Re: [patch 0/5] Support for sanitization flag in low-level pageallocator
From: Andrew Morton
Date: Fri May 29 2009 - 18:59:48 EST
On Wed, 20 May 2009 14:24:13 -0700
"Larry H." <research@xxxxxxxxxxxxxx> wrote:
> approach means forcing all developers to remember where they have to
> place this explicit clearing, and introducing unnecessary code
> duplication and an ever growing list of places adding these calls.
And your proposed approach requires that developers remember to use
GFP_SENSITIVE at allocation time. In well-implemented code, there is a
single memory-freeing site, so there's really no difference here.
Other problems I see with the patch are:
- Adds a test-n-branch to all page-freeing operations. Ouch. The
current approach avoids that cost.
- Fails to handle kmalloc()'ed memory. Fixing this will probably
require adding a test-n-branch to kmem_cache_alloc(). Ouch * N.
- Once kmalloc() is fixed, the page-allocator changes and
GFP_SENSITIVE itself can perhaps go away - I expect that little
security-sensitive memory is allocated direct from the page
allocator. Most callsites are probably using
kmalloc()/kmem_cache_alloc() (might be wrong).
If not wrong then we end up with a single requirement: zap the
memory in kmem_cache_free().
But how to do that? Particular callsites don't get to alter
kfree()'s behaviour. So they'd need to use a new kfree_sensitive().
Which is just syntactic sugar around the code whihc we presently
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/