Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2748458rwd;
        Fri, 19 May 2023 09:38:41 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ6z56+9ujVFSn0xUFbKOae6loSyM0v2Ef3//PCj+LNshm1sUX6ISi6MvHEsEU+ftwP8ZpN9
X-Received: by 2002:a17:902:fe18:b0:1aa:e5cd:6478 with SMTP id g24-20020a170902fe1800b001aae5cd6478mr3281215plj.58.1684514321250;
        Fri, 19 May 2023 09:38:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684514321; cv=none;
        d=google.com; s=arc-20160816;
        b=ngQgHBVHVASZp6fSlcBxkCtYuPJMBizDhZJKRoaAVgeXSbnYSuLP0hjyyoFAHkokSh
         wUg1SDbfiEZUzh/PXWjQWK1sHYSt1DnjGwLOxtZi0PFgZedJMeb468jXhEKsI0cktwl4
         vkh/DFG3PAblariPbc/2KpUn2lxL2dYjhEzPTYx7zDhL7y7MjskkIZgtIfF2kQpoeFmn
         8ltPj4oifm2ILoE/cGTd9kDSZMzRLUBj03NaowV0JzJkxSv5v5TgozzjmslxeMrKxHOu
         qxH8Hy0jmR0C/imVuUEwf9J/5DOujpSzNw5/XJz403pxU8h382rVZaTPaHD7uKfEsoxU
         7YBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=PhXJXT80hjlIVA8C9efdiNr9myekTSBO7D5CbfC3JCw=;
        b=a27psaya/LvFPbn6cnsPolcmkmig5RVQ9F62VeL78zFIcvbGexDpvnnxhTzB7NEoCl
         koP9QRofE9N6hXOoYsSO3ho/7CeRHBaKxqfHnsVnF2W+qdVTL/XYqLnPmE252GwQWC80
         HJwcJggwy4vsY9jy+Q3uRa75+Jm1GWEt5FKHNeYSRZ2nPoixMC6sNzjgDD9rGiWklJT/
         p/ePmB30wGBgB8zDawHzzd3uRxnufsJate/JGcLESuzBbla0ozWjqHPzxtSM7t5R5mjS
         RflBs3rz+Z3afuEKsqp4EvXZy6aAqPnnWcc8yih/gh/QhZ3YK4BDAEQpbHV98l7pDptv
         x+dA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=IVXVk9u2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i5-20020a17090332c500b001ae6b1c3fb6si3849012plr.470.2023.05.19.09.38.20;
        Fri, 19 May 2023 09:38:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=IVXVk9u2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230247AbjESQVY (ORCPT <rfc822;a225855305@gmail.com> + 99 others);
        Fri, 19 May 2023 12:21:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49230 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230097AbjESQVT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 May 2023 12:21:19 -0400
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 545A1FB
        for <linux-kernel@vger.kernel.org>; Fri, 19 May 2023 09:20:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1684513229;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=PhXJXT80hjlIVA8C9efdiNr9myekTSBO7D5CbfC3JCw=;
        b=IVXVk9u2A1sivGIu24gmKXniGfrefnhsKok5PlbFuo7BBSg3pMDuWR9f2e2Hyg6YdlO1ce
        jypmB/ct2SROQJNuidIh1eHbnZMT9XoS9RmTPUJjDPHXADqsW906jzsGV0JkIQ19hAnu2V
        LzvCjgGDk31Gu75AQOUs/3QpB33h1hk=
Received: from mail-qv1-f69.google.com (mail-qv1-f69.google.com
 [209.85.219.69]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-520-w3cQwlMJNqWeUzClxZH3Yg-1; Fri, 19 May 2023 12:20:28 -0400
X-MC-Unique: w3cQwlMJNqWeUzClxZH3Yg-1
Received: by mail-qv1-f69.google.com with SMTP id 6a1803df08f44-623a54565e6so839076d6.0
        for <linux-kernel@vger.kernel.org>; Fri, 19 May 2023 09:20:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1684513228; x=1687105228;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=PhXJXT80hjlIVA8C9efdiNr9myekTSBO7D5CbfC3JCw=;
        b=d+AyxF1mG2iyRZwiQYb0X5DeUbFC1ay1XiK8UR6SXvytny4FNgY2PBvI9z7HO8XAzM
         bGNciqzP6MDj4cmpdr94vafDyCtqCdKC2o5vjqWpWbo96gWkGkBBLpdyw4YtdxfbiJFN
         cwl0ZntHVTat1ty3YtK+NDW7uEJMDUfEKJpW67/TYt+4Naw/HoAwJKlbC4lFsxsHPqvX
         LHyD5Di42mui4mjJSFpkeF7lDOQKa+QU5eWskpEVvgHTlmePiPnrUxbqKqWRoEHMl3yN
         khbZdDc0zyLSq9GxkiloduPNWprepjXBsW/Kw+uzERBRK7m2vkZQwGFZQIiAkS1GmjzY
         HVCQ==
X-Gm-Message-State: AC+VfDwXZdExis1CWpL8ETzZgKf7FBUxFhujlW4NTEZ7d8iRa6OLGIi5
        Ow/YvWhPgR1KJ+sXn5WSP1nL76S0ExBq6Ax2eO7A2mCg098VeZL14+qq+tvxTo9d1veYeDQf/B5
        PUnlQKnATYY4OlPvjnzqY3B8F
X-Received: by 2002:a05:6214:4009:b0:5ed:c96e:ca4a with SMTP id kd9-20020a056214400900b005edc96eca4amr5184453qvb.1.1684513227859;
        Fri, 19 May 2023 09:20:27 -0700 (PDT)
X-Received: by 2002:a05:6214:4009:b0:5ed:c96e:ca4a with SMTP id kd9-20020a056214400900b005edc96eca4amr5184405qvb.1.1684513227530;
        Fri, 19 May 2023 09:20:27 -0700 (PDT)
Received: from x1n (bras-base-aurron9127w-grc-62-70-24-86-62.dsl.bell.ca. [70.24.86.62])
        by smtp.gmail.com with ESMTPSA id z24-20020a05620a101800b00751517fd46esm1211930qkj.26.2023.05.19.09.20.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 19 May 2023 09:20:26 -0700 (PDT)
Date:   Fri, 19 May 2023 12:20:25 -0400
From:   Peter Xu <peterx@redhat.com>
To:     Jiaqi Yan <jiaqiyan@google.com>
Cc:     Axel Rasmussen <axelrasmussen@google.com>,
        David Hildenbrand <david@redhat.com>,
        James Houghton <jthoughton@google.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Andrew Morton <akpm@linux-foundation.org>,
        Christian Brauner <brauner@kernel.org>,
        Hongchen Zhang <zhanghongchen@loongson.cn>,
        Huang Ying <ying.huang@intel.com>,
        "Liam R. Howlett" <Liam.Howlett@oracle.com>,
        Miaohe Lin <linmiaohe@huawei.com>,
        "Mike Rapoport (IBM)" <rppt@kernel.org>,
        Nadav Amit <namit@vmware.com>,
        Naoya Horiguchi <naoya.horiguchi@nec.com>,
        Shuah Khan <shuah@kernel.org>,
        ZhangPeng <zhangpeng362@huawei.com>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-mm@kvack.org, linux-kselftest@vger.kernel.org,
        Anish Moorthy <amoorthy@google.com>
Subject: Re: [PATCH 1/3] mm: userfaultfd: add new UFFDIO_SIGBUS ioctl
Message-ID: <ZGehyTCtAtTneiE8@x1n>
References: <20230511182426.1898675-1-axelrasmussen@google.com>
 <CADrL8HXFiTL-RDnETS2BUg_qH8CvcCMZiX-kutsrS1-8Uy25=w@mail.gmail.com>
 <ZGVRUeCWr8209m8d@x1n>
 <ZGVTMnVKNcQDM0x4@x1n>
 <CAJHvVcgXynHcuoS6eCfOAB2SgzqYy_zMGrRMR2kFuxOtSdUwvQ@mail.gmail.com>
 <CACw3F52MNOVv6KA5n7wRYDT2ujwYkco=aYngbo-zGA3zW1yq+w@mail.gmail.com>
 <ZGZMtK6PzoTuLZ1b@x1n>
 <CAJHvVcgcYPu-G3RDVrkrM_J48NUiUY0SH0G1sd+=X9BDgnQEuQ@mail.gmail.com>
 <32fdc2c8-b86b-92f3-1d5e-64db6be29126@redhat.com>
 <CACw3F50qvf13-fUx4XrL1jkhbo2mQ5sPV=E_i7_Gt2NaWXJfnQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CACw3F50qvf13-fUx4XrL1jkhbo2mQ5sPV=E_i7_Gt2NaWXJfnQ@mail.gmail.com>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi, Jiaqi,

On Fri, May 19, 2023 at 08:04:09AM -0700, Jiaqi Yan wrote:
> I don't think CAP_ADMIN is something we can work around: a VMM must be
> a good citizen to avoid introducing any vulnerability to the host or
> guest.
> 
> On the other hand, "Userfaults allow the implementation of on-demand
> paging from userland and more generally they allow userland to take
> control of various memory page faults, something otherwise only the
> kernel code could do." [3]. I am not familiar with the UFFD internals,
> but our use case seems to match what UFFD wants to provide: without
> affecting the whole world, give a specific userspace (without
> CAP_ADMIN) the ability to handle page faults (indirectly emulate a
> HWPOISON page (in my mind I treat it as SetHWPOISON(page) +
> TestHWPOISON(page) operation in kernel's PF code)). So is it fair to
> say what Axel provided here is "provide !ADMIN somehow"?
> 
> [3]https://docs.kernel.org/admin-guide/mm/userfaultfd.html

Userfault keywords on "user", IMHO.  We don't strictly need userfault to
resolve anything regarding CAP_ADMIN problems.  MADV_DONTNEED also dosn't
need CAP_ADMIN, same to any new madvise() if we want to make it useful for
injecting poisoned ptes with !ADMIN and limit it within current->mm.

But I think you're right that userfaultfd always tried to avoid having
ADMIN and keep everything within its own scope of permissions.

So again, totally no objection on make it uffd specific for now if you guys
are all happy with it, but just to be clear that it's (to me) mostly for
avoiding another WAKE, and afaics that's not really for solving the ADMIN
issue here.

Thanks,

-- 
Peter Xu