On Wed, Mar 11, 2026 at 10:15:12AM +0100, David Hildenbrand (Arm) wrote: > On 3/9/26 15:29, Jason Gunthorpe wrote: > > On Fri, Feb 27, 2026 at 09:08:47PM +0100, David Hildenbrand (Arm) wrote: > >> There is demand for also zapping page table entries by drivers in > >> VM_MIXEDMAP VMAs[1]. > >> > >> Nothing really speaks against supporting VM_MIXEDMAP for driver use. We > >> just don't want arbitrary drivers to zap in ordinary (non-special) VMAs. > >> > >> [1] https://lore.kernel.org/r/[email protected] > > > > Are we sure about this? > > Yes, I don't think relaxing this for drivers to use it on VM_MIXEDMAP is > a problem. > > > > > This whole function seems like a hack to support drivers that are not > > using an address_space. > > I assume, then using > unmap_mapping_folio()/unmap_mapping_pages()/unmap_mapping_range() instead. > > > > > I say that as one of the five driver authors who have made this > > mistake. > > > > The locking to safely use this function is really hard to do properly, > > IDK if binder can shift to use address_space ?? > I cannot really tell. > > Skimming over the code, it looks like it really always handles "single > VMA" stuff ("Since a binder_alloc can only be mapped once, we ensure the > vma corresponds to this mapping by checking whether the binder_alloc is > still mapped"), which makes the locking rather trivial. > > It does seem to mostly allocate/free pages in a single VMA, where I > think the existing usage of zap_vma_range() makes sense. > > So I'm not sure if using address_space would really be an improvement there. > > Having that said, maybe binder folks can be motivated to look into that. > But I would consider that future work.
It doesn't really make sense to have multiple binder VMAs. What happens with Rust Binder is that process A is receiving transactions and has the VMA mapped once. * Process B sends a transaction to process A, and the ioctl (running in process B) will memcpy the message to A directly into the pages of A's VMA. * Then, B wakes up A, which causes A to return from the receive ioctl. * The return value of the receive ioctl is a pointer, which points somewhere inside A's VMA to the location containing the message from B. * Process A will deref the pointer to read the message from B. * Once Process A is done handling the transaction, it invokes another ioctl to tell the kernel that it is done with this transaction, that is, it is not safe for the kernel to reuse that subset of the VMA for new incoming transactions. When Binder returns from its ioctl and gives you a pointer, it needs to know where the VMA is mapped, because otherwise it can't really give you a pointer into the VMA. It's generally not safe for userspace to touch its Binder VMA unless it has been told that there is a message there. Pages that do not contain any messages may be entirely missing, and trying to read them leads to segfault. (Though such pages may also be present if there was previously a message in the page. The unused pages are kept around to reuse them for future messages, unless there is memory pressure.) Alice
