce5AKHdEFnb95/hIu5vhUrcgsXYZFvf uR089iqb2JiFxtDsv5yLPfjcVvVLWeUpkam2Puv48OcScdMikD0QxxIjMQiha9mSm9xAvWuQFa5BL j7z6SdJMZQt7i55LI2t8fiEe9cdguaeaCp/TfFNzrRzkK3787Sf4Jww6V5iLlY+nu0JqKYqV+DjlC uXuOymzA==; Received: from willy by casper.infradead.org with local (Exim 4.94 #2 (Red Hat Linux)) id 1lonqu-00CDEP-Lu; Thu, 03 Jun 2021 13:57:45 +0000 Date: Thu, 3 Jun 2021 14:57:40 +0100 From: Matthew Wilcox To: Simon Ser Cc: Hugh Dickins , Linus Torvalds , "Lin, Ming" , Peter Xu , "Kirill A. Shutemov" , Dan Williams , "Kirill A. Shutemov" , Will Deacon , Linux Kernel Mailing List , David Herrmann , "linux-mm@kvack.org" , Greg Kroah-Hartman , "tytso@mit.edu" Subject: Re: Sealed memfd & no-fault mmap Message-ID: References: <7718ec5b-0a9e-ffa6-16f2-bc0b6afbd9ab@gmail.com> <80c87e6b-6050-bf23-2185-ded408df4d0f@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 03, 2021 at 01:14:47PM +0000, Simon Ser wrote: > On Saturday, May 29th, 2021 at 10:15 PM, Hugh Dickins wrote: > > > And IIUC it would have to be the recipient (Wayland compositor) doing > > the NOFAULT business, because (going back to the original mail) we are > > only considering this so that Wayland might satisfy clients who predate > > or refuse Linux-only APIs. So, an ioctl (or fcntl, as sealing chose) > > at the client end cannot be expected; and could not be relied on anyway. > > Yes, that is correct. > > > NOFAULT? Does BSD use "fault" differently, and in Linux terms we > > would say NOSIGBUS to mean the same? > > > > Can someone point to a specification of BSD's __MAP_NOFAULT? > > Searching just found me references to bugs. > > __MAP_NOFAULT isn't documented, sadly. The commit that introduces the > flag [1] is the best we're going to get, I think. > > > What mainly worries me about the suggestion is: what happens to the > > zero page inserted into NOFAULT mappings, when later a page for that > > offset is created and added to page cache? > > Not 100% sure exactly this means what I think it means, but from my PoV, > it's fine if the contents of an expanded shm file aren't visible from the > process that has mapped it with MAP_NOFAULT/MAP_NOSIGBUS. In other words, > it's fine if: > > - The client sets up a 1KiB shm file and sends it to the compositor. > - The compositor maps it with MAP_NOFAULT/MAP_NOSIGBUS. > - The client expands the file to 2KiB and writes interesting data in it. > - The compositor still sees zeros past the 1KiB mark. The compositor needs > to unmap and re-map the file to see the data past the 1KiB mark. > > If the MAP_NOFAULT/MAP_NOSIGBUS flag only affects the mapping itself and > nothing else, this should be fine? This is going to operate at a page boundary, so the example you gave will work. How about this: - The client sets up a 1KiB shm file and sends it to the compositor. - The client expands the file to 5KiB - The compositor sees the new data up to 4KiB but zeroes past the 4KiB mark. Does that still make userspace happy?