From: Igor Stoppa
To: Dave Hansen, Michal Hocko
Subject: Re: RFC v2: post-init-read-only protection for data allocated dynamically
Date: Thu, 4 May 2017 11:17:25 +0300
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,
I suspect this was accidentally a Reply-To instead of a Reply-All,
so I'm putting back the CCs that were dropped.

On 03/05/17 21:41, Dave Hansen wrote:
> On 05/03/2017 05:06 AM, Igor Stoppa wrote:
>> My starting point are the policy DB of SE Linux and the LSM Hooks, but
>> eventually I would like to extend the protection also to other
>> subsystems, in a way that can be merged into mainline.
>
> Have you given any thought to just having a set of specialized slabs?

No, the idea of the RFC was to get this sort of comments about options I
might have missed :-)

> Today, for instance, we have a separate set of kmalloc() slabs for DMA:
> dma-kmalloc-{4096,2048,...}. It should be quite possible to have
> another set for your post-init-read-only protected data.

I will definitely investigate it and report back, thanks.
But in the meanwhile I'd appreciate further clarifications.
Please see below ...

> This doesn't take care of vmalloc(), but I have the feeling that
> implementing this for vmalloc() isn't going to be horribly difficult.

ok

>> * The mechanism used for locking down the memory region is to program
>>   the MMU to trap writes to said region. It is fairly efficient and
>>   HW-backed, so it doesn't introduce any major overhead,
>
> I'd take a bit of an issue with this statement. It *will* fracture
> large pages unless you manage to pack all of these allocations entirely
> within a large page. This is problematic because we use the largest
> size available, and that's 1GB on x86.

I am not sure I fully understand this part.
I am probably missing some point about the way kmalloc works.

I get the problem you describe, but I do not understand why it should
happen.
Going back for a moment to my original idea of the zone, as a physical
address range, why wouldn't it be possible to define it as one large page?

Btw, I do not expect to have much memory occupation, in terms of sheer
size, although there might be many small "variables" scattered across
the code. That's where I hope using kmalloc, instead of a custom made
allocator can make a difference, in terms of optimal occupation.

> IOW, if you scatter these things throughout the address space, you may
> end up fracturing/demoting enough large pages to cause major overhead
> refilling the TLB.

But why would I?
Or, better, what would cause it, unless I take special care?

Or, let me put it differently: my goal is to not fracture more pages
than needed.
It will probably require some profiling to figure out what is the
ballpark of the memory footprint.

I might have overlooked some aspect of this, but the overall goal
is to have a memory range (I won't call it zone, to avoid referring to a
specific implementation) which is as tightly packed as possible, stuffed
with all the data that is expected to become read-only.

> Note that this only applies for kmalloc() allocations, *not* vmalloc()
> since kmalloc() uses the kernel linear map and vmalloc() uses its own,
> separate mappings.

Yes.

---
thanks, igor
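
Added example, not part of the original message or of any kernel patch: a user-space C analogue of the tightly packed range discussed in the thread, where every to-be-read-only allocation comes from one contiguous pool that is write-protected in a single call after init. The names pool_alloc, pool_seal, write_is_trapped and the 64 KiB POOL_SIZE are assumptions, and mmap()/mprotect() stand in for the kernel's page-table handling.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS under strict -std */
#endif
#include <signal.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define POOL_SIZE (64 * 1024)    /* assumed size, a multiple of the page size */
static unsigned char *pool;      /* hypothetical pool, not a kernel API */
static size_t pool_used;

/* Bump allocator: allocations sit next to each other, so sealing changes
 * the protection of one contiguous range, not of pages scattered around. */
void *pool_alloc(size_t n)
{
    if (!pool) {
        pool = mmap(NULL, POOL_SIZE, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (pool == MAP_FAILED) { pool = NULL; return NULL; }
    }
    if (n > POOL_SIZE)
        return NULL;
    n = (n + 15) & ~(size_t)15;  /* keep 16-byte alignment */
    if (n > POOL_SIZE - pool_used)
        return NULL;
    void *p = pool + pool_used;
    pool_used += n;
    return p;
}

/* End of init: from here on the MMU traps every write to the pool. */
int pool_seal(void)
{
    return pool ? mprotect(pool, POOL_SIZE, PROT_READ) : -1;
}

/* Returns 1 if writing to p faults; the write is tried in a forked child. */
int write_is_trapped(volatile int *p)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { *p = 0; _exit(0); }
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) &&
           (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS);
}
```

The pool covers whole pages, so anything else placed in it becomes read-only too; that is why the thread cares about keeping only the to-be-protected data in the range.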