Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Tue, 28 Mar 2023 15:45:10 -0400
From:   Peter Xu <peterx@redhat.com>
To:     Axel Rasmussen <axelrasmussen@google.com>
Cc:     Alexander Viro <viro@zeniv.linux.org.uk>,
        Andrew Morton <akpm@linux-foundation.org>,
        linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] userfaultfd: don't fail on unrecognized features
Message-ID: <ZCNDxhANoQmgcufM@x1n>
References: <20220722201513.1624158-1-axelrasmussen@google.com>
 <ZCIEGblnsWHKF8RD@x1n>
 <CAJHvVcj5ysY-xqKLL8f48-vFhpAB+qf4cN0AesQEd7Kvsi9r_A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAJHvVcj5ysY-xqKLL8f48-vFhpAB+qf4cN0AesQEd7Kvsi9r_A@mail.gmail.com>
Precedence: bulk

On Tue, Mar 28, 2023 at 12:28:59PM -0700, Axel Rasmussen wrote:
> On Mon, Mar 27, 2023 at 2:01 PM Peter Xu <peterx@redhat.com> wrote:
> >
> > I think I overlooked this patch..
> >
> > Axel, could you explain why this patch is correct?  Comments inline.
> >
> > On Fri, Jul 22, 2022 at 01:15:13PM -0700, Axel Rasmussen wrote:
> > > The basic interaction for setting up a userfaultfd is, userspace issues
> > > a UFFDIO_API ioctl, and passes in a set of zero or more feature flags,
> > > indicating the features they would prefer to use.
> > >
> > > Of course, different kernels may support different sets of features
> > > (depending on kernel version, kconfig options, architecture, etc).
> > > Userspace's expectations may also not match: perhaps it was built
> > > against newer kernel headers, which defined some features the kernel
> > > it's running on doesn't support.
> > >
> > > Currently, if userspace passes in a flag we don't recognize, the
> > > initialization fails and we return -EINVAL. This isn't great, though.
> >
> > Why?  IIUC that's the major way for user app to detect any misconfig of
> > feature list so it can bail out early.
> >
> > Quoting from man page (ioctl_userfaultfd(2)):
> >
> > UFFDIO_API
> >        (Since Linux 4.3.)  Enable operation of the userfaultfd and perform API handshake.
> >
> >        ...
> >
> >            struct uffdio_api {
> >                __u64 api;        /* Requested API version (input) */
> >                __u64 features;   /* Requested features (input/output) */
> >                __u64 ioctls;     /* Available ioctl() operations (output) */
> >            };
> >
> >        ...
> >
> >        For Linux kernel versions before 4.11, the features field must be
> >        initialized to zero before the call to UFFDIO_API, and zero (i.e.,
> >        no feature bits) is placed in the features field by the kernel upon
> >        return from ioctl(2).
> >
> >        ...
> >
> >        To enable userfaultfd features the application should set a bit
> >        corresponding to each feature it wants to enable in the features
> >        field.  If the kernel supports all the requested features it will
> >        enable them.  Otherwise it will zero out the returned uffdio_api
> >        structure and return EINVAL.
> >
> > IIUC the right way to use this API is first probe with features==0, then
> > the kernel will return all the supported features, then the user app should
> > enable only a subset (or all, but not a superset) of supported ones in the
> > next UFFDIO_API with a new uffd.
> 
> Hmm, I think doing a two-step handshake just overcomplicates things.
> 
> Isn't it simpler to just have userspace ask for the features it wants
> up front, and then the kernel responds with the subset of features it
> actually supports? In the common case (all features were supported),
> there is nothing more to do. Userspace is free to detect the uncommon
> case where some features it asked for are missing, and handle that
> however it likes.
> 
> I think this patch is backwards compatible with the two-step approach, too.
> 
> I do agree the man page could use some work. I don't think it
> describes the two-step handshake process correctly, either. It just
> says, "ask for the features you want, and the kernel will either give
> them to you or fail". If we really did want to keep the two-step
> process, it should describe it (set features == 0 first, then ask only
> for the ones you want which are supported), and the example program
> should demonstrate it.
> 
> But, I think it's simpler to just have the kernel do what the man page
> describes. Userspace asks for the features up front, kernel responds
> with the subset that are actually supported. No need to return EINVAL
> if unsupported features were requested.

The uffdio_api.features passed into the ioctl(UFFDIO_API) should be such
request to enable features specified in the kernel.  If the kernel doesn't
support any of the features in the list, IMHO it's very natural to fail it
as described in the man page.  That's also most of the kernel apis do
afaik, by failing any enablement of features if not supported.

> 
> >
> > > Userspace doesn't have an obvious way to react to this; sure, one of the
> > > features I asked for was unavailable, but which one? The only option it
> > > has is to turn off things "at random" and hope something works.
> > >
> > > Instead, modify UFFDIO_API to just ignore any unrecognized feature
> > > flags. The interaction is now that the initialization will succeed, and
> > > as always we return the *subset* of feature flags that can actually be
> > > used back to userspace.
> > >
> > > Now userspace has an obvious way to react: it checks if any flags it
> > > asked for are missing. If so, it can conclude this kernel doesn't
> > > support those, and it can either resign itself to not using them, or
> > > fail with an error on its own, or whatever else.
> > >
> > > Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
> > > ---
> > >  fs/userfaultfd.c | 6 ++----
> > >  1 file changed, 2 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> > > index e943370107d0..4974da1f620c 100644
> > > --- a/fs/userfaultfd.c
> > > +++ b/fs/userfaultfd.c
> > > @@ -1923,10 +1923,8 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
> > >       ret = -EFAULT;
> > >       if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api)))
> > >               goto out;
> > > -     features = uffdio_api.features;
> > > -     ret = -EINVAL;
> > > -     if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES))
> > > -             goto err_out;
> >
> > What's worse is that I think you removed the only UFFD_API check.  Although
> > I'm not sure whether it'll be extended in the future or not at all (very
> > possible we keep using 0xaa forever..), but removing this means we won't be
> > able to extend it to a new api version in the future, and misconfig of
> > uffdio_api will wrongly succeed I think:
> >
> >         /* Test wrong UFFD_API */
> >         uffdio_api.api = 0xab;
> >         uffdio_api.features = 0;
> >         if (ioctl(uffd, UFFDIO_API, &uffdio_api) == 0)
> >                 err("UFFDIO_API should fail but didn't");
> 
> Agreed, we should add back the UFFD_API check - I am happy to send a
> patch for this.

Do you plan to just revert the patch?  If so, please go ahead.  IMHO we
should just follow the man page.

What I agree here is the api isn't that perfect, in that we need to create
a separate userfault file descriptor just to probe.  Currently the features
will be returned in the initial test with features=0 passed in, but it also
initializes the uffd handle even if it'll never be used but for probe only.

However since that existed in the 1st day I guess we'd better keep it
as-is.  And it's not so bad either: user app does open/close one more time,
but only once for each app's lifecycle.

Thanks,

-- 
Peter Xu