Userfaultfd – Create a file descriptor for handling page faults in user space (opens in new tab)

(man7.org)

62 pointsphab4y ago15 comments

15 comments

One of my favorite examples of userfaultfd: transparently mapping databases on cloud storage into RAM.

https://tech.nextroll.com/blog/data/2016/11/29/traildb-mmap-...

Could something like this enable SSI distributed computing entirely in user space? Is it practical to run some sort of distributed shared memory, relying on user-managed page faults to ensure coherence?

vtuulos4y ago

Thanks for sharing! I am still proud of this hack :)

Retr0id4y ago

A fun application of userfaultfd:

https://github.com/whitequark/unfork

Past discussions of unfork:

https://news.ycombinator.com/item?id=21394678

https://news.ycombinator.com/item?id=27287930

rwmj4y ago

It's a great feature, but it had a few unintended side-effects:

https://lwn.net/Articles/819834/ "Blocking userfaultfd() kernel-fault handling" (patches to fix a security issue, more detail in https://duasynt.com/blog/linux-kernel-heap-spray)

https://lwn.net/Articles/849876/ "Patching until the COWs come home" (complicated interaction with copy-on-write)

mattgreenrocks4y ago

Possibly dumb question, but if I have some code that tries to blindly jump to, say, address 0x4000, would userfaultfd let me redirect accesses to 0x4000 to an address I've allocated elsewhere?

kentonv4y ago

Sort of, but not exactly. You can't redirect the program to a different address, but you can respond to the fault by mapping memory at address 0x4000 and placing whatever you want in it. Perhaps, you can map the memory as an alias of some other page, so that they refer to the same underlying physical memory. But the program will still see the memory as living at 0x4000, it won't jump to a different address. (Though I suppose if you're specifically thinking of the instruction pointer faulting at 0x4000, you could respond by filling in that address with a jump instruction jumping to the address of your choice...)

To map memory at a specific address, you use mmap() with the MAP_FIXED flag. This lets you tell the kernel: "Please put these pages at this virtual address, replacing what's already there."

Note that userfaultfd is not the only way to detect and handle faults. You can also register a signal handler for SIGSEGV. The signal handler function receives information from the kernel specifying what address caused the fault. If, in the signal handler, you use mmap() to map memory at that address, and then return, the program will continue as if nothing happened.

userfaultfd allows you to do the same but from a different thread or process. The SIGSEGV signal handler would actually run inside the thread that faulted, but with userfaultfd the faulting thread pauses and some other thread or process receives the notification.

kragen4y ago

I think specifically for 0x4000 you can't map anything there with a default Linux kernel configuration. The minimum address where you can map things now is 0x10000. This broke my StoneKnifeForth and Max Bernstein fixed it: https://github.com/tekknolagi/stoneknifecpp/commit/905105b44...

2 more replies

mattgreenrocks4y ago

Thank you for in-depth answer! It was partially motivated by seeing if userfaultfd could work around mmap_min_addr (it can’t) and partially to see if it is possible to use it to use it for things like emulation.

10000truths4y ago

You don't need userfaultfd for that. Just mmap the same file twice, at different addresses:

    int mem_fd = memfd_create("", 0);
    ftruncate(fd, 4096);
    void* mem = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, mem_fd, 0);
    void* alias = mmap((void*) 0x4000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, mem_fd, 0);
    close(mem_fd);
    // alias now points to the same physical memory as mem

This is commonly used to create ring buffers that wrap around transparently.

tsavola4y ago

Do you have a link or can you suggest search terms for an example? I can't imagine that being useful, as you have to wrap around at some point anyway.

1 more reply

j / k navigate · click thread line to collapse

15 comments

annonacct384y ago

One of my favorite examples of userfaultfd: transparently mapping databases on cloud storage into RAM.

https://tech.nextroll.com/blog/data/2016/11/29/traildb-mmap-...

zozbot2344y ago

vtuulos4y ago

Thanks for sharing! I am still proud of this hack :)

Retr0id4y ago

A fun application of userfaultfd:

https://github.com/whitequark/unfork

Past discussions of unfork:

https://news.ycombinator.com/item?id=21394678

https://news.ycombinator.com/item?id=27287930

rwmj4y ago

It's a great feature, but it had a few unintended side-effects:

https://lwn.net/Articles/819834/ "Blocking userfaultfd() kernel-fault handling" (patches to fix a security issue, more detail in https://duasynt.com/blog/linux-kernel-heap-spray)

https://lwn.net/Articles/849876/ "Patching until the COWs come home" (complicated interaction with copy-on-write)

mattgreenrocks4y ago

Possibly dumb question, but if I have some code that tries to blindly jump to, say, address 0x4000, would userfaultfd let me redirect accesses to 0x4000 to an address I've allocated elsewhere?

kentonv4y ago

To map memory at a specific address, you use mmap() with the MAP_FIXED flag. This lets you tell the kernel: "Please put these pages at this virtual address, replacing what's already there."

kragen4y ago

2 more replies

mattgreenrocks4y ago

10000truths4y ago

You don't need userfaultfd for that. Just mmap the same file twice, at different addresses:

    int mem_fd = memfd_create("", 0);
    ftruncate(fd, 4096);
    void* mem = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, mem_fd, 0);
    void* alias = mmap((void*) 0x4000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, mem_fd, 0);
    close(mem_fd);
    // alias now points to the same physical memory as mem

This is commonly used to create ring buffers that wrap around transparently.

tsavola4y ago

Do you have a link or can you suggest search terms for an example? I can't imagine that being useful, as you have to wrap around at some point anyway.

1 more reply

j / k navigate · click thread line to collapse