From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1175C43334 for ; Fri, 1 Jul 2022 19:13:02 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E7F906B0071; Fri, 1 Jul 2022 15:13:01 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id E2F3F6B0073; Fri, 1 Jul 2022 15:13:01 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id CA9DB6B0074; Fri, 1 Jul 2022 15:13:01 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id B5A1F6B0071 for ; Fri, 1 Jul 2022 15:13:01 -0400 (EDT) Received: from smtpin22.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 8359460657 for ; Fri, 1 Jul 2022 19:13:01 +0000 (UTC) X-FDA: 79639478562.22.5EAFC00 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf23.hostedemail.com (Postfix) with ESMTP id 1035414004B for ; Fri, 1 Jul 2022 19:13:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1656702780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=h152FewPrKnZVbE5g81JHsdbsg+iR3FNew4h05nwfCo=; b=BnP/WvBmqA82YXljhB2myERFQVO1lpXQ7xwGV0PI/5aQy03AvggkMiM1O0OdUv24JTDrPK ONlH8nNl/mnQsmrOxY/J7Ql9iIElcnPD4+9tSYnJQReK8Lk4tGmj/0iONrRIIui1QnfD6M PJG6PzPso74HQ37+VjTJsL71murcfQc= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-75-Iq0IdimxMnqhtIuWeREOqw-1; Fri, 01 Jul 2022 15:12:59 -0400 X-MC-Unique: Iq0IdimxMnqhtIuWeREOqw-1 Received: by mail-wm1-f70.google.com with SMTP id v8-20020a05600c214800b003a1819451b1so1770781wml.7 for ; Fri, 01 Jul 2022 12:12:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:cc:references:from:organization:subject :in-reply-to:content-transfer-encoding; bh=h152FewPrKnZVbE5g81JHsdbsg+iR3FNew4h05nwfCo=; b=EpgjIv2MYNcXvOzDgpZkhQbMCynoYsftCohbQJ2OcFYZMuts7D6Q2cx6jBqEIYRMt9 023loVpteHzGniBhOl9wfhK71/P6ZY8bwpAqpzr0Xw7Q8wbFfTwqezNFBNcF4x7hfMmF 5FV/9uk5X1Y6wFhknVK6hnFWXxkS5Wy7SzGHUU5q52v1nUNGTTiIzzwRR8zBLm4MJ1eN MiAqy0YGNsw3lGIhiJ2YbAdGLh8MB2HqwagPg2/pmdMy5uu7H18ElEXnwwQiYxQW+bjX VeLwwDfbUhwUUnUZAYG5rtjh/xLPl+aogY/cJ7oeDivpFSBbqGSCND0ddgG2PvqVNM0g 3a+Q== X-Gm-Message-State: AJIora8XXbN0ZktMaEIgBJkfGoX7ET6B/xcndoYFb2laSQCfcLZ+gxNR bH2eW7ieOsx2O3bZGBsX6rQxzwkZ1+yPJpPTvOytd11AptqzPNq8jSYtuKuUaafRpOLCrhbSyvr /PMGm9Kcv++o= X-Received: by 2002:a05:600c:4f11:b0:3a1:8631:b6b4 with SMTP id l17-20020a05600c4f1100b003a18631b6b4mr9168387wmq.94.1656702778199; Fri, 01 Jul 2022 12:12:58 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sLzZyIb1fG4orx1PBfl+peet0Bt+n/odU70W6XVArPjhw07JD2zK/VbipQTMb95tN7YpKNoQ== X-Received: by 2002:a05:600c:4f11:b0:3a1:8631:b6b4 with SMTP id l17-20020a05600c4f1100b003a18631b6b4mr9168376wmq.94.1656702777926; Fri, 01 Jul 2022 12:12:57 -0700 (PDT) Received: from ?IPV6:2003:cb:c709:e300:d7a0:7fc3:8428:43e5? (p200300cbc709e300d7a07fc3842843e5.dip0.t-ipconnect.de. [2003:cb:c709:e300:d7a0:7fc3:8428:43e5]) by smtp.gmail.com with ESMTPSA id m21-20020a05600c4f5500b003a0502c620dsm7331653wmq.44.2022.07.01.12.12.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 Jul 2022 12:12:57 -0700 (PDT) Message-ID: <11d28e6d-edb0-7d11-b476-c5808f3b7c5d@redhat.com> Date: Fri, 1 Jul 2022 21:12:56 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0 To: Michal Hocko Cc: cgel.zte@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, vbabka@suse.cz, minchan@kernel.org, oleksandr@redhat.com, xu xin , Jann Horn , Andrew Morton References: <20220701084323.1261361-1-xu.xin16@zte.com.cn> <93e1e19a-deff-2dad-0b3c-ef411309ec58@redhat.com> <203548a6-cf70-30ce-6756-f6c909e7ef21@redhat.com> <54b67d6b-f600-1b9b-3d3f-e91b13d04c91@redhat.com> From: David Hildenbrand Organization: Red Hat Subject: Re: [PATCH linux-next] mm/madvise: allow KSM hints for process_madvise In-Reply-To: X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit ARC-Authentication-Results: i=1; imf23.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="BnP/WvBm"; dmarc=pass (policy=none) header.from=redhat.com; spf=none (imf23.hostedemail.com: domain of david@redhat.com has no SPF policy when checking 170.10.129.124) smtp.mailfrom=david@redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1656702781; a=rsa-sha256; cv=none; b=EQenQSyxRpR2Qm/F12p+ACmWUbWGa9OBI5+XwmXBEEUmbpES7q4yYuUtvaIhpJglWJ9dIq wiwqXaUh0ef4+ypMRXJkv7oSwxoa1ldXPJvzl8Gj0iFXy/e1aCXRqfxCq4+e/QvgLERKdq CUz8XeUmpXZBdEELdW88yg5NQX+iTj8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1656702781; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=h152FewPrKnZVbE5g81JHsdbsg+iR3FNew4h05nwfCo=; b=BKmopWj6hifl6vpsPlFKF27Y30XJP2c9xSFss7oq5zo2nFNL8esO65YV+leTHYTS8+e8LY BI7Yyj6b7ii60yTrFHaQpuJgIOGYWZW+QDBhJgRFfXaJxi7xCeUQua5l6KernKIbF+6GpZ OqoSq/weWtP//gHngmGO77VkNCTaPh8= X-Rspam-User: Authentication-Results: imf23.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="BnP/WvBm"; dmarc=pass (policy=none) header.from=redhat.com; spf=none (imf23.hostedemail.com: domain of david@redhat.com has no SPF policy when checking 170.10.129.124) smtp.mailfrom=david@redhat.com X-Rspamd-Server: rspam08 X-Rspamd-Queue-Id: 1035414004B X-Stat-Signature: 95gcjo7jx7dfu7636j8zau4thg4esd81 X-HE-Tag: 1656702780-999085 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 01.07.22 15:19, Michal Hocko wrote: > On Fri 01-07-22 14:39:24, David Hildenbrand wrote: >>> I am not sure about exact details of the KSM implementation but if that >>> is not a desirable behavior then it should be handled on the KSM level. >>> The very sam thing can easily happen in a multithreaded (or in general >>> multi-process with shared mm) environment as well. >> >> I don't quite get what you mean. > > I meant to say that if KSM needs to be aware of a special CoW semantic > then it should be handled on the KSM layer regardless whether the KSM > has been set by the process itself or any other process that has acccess > to the MM. process_madvise is just another way to access a remote MM > other than sharing the full MM. Okay. KSM has been a corner case feature that was restricted to well-defined and well-tested environments. Until recently, R/O pins of any KSM pages was essentially completely unreliably. And applications don't expect such surprises. The shared zeropage is most probably the last problematic piece. Yes, we're getting there that it's a real feature that can see more (forced) wide-spread use. However, until the known issues in KSM have been fixed (e.g., below -- there is a whole list of papers regarding attacks on memory deduplication), it should be limited to well defined environments and applications only -- IMHO. So what I want to express here is that if we're adding an interface that can be used to just enable KSM on the whole system easily, it might be a bit to soon for that. No matter what you document, people will ignore it. OTOH, if this is a real debug feature that will only be available in specific debug/test scenarios (kernel config? toggle? whatsoever?), then it's "better". If that is already the case, good. > > [...] >>> Are you saying that any remote handling of the KSM has to deal with a >>> pre-existing semantic as well? Are we aware of any existing application >>> that really uses MADV_UNMERGEABLE in a hope to disable KSM for any of >>> its sensitive memory ranges? My understanding is that this is simply a >>> on/off knob and a remote way to do the same is in line with the existing >>> API. >> >> "its sensitive memory ranges" that's exactly what I am concerned of. >> There should be a toggle, and existing applciations will not be using it. > > The thing is that most applications (are there any?) do not actively > say that something is not KSM safe, right? They expect they opt in where They can't. But knowing about stuff like https://access.redhat.com/security/cve/cve-2021-3714 makes me be sure that there are applications that don't want this force-enabled ever. > it makes sense. So my question is, whether any remote way to opt in for > KSM has to redefine the existing semantic or the same should be achieved > by a sufficient privileges? > > The former would have really hard times to be applicable to the very > likely first hand usecase - unmodifiable binaries... Yes, I know. I also don't have a good answer to all of that. > >>> To be completely honest I do not really buy an argument that this might >>> break something much more than the original application can do already. >> >> How can you get a shared zeropage in a private mapping after a previous >> write if not via KSM? > > I was not referring to KSM specifically here. My recollection is that > PTRACE_MODE_READ_FSCREDS is quite powerful already. Ah, you mean process_madvise() permissions. -- Thanks, David / dhildenb