Re: [PATCH v7 3/3] mm: add a field to store names for private anonymous memory

From: Dave Hansen <dave.hansen@intel.com>
To: Kees Cook <keescook@chromium.org>,
	Sumit Semwal <sumit.semwal@linaro.org>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	"Alexey Dobriyan" <adobriyan@gmail.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
	"Michal Hocko" <mhocko@suse.com>,
	"Colin Cross" <ccross@google.com>,
	"Alexey Gladkov" <gladkov.alexey@gmail.com>,
	"Matthew Wilcox" <willy@infradead.org>,
	"Jason Gunthorpe" <jgg@ziepe.ca>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	"Michel Lespinasse" <walken@google.com>,
	"Michal Koutný" <mkoutny@suse.com>,
	"Song Liu" <songliubraving@fb.com>,
	"Huang Ying" <ying.huang@intel.com>,
	"Vlastimil Babka" <vbabka@suse.cz>,
	"Yang Shi" <yang.shi@linux.alibaba.com>,
	chenqiwu <chenqiwu@xiaomi.com>,
	"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
	"John Hubbard" <jhubbard@nvidia.com>,
	"Mike Christie" <mchristi@redhat.com>,
	"Bart Van Assche" <bvanassche@acm.org>,
	"Amit Pundir" <amit.pundir@linaro.org>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"Christian Brauner" <christian.brauner@ubuntu.com>,
	"Daniel Jordan" <daniel.m.jordan@oracle.com>,
	"Adrian Reber" <areber@redhat.com>,
	"Nicolas Viennot" <Nicolas.Viennot@twosigma.com>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	linux-fsdevel@vger.kernel.org,
	"John Stultz" <john.stultz@linaro.org>,
	"Pekka Enberg" <penberg@kernel.org>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Ingo Molnar" <mingo@kernel.org>,
	"Oleg Nesterov" <oleg@redhat.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	"Jan Glauber" <jan.glauber@gmail.com>,
	"Rob Landley" <rob@landley.net>,
	"Cyrill Gorcunov" <gorcunov@openvz.org>,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	"David Rientjes" <rientjes@google.com>,
	"Hugh Dickins" <hughd@google.com>,
	"Rik van Riel" <riel@redhat.com>, "Mel Gorman" <mgorman@suse.de>,
	"Tang Chen" <tangchen@cn.fujitsu.com>,
	"Robin Holt" <holt@sgi.com>, "Shaohua Li" <shli@fusionio.com>,
	"Sasha Levin" <sasha.levin@oracle.com>,
	"Johannes Weiner" <hannes@cmpxchg.org>,
	"Minchan Kim" <minchan@kernel.org>
Subject: Re: [PATCH v7 3/3] mm: add a field to store names for private anonymous memory
Date: Thu, 3 Sep 2020 11:09:16 -0700	[thread overview]
Message-ID: <393be893-6379-8adb-217c-4064f5052702@intel.com> (raw)
In-Reply-To: <202009031031.D32EF57ED@keescook>

On 9/3/20 11:00 AM, Kees Cook wrote:
> Why is a kernel-copied string insufficient for this? I don't think VMA
> merging is a fast-path operation, so doing a strcmp isn't going to wreck
> anything...
> 
> Let me try to find the earlier thread with Dave Hansen... okay, found it:
> https://lore.kernel.org/linux-mm/51DDF071.5000309@intel.com/
> 
> Right, so, this idea predates userfaultfd. :)
> 
> More notes below, but I *really* think this should not be a userspace
> pointer. And since a separate union has been found, let's just do a
> strndup_user() for the name, validate it as containing only printable
> characters without \n \r \v \f and move the merging logic into a
> separate patch.

FWIW, I don't have any objections to this.

Refcounting strings was what I think I had the strongest reaction to
back in the good old days of 2013.  strdup() on split plus strcmp() on
merge doesn't sound afwul to me, and it is darn straightforward.  The
biggest downside is probably kernel memory consumption.  We should
probably just think through whether having so many duplicates changes
things materially.

For instance, should/could we penalize a task's vm.max_map_count when
it's using this mechanism?