On Mon, Mar 05, 2018 at 04:09:31PM +0300, Ilya Smith wrote: > > On 4 Mar 2018, at 23:56, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote: > > Thinking about this more ... > > > > - When you call munmap, if you pass in the same (addr, length) that were > > used for mmap, then it should unmap the guard pages as well (that > > wasn't part of the patch, so it would have to be added) > > - If 'addr' is higher than the mapped address, and length at least > > reaches the end of the mapping, then I would expect the guard pages to > > "move down" and be after the end of the newly-shortened mapping. > > - If 'addr' is higher than the mapped address, and the length doesn't > > reach the end of the old mapping, we split the old mapping into two. > > I would expect the guard pages to apply to both mappings, insofar as > > they'll fit. For an example, suppose we have a five-page mapping with > > two guard pages (MMMMMGG), and then we unmap the fourth page. Now we > > have a three-page mapping with one guard page followed immediately > > by a one-page mapping with two guard pages (MMMGMGG). > > I’m analysing that approach and see much more problems: > - each time you call mmap like this, you still increase count of vmas as my > patch did Umm ... yes, each time you call mmap, you get a VMA. I'm not sure why that's a problem with my patch. I was trying to solve the problem Daniel pointed out, that mapping a guard region after each mmap cost twice as many VMAs, and it solves that problem. > - now feature vma_merge shouldn’t work at all, until MAP_FIXED is set or > PROT_GUARD(0) That's true. > - the entropy you provide is like 16 bit, that is really not so hard to brute It's 16 bits per mapping. I think that'll make enough attacks harder to be worthwhile. > - in your patch you don’t use vm_guard at address searching, I see many roots > of bugs here Don't need to. vm_end includes the guard pages. > - if you unmap/remap one page inside region, field vma_guard will show head > or tail pages for vma, not both; kernel don’t know how to handle it There are no head pages. The guard pages are only placed after the real end. > - user mode now choose entropy with PROT_GUARD macro, where did he gets it? > User mode shouldn’t be responsible for entropy at all I can't agree with that. The user has plenty of opportunities to get randomness; from /dev/random is the easiest, but you could also do timing attacks on your own cachelines, for example. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>