From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 32A7D434E56 for ; Wed, 15 Jul 2026 11:33:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784115199; cv=none; b=Rydqf3h8mFTm4xtKs2LwBTCg1XOwkzmelwII4azO+gE6EO3dDAAPjvEZUF+J847UOOg+Zh/LQln/F7/Nu7nJltQblZWvqnezQ4ut3sfoMPUpMHYTNOKqopt/+3DYndxzVQINeHIjyQMdUGRRFc276dWLNv7htoPcCwYuRYDoZrE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784115199; c=relaxed/simple; bh=1d64bRAdt9DTQiTS8x2855nMSmiQZlXJIrjhK4C/mzQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=FG0fOwFdT/efADpzc3Ff0JAwI9UKOHk8EU8AMDt/zIbMg2zVImf9JFgjiOPt89IDdU9rGMTSvG2WjdweUOzFY5tBJ0k9MIOB1b1+MJO0yY6NeXDIWc8SIebCQCjliWZxFw7LPbvHGlJbmZJzuCkx2l4zMacloRUP7DeewfqXZrQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bscw2GOx; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="bscw2GOx" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 141C81F000E9; Wed, 15 Jul 2026 11:33:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1784115193; bh=LCDqEALQukdy48lYCnyqwpZMutqK5Js8PtN9MiPr3Po=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=bscw2GOxvcq7zy/uL4d2iR32U2VH/nFsAt0vLQ1y4PKosX/mVdfhsHAWOXa5z1kjt zsX1ykm4LBRa4oe/Q/S2zOE4Tco09jVjJIwmPZ2S63mDJ/lcoBaAxZJ9JWJ6WLd0j2 P0IgyX2poBYgNq4qNtgg1vE+FPViT3Q9HDY8sWbS+8RuXLLBUTUdlYmeOk+x7HkrqW arGZPkjmYmXvqpTAqJnIhBHusfgWxIVO1kPqGRJu6RB/JIc2qzff07tvSJA4VvxaEH WHNKJkewg75wt1S+QTcPc2DaHURIv2qV60CA1Wlc3TaqxsJZ3KS/rBIwgpy3IbVWYg Z3qmvKg2BYBgw== Date: Wed, 15 Jul 2026 14:33:05 +0300 From: Mike Rapoport To: Brendan Jackman Cc: "David Hildenbrand (Arm)" , Andrew Morton , Brendan Jackman , Lorenzo Stoakes , "Liam R. Howlett" , Vlastimil Babka , Suren Baghdasaryan , Michal Hocko , linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] mm/secretmem: disable under HIGHMEM Message-ID: References: <20260703-secretmem-highmem-v1-1-30d5ff944664@google.com> <20260704192603.40aa80cf9242b77aa75e8d8d@linux-foundation.org> <503aee9e-97fc-4889-a379-3c0a5d140554@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Wed, Jul 15, 2026 at 11:22:33AM +0000, Brendan Jackman wrote: > On Mon Jul 6, 2026 at 8:42 AM UTC, David Hildenbrand (Arm) wrote: > > On 7/5/26 13:34, Mike Rapoport wrote: > >> On Sun, Jul 05, 2026 at 10:46:19AM +0000, Brendan Jackman wrote: > >>> On Sun Jul 5, 2026 at 2:26 AM UTC, Andrew Morton wrote: > >>>> > >>>> Well OK, but the secretmem code is still wrong. The patch protects > >>>> people from hitting the bug but leaves the bug in place. Surely it would be > >>>> better to fix the bug? > >>> > >>> I don't think the code is wrong if highmem is disabled. Certainly > >>> there is an implicit coupling between the .c file and the Kconfig file, > >>> but we could always add a BUILD_BUG_ON(IS_ENABLED(CONFIG_SECRETMEM)) to > >>> the relevant bit of code to make it explicit. > >>> > >>>> Is that as simple as adding the folio_test_highmem() test? > >>> > >>> This would fix the WARN+SIGBUS but I don't think it resolves the fact > >>> that this configuration is completely untested - there are likely other > >>> functional bugs? But more importantly, I am not sure if secretmem > >>> actually does its security job if kmap_local_page() isn't a NOP. I > >>> think shipping a "security feature" that doesn't do what it says would > >>> be really terrible. (It might work totally fine, I dunno, but it would > >>> require some research and deep thinking that I don't really want to do > >>> for a configuration with no users). > >>> > >>>> Or switching to GFP_KERNEL? > >>> > >>> ... Oh, that's a nice idea though :) > >> > >> GFP_USER if anything :) > > > > Right. > > > >> > >> But still with kmap() and friends not being an NOP the promise "kernel does > >> not map this memory" does not hold. > >> > >> I think that keeping SECRETMEM and HIGHMEM mutually exclusive is > >> conceptually correct. > > > > We could even limit it to 64BIT ;) > > I fear this in limbo, we have quite a wide range of opinions from "fix > the broken configuration" all the way to "disable secretmem completely on > 32bit". I'm not passionately committed to any one answer but I do think > we need to pick something. > > Mike's position seems to be roughly "in the middle" of the spectrum, and Right :) Supporting 32-bit without HIGHMEM is easy, so I don't think we should limit it to 64BIT at this point. > (conveniently for me) happens to align with what I did in the [PATCH]. > So... could we go ahead with this? -- Sincerely yours, Mike.