From: Peter Collingbourne <pcc@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kostya Kortchinsky <kostyak@google.com>, linux-mm@kvack.org
Subject: Re: [PATCH] mm: improve mprotect(R|W) efficiency on pages referenced once
Date: Mon, 28 Dec 2020 18:09:28 -0800 [thread overview]
Message-ID: <CAMn1gO7JBzyFs-qMDM5Cu3oMTw5vL3zabYgUWbnrKWFGDOx08w@mail.gmail.com> (raw)
In-Reply-To: <20201223143411.e889bcad32e5a1c0252c745c@linux-foundation.org>
On Wed, Dec 23, 2020 at 2:34 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Fri, 11 Dec 2020 21:31:52 -0800 Peter Collingbourne <pcc@google.com> wrote:
>
> > In the Scudo memory allocator [1] we would like to be able to
> > detect use-after-free vulnerabilities involving large allocations
> > by issuing mprotect(PROT_NONE) on the memory region used for the
> > allocation when it is deallocated. Later on, after the memory
> > region has been "quarantined" for a sufficient period of time we
> > would like to be able to use it for another allocation by issuing
> > mprotect(PROT_READ|PROT_WRITE).
> >
> > Before this patch, after removing the write protection, any writes
> > to the memory region would result in page faults and entering
> > the copy-on-write code path, even in the usual case where the
> > pages are only referenced by a single PTE, harming performance
> > unnecessarily. Make it so that any pages in anonymous mappings that
> > are only referenced by a single PTE are immediately made writable
> > during the mprotect so that we can avoid the page faults.
> >
>
> I worry that some other application out there does a similar thing, but
> only expects to very sparsely write to the area. It will see a big increase
> in mprotect() latency.
>
> Would it be better to implement this as a separate operation, rather
> than unconditionally tying it into mprotect()? Say, a new madvise()
> operation?
So the case that you're concerned about would be highlighted by this
program, correct?
#include <string.h>
#include <sys/mman.h>
enum { kSize = 131072 };
int main(int argc, char **argv) {
char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
memset(addr, 1, kSize);
for (int i = 0; i != 100000; ++i) {
mprotect((void *)addr, kSize, PROT_NONE);
mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE);
}
}
I measured the before/after real time execution time of this program
(median of 100 runs) on the DragonBoard and the results were:
Before: 0.325928s
After: 0.365493s
So there's an increase of around 12%. It doesn't seem very large to me
when compared to the 400-500% improvement that we get in the case
where every page is touched.
I also tried this program to measure the impact in the case where a
single page is touched after the mprotect:
#include <string.h>
#include <sys/mman.h>
enum { kSize = 131072 };
int main(int argc, char **argv) {
char *addr = (char *)mmap(0, kSize, PROT_READ | PROT_WRITE,
MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
memset(addr, 1, kSize);
for (int i = 0; i != 100000; ++i) {
memset(addr + (i * 4096) % kSize, i, 4096);
mprotect((void *)addr, kSize, PROT_NONE);
mprotect((void *)addr, kSize, PROT_READ | PROT_WRITE);
}
}
With this program the numbers were:
Before: 0.441516s
After: 0.380251s
So it seems that even with a single page fault the new approach is faster.
I saw similar results if I adjusted the programs to use a larger
mapping size. With kSize = 1048576 I get these numbers for the first
program:
Before: 1.563078s
After: 1.607476s
i.e. around 3%.
And these for the second:
Before: 1.684663s
After: 1.683272s
i.e. about the same.
What I think we may conclude from these results is that for smaller
mappings the advantage of the previous approach, although measurable,
is wiped out by a single page fault. I think we may expect that there
should be at least one access resulting in a page fault (under the
previous approach) after making the pages writable, since the program
presumably made the pages writable for a reason.
For larger mappings we may guesstimate that the new approach wins if
the density of future page faults is > 0.4%. But for the mappings that
are large enough for density to matter (not just the absolute number
of page faults) it doesn't seem like the increase in mprotect latency
would be very large relative to the total mprotect execution time.
So my inclination is that I don't really see a strong need for it to
be toggleable, but if we do, the behavior implemented by this patch
should be the default. Perhaps something like madvise(MADV_COLD) could
be used to get the previous behavior but I wouldn't implement that
straight away.
Peter
next prev parent reply other threads:[~2020-12-29 2:09 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-12 5:31 Peter Collingbourne
2020-12-23 22:34 ` Andrew Morton
2020-12-29 2:09 ` Peter Collingbourne [this message]
2020-12-29 19:25 ` Andrew Morton
2020-12-30 0:43 ` Peter Collingbourne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMn1gO7JBzyFs-qMDM5Cu3oMTw5vL3zabYgUWbnrKWFGDOx08w@mail.gmail.com \
--to=pcc@google.com \
--cc=akpm@linux-foundation.org \
--cc=kostyak@google.com \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox