Date: Fri, 23 Feb 2018 16:26:49 -0800 From: J Freyensee <why2jjj.linux@...il.com> To: Igor Stoppa <igor.stoppa@...wei.com>, david@...morbit.com, willy@...radead.org, keescook@...omium.org, mhocko@...nel.org Cc: labbott@...hat.com, linux-security-module@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com Subject: Re: [PATCH 7/7] Documentation for Pmalloc On 2/23/18 6:48 AM, Igor Stoppa wrote: > Detailed documentation about the protectable memory allocator. > > Signed-off-by: Igor Stoppa <igor.stoppa@...wei.com> > --- > Documentation/core-api/index.rst | 1 + > Documentation/core-api/pmalloc.rst | 114 +++++++++++++++++++++++++++++++++++++ > 2 files changed, 115 insertions(+) > create mode 100644 Documentation/core-api/pmalloc.rst > > diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst > index c670a8031786..8f5de42d6571 100644 > --- a/Documentation/core-api/index.rst > +++ b/Documentation/core-api/index.rst > @@ -25,6 +25,7 @@ Core utilities > genalloc > errseq > printk-formats > + pmalloc > > Interfaces for kernel debugging > =============================== > diff --git a/Documentation/core-api/pmalloc.rst b/Documentation/core-api/pmalloc.rst > new file mode 100644 > index 000000000000..d9725870444e > --- /dev/null > +++ b/Documentation/core-api/pmalloc.rst > @@ -0,0 +1,114 @@ > +.. SPDX-License-Identifier: GPL-2.0 > + > +Protectable memory allocator > +============================ > + > +Purpose > +------- > + > +The pmalloc library is meant to provide R/O status to data that, for some > +reason, could neither be declared as constant, nor could it take advantage > +of the qualifier __ro_after_init, but is write-once and read-only in spirit. > +It protects data from both accidental and malicious overwrites. > + > +Example: A policy that is loaded from userspace. > + > + > +Concept > +------- > + > +pmalloc builds on top of genalloc, using the same concept of memory pools. > + > +The value added by pmalloc is that now the memory contained in a pool can > +become R/O, for the rest of the life of the pool. > + > +Different kernel drivers and threads can use different pools, for finer > +control of what becomes R/O and when. And for improved lockless concurrency. > + > + > +Caveats > +------- > + > +- Memory freed while a pool is not yet protected will be reused. > + > +- Once a pool is protected, it's not possible to allocate any more memory > + from it. > + > +- Memory "freed" from a protected pool indicates that such memory is not > + in use anymore by the requester; however, it will not become available > + for further use, until the pool is destroyed. > + > +- Before destroying a pool, all the memory allocated from it must be > + released. Is that true? pmalloc_destroy_pool() has: . . + pmalloc_pool_set_protection(pool, false); + gen_pool_for_each_chunk(pool, pmalloc_chunk_free, NULL); + gen_pool_destroy(pool); + kfree(data); which to me looks like is the opposite, the data (ie, "memory") is being released first, then the pool is destroyed. > + > +- pmalloc does not provide locking support with respect to allocating vs > + protecting an individual pool, for performance reasons. What is the recommendation to using locks then, as the computing real-world mainly operates in multi-threaded/process world? Maybe show an example of an issue that occur if locks aren't used and give a coding example. > + It is recommended not to share the same pool between unrelated functions. > + Should sharing be a necessity, the user of the shared pool is expected > + to implement locking for that pool. > + > +- pmalloc uses genalloc to optimize the use of the space it allocates > + through vmalloc. Some more TLB entries will be used, however less than > + in the case of using vmalloc directly. The exact number depends on the > + size of each allocation request and possible slack. > + > +- Considering that not much data is supposed to be dynamically allocated > + and then marked as read-only, it shouldn't be an issue that the address > + range for pmalloc is limited, on 32-bit systems. Why is 32-bit systems mentioned and not 64-bit? Is there a problem with 64-bit here? Thanks, Jay
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.