linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Igor Stoppa <igor.stoppa@huawei.com>
To: Laura Abbott <labbott@redhat.com>, Michal Hocko <mhocko@kernel.org>
Cc: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>
Subject: Re: RFC v2: post-init-read-only protection for data allocated dynamically
Date: Tue, 9 May 2017 12:38:58 +0300	[thread overview]
Message-ID: <72cc9d16-305e-1856-0bbb-59010b067589@huawei.com> (raw)
In-Reply-To: <b3fab9c3-fa35-eb7b-204c-f85a0d392e12@redhat.com>

On 08/05/17 18:25, Laura Abbott wrote:
> On 05/05/2017 03:42 AM, Igor Stoppa wrote:
>> On 04/05/17 19:49, Laura Abbott wrote:

[...]

> PAGE_SIZE is still 4K/16K/64K but the underlying page table mappings
> may use larger mappings (2MB, 32M, 512M, etc.). The ARM architecture
> has a break-before-make requirement which requires old mappings be
> fully torn down and invalidated to avoid TLB conflicts. This is nearly
> impossible to do correctly on live page tables so the current policy
> is to not break down larger mappings.

ok, but if a system integrator chooses to have the mapping set to 512M
(let's consider a case that is definitely unoptimized), this granularity
will apply to anything that needs to be marked as R/O and is allocated
through linear mapping.

If the issue inherently sits with linear allocation, then maybe the
correct approach is to confirm if linear allocation is really needed, in
the first place.
Maybe not, at least for the type of data I have in mind.

However, that would require changes in the users of the interface,
rather than the interface itself.

I don't see this change as a problem, in general, but OTOH I do not know
yet if there are legitimate reasons to use kmalloc for any
post-init-read-only data.

Of course, if you have any proposal that would solve this problem with
large pages, I'd be interested to know.

Also, for me to better understand the magnitude of the problem, do you
know if there is any specific scenario where larger mappings would be
used/recommended?

The major reason for using larger mapping that I can think of, is to
improve the efficiency of the TLB when under pressure, however I
wouldn't be able to judge how much this can affect the overall
performance a big iron or in a small device.

Do you know if there is any similar case that has to deal with locking
down large pages?
Doesn't the kernel text have potentially a similar risks of leaving
large amount of memory unused?
Is rodata only virtual?

> I'd rather see this designed as being mandatory from the start and then
> provide a mechanism to turn it off if necessary. The uptake and
> coverage from opt-in features tends to be very low based on past experience.

I have nothing against such wish, actually I'd love it, but I'm not sure
I have the answer for it.

Yet, a partial solution is better than nothing, if there is no truly
flexible one.

--
igor

  reply	other threads:[~2017-05-09  9:40 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-03 12:06 RFC v2: post-init-read-only protection for data allocated dynamically Igor Stoppa
     [not found] ` <70a9d4db-f374-de45-413b-65b74c59edcb@intel.com>
2017-05-04  8:17   ` Igor Stoppa
2017-05-04 14:30     ` Dave Hansen
2017-05-05  8:53       ` Igor Stoppa
2017-05-04 11:21 ` Michal Hocko
2017-05-04 12:14   ` Igor Stoppa
2017-05-04 13:11     ` Michal Hocko
2017-05-04 13:37       ` Igor Stoppa
2017-05-04 14:01         ` Michal Hocko
2017-05-04 17:24           ` Dave Hansen
2017-05-05 12:08             ` Igor Stoppa
2017-05-05 12:19           ` Igor Stoppa
2017-05-10  7:45             ` Michal Hocko
2017-05-04 16:49 ` Laura Abbott
2017-05-05 10:42   ` Igor Stoppa
2017-05-08 15:25     ` Laura Abbott
2017-05-09  9:38       ` Igor Stoppa [this message]
2017-05-10  8:05     ` Michal Hocko
2017-05-10  8:57       ` Igor Stoppa
2017-05-10 11:43         ` Michal Hocko
2017-05-10 15:19           ` Igor Stoppa
2017-05-10 15:45             ` Dave Hansen
2017-05-19 10:51               ` Igor Stoppa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=72cc9d16-305e-1856-0bbb-59010b067589@huawei.com \
    --to=igor.stoppa@huawei.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=labbott@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mhocko@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).