From: Laura Abbott <labbott@redhat.com>
To: Igor Stoppa <igor.stoppa@huawei.com>,
Jes Sorensen <jes@trained-monkey.org>
Cc: Michal Hocko <mhocko@kernel.org>,
James Morris <james.l.morris@oracle.com>,
Jerome Glisse <jglisse@redhat.com>,
Paul Moore <paul@paul-moore.com>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
linux-security-module@vger.kernel.org
Subject: Re: [kernel-hardening] [RFC] memory allocations in genalloc
Date: Fri, 18 Aug 2017 06:57:37 -0700 [thread overview]
Message-ID: <bea38f28-b311-dd54-9323-f90e2b157e35@redhat.com> (raw)
In-Reply-To: <299c22f9-2e34-36dc-a6da-22eadbc0a59d@huawei.com>
On 08/17/2017 09:26 AM, Igor Stoppa wrote:
> Foreword:
> If I should direct this message to someone else, please let me know.
> I couldn't get a clear idea, by looking at both MAINTAINERS and git blame.
>
> ****
>
> Hi,
>
> I'm currently trying to convert the SE Linux policy db into using a
> protectable memory allocator (pmalloc) that I have developed.
>
> Such allocator is based on genalloc: I had come up with an
> implementation that was pretty similar to what genalloc already does, so
> it was pointed out to me that I could have a look at it.
>
> And, indeed, it seemed a perfect choice.
>
> But ... when freeing memory, genalloc wants that the caller also states
> how large each specific memory allocation is.
>
> This, per se, is not an issue, although genalloc doesn't seen to check
> if the memory being freed is really matching a previous allocation request.
>
> However, this design doesn't sit well with the use case I have in mind.
>
> In particular, when the SE Linux policy db is populated, the creation of
> one or more specific entry of the db might fail.
> In this case, the memory previously allocated for said entry, is
> released with kfree, which doesn't need to know the size of the chunk
> being freed.
>
> I would like to add similar capability to genalloc.
>
> genalloc already uses bitmaps, to track what words are allocated (1) and
> which are free (0)
>
> What I would like to do is to add another bitmap, which would track the
> beginning of each individual allocation (1 on the first allocation unit
> of each allocation, 0 otherwise).
>
> Such enhancement would enable also the detection of calls to free with
> incorrect / misaligned addresses - right now it is possible to
> successfully free a memory area that overlaps the interface of two
> adjacent allocations, without fully covering either of them.
>
> Would this change be acceptable?
> Is there any better way to achieve what I want?
>
In general, I don't see anything wrong with wanting to let gen_pool_free
not take a size. It's hard to say anything more without a patch to review.
My biggest concern would be keeping existing behavior and managing two
bitmaps locklessly.
>
> ---
>
> I have also a question wrt the use of spinlocks in genalloc.
> Why a spinlock?
>
> Freeing a chunk of memory previously allocated with vmalloc requires
> invoking vfree_atomic, instead of vfree, because the list of chunks is
> walked with the spinlock held, and vfree can sleep.
>
> Why not using a mutex?
>
>From the git history, gen_pool used to use a reader/writer lock and
was switched to be lockless so it could be used in NMI contexts
7f184275aa30 ("lib, Make gen_pool memory allocator lockless").
This looks to be an intentional choice, presumably so regions can be
added in atomic contexts. Again, if you have a specific patch or
proposal this would be easier to review.
Thanks,
Laura
>
> --
> TIA, igor
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-08-18 13:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-17 16:26 Igor Stoppa
2017-08-18 13:57 ` Laura Abbott [this message]
2017-08-18 14:47 ` [kernel-hardening] " Igor Stoppa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bea38f28-b311-dd54-9323-f90e2b157e35@redhat.com \
--to=labbott@redhat.com \
--cc=igor.stoppa@huawei.com \
--cc=james.l.morris@oracle.com \
--cc=jes@trained-monkey.org \
--cc=jglisse@redhat.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox