From: "Theo de Raadt"
To: Jeff Xu
Cc: Jeff Xu, Linus Torvalds, "Liam R. Howlett", Jonathan Corbet, akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, usama.anjum@collabora.com, rdunlap@infradead.org, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
Date: Thu, 01 Feb 2024 22:00:35 -0700
Message-ID: <29248.1706850035@cvs.openbsd.org>

Jeff Xu wrote:

> Even without free.
> I personally do not like the heap getting sealed like that.
>
> Component A.
> p=malloc(4096);
> writing something to p.
>
> Component B:
> mprotect(p,4096, RO)
> mseal(p,4096)
>
> This will split the heap VMA, and prevent the heap from shrinking, if
> this is in a frequent code path, then it might hurt the process's
> memory usage.
>
> The existing code is more likely to use malloc than mmap(), so it is
> easier for dev to seal a piece of data belonging to another component.
> I hope this pattern is not wide-spreading.
>
> The ideal way will be just changing the library A to use mmap.

I think you are lacking some test programs to see how it actually
behaves; the effect is worse than you think, and the impact is
immediately visible to the programmer, and the lesson is clear: you can
only seal objects which you guarantee never get recycled. Pushing a
sealed object back into reuse is a disastrous bug. No one should call
this interface, unless they understand that.

I'll say again, you don't have a test program for various allocators to
understand how it behaves. The failure modes described in your documents
are not correct.
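
The rule in the reply above (only seal memory that is never recycled), as an added example that is not part of the original message or of the mseal patch set: a three-page anonymous mapping stands in for an allocator arena, and the middle page is sealed the way component B does it. It assumes a 64-bit Linux kernel that provides mseal (6.10 or later, syscall number 462); `seal_readonly` and `recycle_after_seal` are names made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mseal
#define __NR_mseal 462  /* assumption: x86-64 / asm-generic number, Linux 6.10+ */
#endif

enum { SEAL_UNAVAILABLE = -1, RECYCLE_BLOCKED = 0, RECYCLE_ALLOWED = 1 };

/* Component B from the quoted text: make the object read-only, then seal it. */
static int seal_readonly(void *p, size_t len)
{
    if (mprotect(p, len, PROT_READ) != 0)
        return -1;
    return (int)syscall(__NR_mseal, p, len, 0UL);
}

/* Constructed stand-in for an allocator arena: three anonymous pages.
 * The middle page plays the object that was handed out to component A. */
int recycle_after_seal(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *arena = mmap(NULL, 3 * pg, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (arena == MAP_FAILED)
        return SEAL_UNAVAILABLE;
    char *obj = arena + pg;
    strcpy(obj, "component A data");
    if (seal_readonly(obj, pg) != 0) {   /* old kernel, 32-bit, or filtered */
        munmap(arena, 3 * pg);
        return SEAL_UNAVAILABLE;
    }
    /* To reuse the page an allocator has to make it writable again or give
     * it back to the kernel; both are refused on a sealed range. */
    int rw = mprotect(obj, pg, PROT_READ | PROT_WRITE);
    int rw_errno = errno;
    int un = munmap(obj, pg);
    int un_errno = errno;
    printf("mprotect(RW): %d (%s)\n", rw, rw ? strerror(rw_errno) : "ok");
    printf("munmap:       %d (%s)\n", un, un ? strerror(un_errno) : "ok");
    return (rw == -1 && un == -1) ? RECYCLE_BLOCKED : RECYCLE_ALLOWED;
}

int main(void) { return recycle_after_seal() == RECYCLE_ALLOWED; }
```

On a kernel without mseal the function returns SEAL_UNAVAILABLE and nothing is sealed; where the seal succeeds, the page stays read-only and mapped for the life of the process.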