linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@kernel.org>
To: Igor Stoppa <igor.stoppa@huawei.com>
Cc: Laura Abbott <labbott@redhat.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	"kernel-hardening@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>
Subject: Re: RFC v2: post-init-read-only protection for data allocated dynamically
Date: Wed, 10 May 2017 10:05:43 +0200	[thread overview]
Message-ID: <20170510080542.GF31466@dhcp22.suse.cz> (raw)
In-Reply-To: <0b55343e-4305-a9f1-2b17-51c3c734aea6@huawei.com>

On Fri 05-05-17 13:42:27, Igor Stoppa wrote:
> On 04/05/17 19:49, Laura Abbott wrote:
> > [adding kernel-hardening since I think there would be interest]
> 
> thank you, I overlooked this
> 
> 
> > BPF takes the approach of calling set_memory_ro to mark regions as
> > read only. I'm certainly over simplifying but it sounds like this
> > is mostly a mechanism to have this happen mostly automatically.
> > Can you provide any more details about tradeoffs of the two approaches?
> 
> I am not sure I understand the question ...
> For what I can understand, the bpf is marking as read only something
> that spans across various pages, which is fine.
> The payload to be protected is already organized in such pages.
> 
> But in the case I have in mind, I have various, heterogeneous chunks of
> data, coming from various subsystems, not necessarily page aligned.
> And, even if they were page aligned, most likely they would be far
> smaller than a page, even a 4k page.

This aspect of various sizes makes the SLAB allocator not optimal
because it operates on caches (pools of pages) which manage objects of
the same size. You could use the maximum size of all objects and waste
some memory but you would have to know this max in advance which would
make this approach less practical. You could create more caches of
course but that still requires to know those sizes in advance.

So it smells like a dedicated allocator which operates on a pool of
pages might be a better option in the end. This depends on what you
expect from the allocator. NUMA awareness? Very effective hotpath? Very
good fragmentation avoidance? CPU cache awareness? Special alignment
requirements? Reasonable free()? Etc...

To me it seems that this being an initialization mostly thingy a simple
allocator which manages a pool of pages (one set of sealed and one for
allocations) and which only appends new objects as they fit to unsealed
pages would be sufficient for starter.
-- 
Michal Hocko
SUSE Labs

  parent reply	other threads:[~2017-05-10  8:05 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-03 12:06 RFC v2: post-init-read-only protection for data allocated dynamically Igor Stoppa
     [not found] ` <70a9d4db-f374-de45-413b-65b74c59edcb@intel.com>
2017-05-04  8:17   ` Igor Stoppa
2017-05-04 14:30     ` Dave Hansen
2017-05-05  8:53       ` Igor Stoppa
2017-05-04 11:21 ` Michal Hocko
2017-05-04 12:14   ` Igor Stoppa
2017-05-04 13:11     ` Michal Hocko
2017-05-04 13:37       ` Igor Stoppa
2017-05-04 14:01         ` Michal Hocko
2017-05-04 17:24           ` Dave Hansen
2017-05-05 12:08             ` Igor Stoppa
2017-05-05 12:19           ` Igor Stoppa
2017-05-10  7:45             ` Michal Hocko
2017-05-04 16:49 ` Laura Abbott
2017-05-05 10:42   ` Igor Stoppa
2017-05-08 15:25     ` Laura Abbott
2017-05-09  9:38       ` Igor Stoppa
2017-05-10  8:05     ` Michal Hocko [this message]
2017-05-10  8:57       ` Igor Stoppa
2017-05-10 11:43         ` Michal Hocko
2017-05-10 15:19           ` Igor Stoppa
2017-05-10 15:45             ` Dave Hansen
2017-05-19 10:51               ` Igor Stoppa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170510080542.GF31466@dhcp22.suse.cz \
    --to=mhocko@kernel.org \
    --cc=igor.stoppa@huawei.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=labbott@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).