On 9/3/20 11:00 AM, Kees Cook wrote: > Why is a kernel-copied string insufficient for this? I don't think VMA > merging is a fast-path operation, so doing a strcmp isn't going to wreck > anything... > > Let me try to find the earlier thread with Dave Hansen... okay, found it: > https://lore.kernel.org/linux-mm/51DDF071.5000309@xxxxxxxxx/ > > Right, so, this idea predates userfaultfd. :) > > More notes below, but I *really* think this should not be a userspace > pointer. And since a separate union has been found, let's just do a > strndup_user() for the name, validate it as containing only printable > characters without \n \r \v \f and move the merging logic into a > separate patch. FWIW, I don't have any objections to this. Refcounting strings was what I think I had the strongest reaction to back in the good old days of 2013. strdup() on split plus strcmp() on merge doesn't sound afwul to me, and it is darn straightforward. The biggest downside is probably kernel memory consumption. We should probably just think through whether having so many duplicates changes things materially. For instance, should/could we penalize a task's vm.max_map_count when it's using this mechanism?
