Received: by 10.223.176.5 with SMTP id f5csp167257wra; Tue, 30 Jan 2018 09:36:45 -0800 (PST) X-Google-Smtp-Source: AH8x2263++JE+r7OPCmKKdsepJVnZS+4sU2+QemmmmYsPE4ZT6MukEGYogj5ADFIKHKBrxkRUbzt X-Received: by 10.98.134.206 with SMTP id x197mr19340323pfd.82.1517333805440; Tue, 30 Jan 2018 09:36:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517333805; cv=none; d=google.com; s=arc-20160816; b=h/hd/h2WHCtBmFZX9e3deUXu06+OHkQ7O/FBsd9V8KWdPkqsPf/RLwXObWPNEd81SV H7FhdJZY/z0doddAZGys/sw+m8oLb0eCYI6kwvUPWrBbL/W8HnTEjG2Ip2vqJZyuIw1K ceU4o9J98HH8rTkzTdGVfFnN72ua0DGVd7zZTxb73gb73kwXqN5YHLkbq/GBxTc8feOW J7eePkaEiMWutu4LoD/gtUyDdZG+B1b6CmuOcLRD6QTo0DzQkDmWZ7BVnfaNbq1aH3dK g5Z/JCzKgjuTgP+ad2AGxXSYvUikc1/oM6nlymU4Opt6UDR70O69Hs8TSGdYT5ssaCru EGhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date:arc-authentication-results; bh=IAMpzNeq3s7hv3zvpePVwD4WbCo9LuF1/Hw+lHlQsUE=; b=ZtJIZ+JW7MAZshSMwEbUVseco7cgYLl37MJj8biyolI4BliF9jmMkZqTQCAFVGZA2+ /q0tRXbx9mZv7dvb+T0Q6okC4REELm40JyAVznFUkTLcn6IRIZDlJkXKq3cxlHNB67yI NVQ4fLKRrZI7xncQNYeQ5261dmSO4aCOLTkBnCJvvh/DM9QdEy65kYs1solxmSIIscKB lDVj9OJQcPK600BJajecTeMZn3Q17QUlwSg6qg+/lmkMkMaicUYp/dM7dFsXBGhKt9Kt 5NC3xTsaLDQviBJCYFOG0HGU5zBs20EJwnWQM7+igtcGVF5bffnzqBHseR748WCCLZmu oxHQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a84si141153pfk.72.2018.01.30.09.36.30; Tue, 30 Jan 2018 09:36:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753254AbeA3RIz (ORCPT + 99 others); Tue, 30 Jan 2018 12:08:55 -0500 Received: from ms.lwn.net ([45.79.88.28]:41880 "EHLO ms.lwn.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752047AbeA3RIy (ORCPT ); Tue, 30 Jan 2018 12:08:54 -0500 Received: from lwn.net (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ms.lwn.net (Postfix) with ESMTPSA id 8FB542CC; Tue, 30 Jan 2018 17:08:53 +0000 (UTC) Date: Tue, 30 Jan 2018 10:08:52 -0700 From: Jonathan Corbet To: Igor Stoppa Cc: , , , , , , , , , , Subject: Re: [PATCH 5/6] Documentation for Pmalloc Message-ID: <20180130100852.2213b94d@lwn.net> In-Reply-To: <20180130151446.24698-6-igor.stoppa@huawei.com> References: <20180130151446.24698-1-igor.stoppa@huawei.com> <20180130151446.24698-6-igor.stoppa@huawei.com> Organization: LWN.net MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 30 Jan 2018 17:14:45 +0200 Igor Stoppa wrote: > Detailed documentation about the protectable memory allocator. > > Signed-off-by: Igor Stoppa > --- > Documentation/core-api/pmalloc.txt | 104 +++++++++++++++++++++++++++++++++++++ > 1 file changed, 104 insertions(+) > create mode 100644 Documentation/core-api/pmalloc.txt Please don't put plain-text files into core-api - that's a directory full of RST documents. Your document is 99.9% RST already, better to just finish the job and tie it into the rest of the kernel docs. > diff --git a/Documentation/core-api/pmalloc.txt b/Documentation/core-api/pmalloc.txt > new file mode 100644 > index 0000000..934d356 > --- /dev/null > +++ b/Documentation/core-api/pmalloc.txt > @@ -0,0 +1,104 @@ We might as well put the SPDX tag here, it's a new file. > +============================ > +Protectable memory allocator > +============================ > + > +Introduction > +------------ > + > +When trying to perform an attack toward a system, the attacker typically > +wants to alter the execution flow, in a way that allows actions which > +would otherwise be forbidden. > + > +In recent years there has been lots of effort in preventing the execution > +of arbitrary code, so the attacker is progressively pushed to look for > +alternatives. > + > +If code changes are either detected or even prevented, what is left is to > +alter kernel data. > + > +As countermeasure, constant data is collected in a section which is then > +marked as readonly. > +To expand on this, also statically allocated variables which are tagged > +as __ro_after_init will receive a similar treatment. > +The difference from constant data is that such variables can be still > +altered freely during the kernel init phase. > + > +However, such solution does not address those variables which could be > +treated essentially as read-only, but whose size is not known at compile > +time or cannot be fully initialized during the init phase. This is all good information, but I'd suggest it belongs more in the 0/n patch posting than here. The introduction of *this* document should say what it actually covers. > + > +Design > +------ > + > +pmalloc builds on top of genalloc, using the same concept of memory pools > +A pool is a handle to a group of chunks of memory of various sizes. > +When created, a pool is empty. It will be populated by allocating chunks > +of memory, either when the first memory allocation request is received, or > +when a pre-allocation is performed. > + > +Either way, one or more memory pages will be obtained from vmalloc and > +registered in the pool as chunk. Subsequent requests will be satisfied by > +either using any available free space from the current chunks, or by > +allocating more vmalloc pages, should the current free space not suffice. > + > +This is the key point of pmalloc: it groups data that must be protected > +into a set of pages. The protection is performed through the mmu, which > +is a prerequisite and has a minimum granularity of one page. > + > +If the relevant variables were not grouped, there would be a problem of > +allowing writes to other variables that might happen to share the same > +page, but require further alterations over time. > + > +A pool is a group of pages that are write protected at the same time. > +Ideally, they have some high level correlation (ex: they belong to the > +same module), which justifies write protecting them all together. > + > +To keep it to a minimum, locking is left to the user of the API, in > +those cases where it's not strictly needed. This seems like a relevant and important aspect of the API that shouldn't be buried in the middle of a section talking about random things. > +Ideally, no further locking is required, since each module can have own > +pool (or pools), which should, for example, avoid the need for cross > +module or cross thread synchronization about write protecting a pool. > + > +The overhead of creating an additional pool is minimal: a handful of bytes > +from kmalloc space for the metadata and then what is left unused from the > +page(s) registered as chunks. > + > +Compared to plain use of vmalloc, genalloc has the advantage of tightly > +packing the allocations, reducing the number of pages used and therefore > +the pressure on the TLB. The slight overhead in execution time of the > +allocation should be mostly irrelevant, because pmalloc memory is not > +meant to be allocated/freed in tight loops. Rather it ought to be taken > +in use, initialized and write protected. Possibly destroyed. > + > +Considering that not much data is supposed to be dynamically allocated > +and then marked as read-only, it shouldn't be an issue that the address > +range for pmalloc is limited, on 32-bit systems. > + > +Regarding SMP systems, the allocations are expected to happen mostly > +during an initial transient, after which there should be no more need to > +perform cross-processor synchronizations of page tables. > + > + > +Use > +--- > + > +The typical sequence, when using pmalloc, is: > + > +1. create a pool > +2. [optional] pre-allocate some memory in the pool > +3. issue one or more allocation requests to the pool > +4. initialize the memory obtained > + - iterate over points 3 & 4 as needed - > +5. write protect the pool > +6. use in read-only mode the handlers obtained through the allocations > +7. [optional] destroy the pool So one gets this far, but has no actual idea of how to do these things. Which leads me to wonder: what is this document for? Who are you expecting to read it? You could improve things a lot by (once again) going to RST and using directives to bring in the kerneldoc comments from the source (which, I note, do exist). But I'd suggest rethinking this document and its audience. Most of the people reading it are likely wanting to learn how to *use* this API; I think it would be best to not leave them frustrated. Thanks, jon