Date: Fri, 19 May 2023 12:20:25 -0400
From: Peter Xu
To: Jiaqi Yan
Cc: Axel Rasmussen, David Hildenbrand, James Houghton, Alexander Viro, Andrew Morton, Christian Brauner, Hongchen Zhang, Huang Ying, "Liam R. Howlett", Miaohe Lin, "Mike Rapoport (IBM)", Nadav Amit, Naoya Horiguchi, Shuah Khan, ZhangPeng, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, Anish Moorthy
Subject: Re: [PATCH 1/3] mm: userfaultfd: add new UFFDIO_SIGBUS ioctl

Hi, Jiaqi,

On Fri, May 19, 2023 at 08:04:09AM -0700, Jiaqi Yan wrote:
> I don't think CAP_ADMIN is something we can work around: a VMM must be
> a good citizen to avoid introducing any vulnerability to the host or
> guest.
>
> On the other hand, "Userfaults allow the implementation of on-demand
> paging from userland and more generally they allow userland to take
> control of various memory page faults, something otherwise only the
> kernel code could do." [3]. I am not familiar with the UFFD internals,
> but our use case seems to match what UFFD wants to provide: without
> affecting the whole world, give a specific userspace (without
> CAP_ADMIN) the ability to handle page faults (indirectly emulate a
> HWPOISON page (in my mind I treat it as SetHWPOISON(page) +
> TestHWPOISON(page) operation in kernel's PF code)). So is it fair to
> say what Axel provided here is "provide !ADMIN somehow"?
>
> [3]https://docs.kernel.org/admin-guide/mm/userfaultfd.html

Userfault keywords on "user", IMHO.
We don't strictly need userfault to resolve anything regarding CAP_ADMIN
problems. MADV_DONTNEED also doesn't need CAP_ADMIN, same to any new
madvise() if we want to make it useful for injecting poisoned ptes with
!ADMIN and limit it within current->mm.

But I think you're right that userfaultfd always tried to avoid having
ADMIN and keep everything within its own scope of permissions.

So again, totally no objection on making it uffd specific for now if you
guys are all happy with it, but just to be clear that it's (to me) mostly
for avoiding another WAKE, and afaics that's not really for solving the
ADMIN issue here.

Thanks,

--
Peter Xu