feat: enable write-protection on guest memory

bchalios · bchalios · commit 61fdd9d688ad · 2026-02-12T14:51:29.000-08:00
UFFD provides an API to enable write-protection for memory ranges tracked by a userfault file descriptor. Detailed information can be found here: https://docs.kernel.org/admin-guide/mm/userfaultfd.html. To use the feature, users need to register the memory region with UFFDIO_REGISTER_MODE_WP. Then, users need to enable explicitly write-protection for sub-ranges of the registered region. Writes in pages within write-protected memory ranges can be handled in one of two ways. In synchronous mode, writes in a protected page will cause kernel to send a write protection event over the userfaultfd. In asynchronous mode, the kernel will automatically handle writes to protected pages by clearing the write-protection bit. Userspace can later observe the write protection bit by looking into the corresponding entry of /proc/<pid>/pagemap. This commit, uncoditionally, enables write protection for guest memory using the asynchronous mode. !NOTE!: asynchronous write protection requires (host) kernel version 6.7 or later). Signed-off-by: Babis Chalios <babis.chalios@e2b.dev>
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/vmm/Cargo.toml b/src/vmm/Cargo.toml
@@ -47,7 +47,11 @@ serde_json = "1.0.145"
 slab = "0.4.11"
 thiserror = "2.0.17"
 timerfd = "1.5.0"
-userfaultfd = "0.9.0"
+userfaultfd = { git = "https://github.com/e2b-dev/userfaultfd-rs", branch = "feat_write_protection", features = [
+  "linux5_7",
+  "linux5_13",
+  "linux6_7"
+] }
 utils = { path = "../utils" }
 uuid = "1.18.1"
 vhost = { version = "0.15.0", features = ["vhost-user-frontend"] }
diff --git a/src/vmm/src/lib.rs b/src/vmm/src/lib.rs
@@ -795,7 +795,8 @@ impl Vmm {
             // Use mincore_bitmap to get resident pages at guest page size granularity
             let resident_bitmap = vstate::vm::mincore_bitmap(base_addr as *mut u8, len, page_size)?;
 
-            // TODO: if we don't support UFFD/async WP, we can completely skip this bit. For the
+            // TODO: if we don't support UFFD/async WP, we can completely skip this bit, as the
+            // UFFD handler already tracks dirty pages through the WriteProtected events. For the
             // time being, we always do.
             //
             // Build dirty bitmap: check pagemap only for pages that mincore reports resident.
diff --git a/src/vmm/src/persist.rs b/src/vmm/src/persist.rs
@@ -14,7 +14,7 @@ use std::sync::{Arc, Mutex};
 
 use semver::Version;
 use serde::{Deserialize, Serialize};
-use userfaultfd::{FeatureFlags, Uffd, UffdBuilder};
+use userfaultfd::{FeatureFlags, RegisterMode, Uffd, UffdBuilder};
 use vmm_sys_util::sock_ctrl_msg::ScmSocket;
 
 #[cfg(target_arch = "aarch64")]
@@ -483,6 +483,8 @@ pub enum GuestMemoryFromUffdError {
     Create(userfaultfd::Error),
     /// Failed to register memory address range with the userfaultfd object: {0}
     Register(userfaultfd::Error),
+    /// Failed to enable write protection on memory address range with the userfaultfd object: {0}
+    WriteProtect(userfaultfd::Error),
     /// Failed to connect to UDS Unix stream: {0}
     Connect(#[from] std::io::Error),
     /// Failed to sends file descriptor: {0}
@@ -504,7 +506,9 @@ fn guest_memory_from_uffd(
     // because the only place the kernel checks this is in a hook from madvise, e.g. it doesn't
     // actively change the behavior of UFFD, only passively. Without balloon devices
     // we never call madvise anyway, so no need to put this into a conditional.
-    uffd_builder.require_features(FeatureFlags::EVENT_REMOVE);
+    uffd_builder.require_features(
+        FeatureFlags::EVENT_REMOVE | FeatureFlags::MISSING_HUGETLBFS | FeatureFlags::WP_ASYNC,
+    );
 
     let uffd = uffd_builder
         .close_on_exec(true)
@@ -514,8 +518,22 @@ fn guest_memory_from_uffd(
         .map_err(GuestMemoryFromUffdError::Create)?;
 
     for mem_region in guest_memory.iter() {
-        uffd.register(mem_region.as_ptr().cast(), mem_region.size() as _)
-            .map_err(GuestMemoryFromUffdError::Register)?;
+        uffd.register_with_mode(
+            mem_region.as_ptr().cast(),
+            mem_region.size() as _,
+            RegisterMode::MISSING | RegisterMode::WRITE_PROTECT,
+        )
+        .map_err(GuestMemoryFromUffdError::Register)?;
+
+        // If memory is backed by huge pages, we can immediately write protect it.
+        // Otherwise (memory is backed by anonymous memory), write protecting here
+        // won't have any effect, as the write-protection bit for a bitwill be
+        // wiped when the first page fault occurs. These cases need to be handled
+        // directly from the UFFD handler.
+        if huge_pages.is_hugetlbfs() {
+            uffd.write_protect(mem_region.as_ptr().cast(), mem_region.size() as _)
+                .map_err(GuestMemoryFromUffdError::WriteProtect)?;
+        }
     }
 
     send_uffd_handshake(mem_uds_path, &backend_mappings, &uffd)?;
