Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Content-Type: text/plain;
        charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Subject: Re: [RFC PATCH 01/14] userfaultfd: set dirty and young on
 writeprotect
From:   Nadav Amit <nadav.amit@gmail.com>
In-Reply-To: <4ad140b5-1d5b-2486-0893-7886a9cdfd76@redhat.com>
Date:   Wed, 20 Jul 2022 13:22:15 -0700
Cc:     Peter Xu <peterx@redhat.com>, Linux MM <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Mike Rapoport <rppt@linux.ibm.com>,
        Axel Rasmussen <axelrasmussen@google.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andrew Cooper <andrew.cooper3@citrix.com>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Will Deacon <will@kernel.org>, Yu Zhao <yuzhao@google.com>,
        Nick Piggin <npiggin@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <95320077-52CF-4CB0-92F9-523E1AE74A3D@gmail.com>
References: <20220718120212.3180-1-namit@vmware.com>
 <20220718120212.3180-2-namit@vmware.com> <YtcYVMoSRVxRH70Z@xz-m1.local>
 <017facf0-7ef8-3faf-138d-3013a20b37db@redhat.com>
 <Ytf+zIxVPTVXTZdp@xz-m1.local>
 <2b4393ce-95c9-dd3e-8495-058a139e771e@redhat.com>
 <YthUYF3invrjlzUc@xz-m1.local>
 <69022bad-d6f1-d830-224d-eb8e5c90d5c7@redhat.com>
 <YthcC78q1hdd7mNT@xz-m1.local>
 <4ad140b5-1d5b-2486-0893-7886a9cdfd76@redhat.com>
To:     David Hildenbrand <david@redhat.com>
Precedence: bulk

On Jul 20, 2022, at 12:55 PM, David Hildenbrand <david@redhat.com> =
wrote:

> On 20.07.22 21:48, Peter Xu wrote:
>> On Wed, Jul 20, 2022 at 09:33:35PM +0200, David Hildenbrand wrote:
>>> On 20.07.22 21:15, Peter Xu wrote:
>>>> On Wed, Jul 20, 2022 at 05:10:37PM +0200, David Hildenbrand wrote:
>>>>> For pagecache pages it may as well be *plain wrong* to bypass the =
write
>>>>> fault handler and simply mark pages dirty+map them writable.
>>>>=20
>>>> Could you elaborate?
>>>=20
>>> Write-fault handling for some filesystems (that even require this
>>> "slow path") is a bit special.
>>>=20
>>> For example, do_shared_fault() might have to call page_mkwrite().
>>>=20
>>> AFAIK file systems use that for lazy allocation of disk blocks.
>>> If you simply go ahead and map a !dirty pagecache page writable
>>> and mark it dirty, it will not trigger page_mkwrite() and you might
>>> end up corrupting data.
>>>=20
>>> That's why we the old change_pte_range() code never touched
>>> anything if the pte wasn't already dirty.
>>=20
>> I don't think that pte_dirty() check was for the pagecache code. For =
any fs
>> that has page_mkwrite() defined, it'll already have =
vma_wants_writenotify()
>> return 1, so we'll never try to add write bit, hence we'll never even =
try
>> to check pte_dirty().
>=20
> I might be too tired, but the whole reason we had this magic before my
> commit in place was only for the pagecache.
>=20
> With vma_wants_writenotify()=3D0 you can directly map the pages =
writable
> and don't have to do these advanced checks here. In a writable
> MAP_SHARED VMA you'll already have pte_write().
>=20
> We only get !pte_write() in case we have vma_wants_writenotify()=3D1 =
...
>=20
>  try_change_writable =3D vma_wants_writenotify(vma, =
vma->vm_page_prot);
>=20
> and that's the code that checked the dirty bit after all to decide --
> amongst other things -- if we can simply map it writable without going
> via the write fault handler and triggering do_shared_fault() .
>=20
> See crazy/ugly FOLL_FORCE code in GUP that similarly checks the dirty =
bit.

I thought you want to get rid of it at least for anonymous pages. No?

>=20
> But yeah, it's all confusing so I might just be wrong regarding
> pagecache pages.

Just to note: I am not very courageous and I did not intend to change
condition for when non-anonymous pages are set as writable. That=E2=80=99s=
 the
reason I did not change the dirty for non-writable non-anonymous entries =
(as
Peter said). And that=E2=80=99s the reason that setting the dirty bit =
(at least as I
should have done it) is only performed after we made the decision on the
write-bit.

IOW, after you made your decision about the write-bit, then and only =
then
you may be able to set the dirty bit for writable entries. Since the =
entry
is already writeable (i.e., can be written without a fault later =
directly
from userspace), there should be no concern of correctness when you set =
it.