From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28012C433B4 for ; Tue, 27 Apr 2021 08:25:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EBC2B613B4 for ; Tue, 27 Apr 2021 08:25:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235043AbhD0IZ5 (ORCPT ); Tue, 27 Apr 2021 04:25:57 -0400 Received: from mail2.protonmail.ch ([185.70.40.22]:29285 "EHLO mail2.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235028AbhD0IZz (ORCPT ); Tue, 27 Apr 2021 04:25:55 -0400 Date: Tue, 27 Apr 2021 08:24:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emersion.fr; s=protonmail3; t=1619511910; bh=4HSy2peeOUh+Sk0/LYpC/GuLIdId71wOZKqgB55PQe8=; h=Date:To:From:Cc:Reply-To:Subject:From; b=IH1gMJIkBL6Rq7XG2TuitQx8L+5vdyeKrcgfGpQugBovC9zRchEZQ+5VydqO6BanU 4rYc2FNQAIOIZgJI3LLEfKbwLAG9uKoI5fLXKbbFonuquWKKeqI2Hf92z63xoB2X0U SQBS0sb2jDbym2sB5fUt/RJ0zTBRygDuf+p2KdW878rylJ8DDyuwOX1lgsLkMSwlbi gs9mgQ5UU1TRtcHY9iVQgz+TZJyBWO0JV+DoJZPuLpuymKRlPymkmm6QhYMeUQv/db QpyrapM5OY53c4g+vZHEjSOScTVjdbfsL2EAGcVLJYfVA+A2RbanplJ5/xgegDfx3s gSPEE4BBkDs+Q== To: Linux Kernel Mailing List From: Simon Ser Cc: David Herrmann , "linux-mm@kvack.org" , Greg Kroah-Hartman , Linus Torvalds , "tytso@mit.edu" Reply-To: Simon Ser Subject: Sealed memfd & no-fault mmap Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi all, I'm a user-space developer working on Wayland compositors. Back in 2014, David Herrmann has posted a patchset [1] to introduce memfd and file sealing. The patchset reads: > 1) Graphics Compositors > If a graphics client creates a memory-backed render-buffer and passe= s a > file-decsriptor to it to the graphics server for display, the server > _has_ to setup SIGBUS handlers whenever mapping the given file. Othe= rwise, > the client might run ftruncate() or O_TRUNC on the on file in parall= el, > thus crashing the server. > With sealing, a compositor can reject any incoming file-descriptor t= hat > does _not_ have SEAL_SHRINK set. This way, any memory-mappings are > guaranteed to stay accessible. Furthermore, we still allow clients t= o > increase the buffer-size in case they want to resize the render-buff= er for > the next frame. We also allow parallel writes so the client can rend= er new > frames into the same buffer (client is responsible of never renderin= g into > a front-buffer if you want to avoid artifacts). > > Real use-case: Wayland wl_shm buffers can be transparently converted Fast-forward to 7 years later, and notice that there doesn't exist a single Wayland compositor that enforces file sealing for its clients. The reason is that there will always exist clients which are either old (and predate file sealing) or refuse to use Linux-only APIs (they don't use memfd and file sealing, instead they use e.g. shm_open). Requiring sealed memfds in compositors would break these clients. I don't believe the situation is about to change. Rather than requiring changes in all compositors *and* clients, can we maybe only require changes in compositors? For instance, OpenBSD has a __MAP_NOFAULT flag. When passed to mmap, it means that out-of-bound accesses will read as zeroes instead of triggering SIGBUS. Such a flag would be very helpful to unblock the annoying SIGBUS situation. Would something among these lines be welcome in the Linux kernel? Thanks, Simon [1]: https://lwn.net/Articles/591108/