The security about KSM and "adds all memory pages from all processes to KSM"

From: Mark
Date: Wed Jun 28 2017 - 10:41:34 EST


Hi Hugh and experts,

We are trying to enable KSM in a multi-container projects to save some memory.
And as the celld project suggests:
"To maximize the benefit of KSM, CellD uses a custom system call which adds all
memory pages from all processes to the set of pages KSM attempts to merge. " [1]

Our test shows that with the patch[2], applications works stable and more memory
are saved, but we are not sure if this patch brings in any more secure risks compared
with ksm only. The "uksm"[3] probably works in a similar way, but somehow in our
tests seems it save less memory.

Do you have any comments? Thank you so much.

[1] http://systems.cs.columbia.edu/archive/pub/2012/08/the-design-implementation-and-evaluation-of-cells-a-virtual-smartphone-architecture/
[2] https://cells-source.cs.columbia.edu/#/c/114/1/mm/madvise.c
[3] http://kerneldedup.org/en/