Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1461731yba; Wed, 24 Apr 2019 23:32:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqyu5RxOzFwVNHOONxE39OOwUsXrBPt4GPcVDr7qTkqTPlFSz+fGYjQwrHAHMgdIYUY7RWPE X-Received: by 2002:a63:ef4c:: with SMTP id c12mr35893163pgk.43.1556173936814; Wed, 24 Apr 2019 23:32:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556173936; cv=none; d=google.com; s=arc-20160816; b=ciX/xpfaeMk5T7MEP6N82nbd54c1UiwEaN3EaLS59d+iKwxcne6eViEe/Z0nhN5rpM VQu9JO9llAAQBGip4towO0kYAZoD3qeGmIQo8iZUxn3CFcDpoRnMLbjXY8wDpFME/V/q Z7ewmxooaXjcu74upAPrAWxrMAL/DvaUdOrDdQll3TU60if2arOv4jFJp3kyJj9vilJ4 3S/4/VIzz/IPeKTdXAPrrMdCg4wXVjKbEAR967WQop9ezkiVnoCMAYMsh7dqhMibOZG7 Z9MR0E6h4+fQvr9kWcDFMlenpBdEJNRnw2gW2UB6goHRycDREKznkrv9S1a47YDPt35b 0SVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=wflHOq/5T+ZXCjWUuQ+Otw4+acC/CT36CLZGEdvvwaE=; b=TMx0BLqOY/ITsx5ZfbjwnVjKckydSgS0fkqRWdK6+RettFSxH3WwaYfCls3sz5QGfS 66a2ZmTlf2AHfe4Pep7lSh0nRQ+q8yb2jFwQlC/Xfr67IsMNZBP6DifzsSGRgr5pG0im jLFnzXqEGjX6icHwuYGBMIK8tgdtd/4t/UhbTmSh8OPFoKBAQUcvuQJ1fydh6pKMvpJk MrXAORilR1nSNQ+zqsac5WY+jvLHgt9zFLOw4FMuebzB2EEfUnZUfoOUzURcuWHNPWn+ AbEGMmbDe4Z76hY5Dk6rUBcNXD93BeHB8G7jc9Pzf3MOHBf7tMQWplS+kX4fhOpSkRmS O7rw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MkCahJzn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e36si5027679pgb.286.2019.04.24.23.32.01; Wed, 24 Apr 2019 23:32:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MkCahJzn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732803AbfDXTdZ (ORCPT + 99 others); Wed, 24 Apr 2019 15:33:25 -0400 Received: from mail-io1-f67.google.com ([209.85.166.67]:38626 "EHLO mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727373AbfDXTdY (ORCPT ); Wed, 24 Apr 2019 15:33:24 -0400 Received: by mail-io1-f67.google.com with SMTP id y6so9212299ior.5 for ; Wed, 24 Apr 2019 12:33:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wflHOq/5T+ZXCjWUuQ+Otw4+acC/CT36CLZGEdvvwaE=; b=MkCahJznroJgkW0oElWPSJZfpPCaob0MRXbne3p3BT20DPsC6WzDWFDMguURI7KEUc eANX+vUFF7XOTjHjzkp4FeIoH0JkOadAa4TE/mga9BWwa5PLIMpcbSpg/bJZFOSwVKCV 4Q7yDEfqH7zZT5ycivz/8LjKPa/uL3SuZxwEwYaUJLUsO5HviFOpxD7/3PxprCQCp6QS 0Z/oojm96tqPir32wttihXjEo7Ts9fdxtgme0APOa5EClsFWIwjfz8ARQdsqd7l8fN8h JlnEj4rUMmtRngVS+A9XBCncRgF9xq4HnyQYmm8OF5ZHrqmmgl7tApaprI1Y8fuIB/Md T67A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wflHOq/5T+ZXCjWUuQ+Otw4+acC/CT36CLZGEdvvwaE=; b=q4UnXScI5ENOYCUq2hXkrC0mfhcSnDW1nyDrWdvbSYP9x0ZDOPbagd1hIzth59iDUC VLudfr5yjX6fqsaqy1k3TPF60SaHGEWLY5kaWlgjcvkQqZ2tf5NC7ADTLEkLQDVn5C8e YifajaCSheLr+OvJx6sNB8bpHqkulF4BULHoUB8sD/ZWx07EnEtkyTDUF2jbveAdr4Q3 qaE10ercKTFpaNSiXinGzoK5YvOGff4094p6MG7bQpWfnj47QNDk6Gv37zEIcLnCJUgb 1q9rcsXKMZoRESaMkaKTPi4GJDG7OiF5tU+LKOgQ0jSwdhHH6eYaM1AU1A7YH2gI1hMb 9j9g== X-Gm-Message-State: APjAAAU4XXWGEuGQWbqu1qnny2Z8CJwHyggpXLFcs2y2Bz8cuVxBncBH y/P5vpH68DRq6jfcqT65z3wNzeiQ+nnZz/uhIlfFINeofCs= X-Received: by 2002:a5e:8348:: with SMTP id y8mr21067935iom.88.1556134403324; Wed, 24 Apr 2019 12:33:23 -0700 (PDT) MIME-Version: 1.0 References: <20190424191440.170422-1-matthewgarrett@google.com> <20190424192812.GG19031@bombadil.infradead.org> In-Reply-To: <20190424192812.GG19031@bombadil.infradead.org> From: Matthew Garrett Date: Wed, 24 Apr 2019 12:33:11 -0700 Message-ID: Subject: Re: [PATCH] mm: Allow userland to request that the kernel clear memory on release To: Matthew Wilcox Cc: linux-mm@kvack.org, Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 24, 2019 at 12:28 PM Matthew Wilcox wrote: > > On Wed, Apr 24, 2019 at 12:14:40PM -0700, Matthew Garrett wrote: > > Unfortunately, if an application exits uncleanly, its secrets may still be > > present in RAM. This can't be easily fixed in userland (eg, if the OOM > > killer decides to kill a process holding secrets, we're not going to be able > > to avoid that), so this patch adds a new flag to madvise() to allow userland > > to request that the kernel clear the covered pages whenever the page > > reference count hits zero. Since vm_flags is already full on 32-bit, it > > will only work on 64-bit systems. > > Your request seems reasonable to me. > > > +++ b/include/linux/page-flags.h > > @@ -118,6 +118,7 @@ enum pageflags { > > PG_reclaim, /* To be reclaimed asap */ > > PG_swapbacked, /* Page is backed by RAM/swap */ > > PG_unevictable, /* Page is "unevictable" */ > > + PG_wipeonrelease, > > But you can't have a new PageFlag. Can you instead zero the memory in > unmap_single_vma() where we call uprobe_munmap() and untrack_pfn() today? Is there any way the page could be referenced by something other than a VMA at this point? If so we probably don't want to zero it here, but we do want to zero it when the page is finally released (which is why I went with a page flag)