Linux Security Modules development
 help / color / mirror / Atom feed
* [PATCH 0/3] security: replace __get_free_pages() call with kmalloc()
@ 2026-05-20  8:18 Mike Rapoport (Microsoft)
  2026-05-20  8:18 ` [PATCH 1/3] selinux: use k[mz]alloc() to allocate temporary buffers Mike Rapoport (Microsoft)
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-05-20  8:18 UTC (permalink / raw)
  To: James Morris, John Johansen, Ondrej Mosnacek, Paul Moore,
	Serge E. Hallyn, Stephen Smalley
  Cc: Mike Rapoport, apparmor, selinux, linux-kernel, linux-mm,
	linux-security-module

This is a (tiny) part of larger work of replacing page allocator calls
with kmalloc:

Also in git:
https://git.kernel.org/pub/scm/linux/kernel/git/rppt/linux.git gfp-to-kmalloc/security

Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
Mike Rapoport (Microsoft) (3):
      selinux: use k[mz]alloc() to allocate temporary buffers
      selinux: hooks: use __getname() to allocate path buffer
      apparmor: replace get_zeroed_page() with kzalloc()

 security/apparmor/apparmorfs.c |  5 +++--
 security/selinux/hooks.c       |  4 ++--
 security/selinux/selinuxfs.c   | 12 ++++++------
 3 files changed, 11 insertions(+), 10 deletions(-)
---
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
change-id: 20260520-security-6cdd60da7129

Best regards,
--  
Sincerely yours,
Mike.


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH 1/3] selinux: use k[mz]alloc() to allocate temporary buffers
  2026-05-20  8:18 [PATCH 0/3] security: replace __get_free_pages() call with kmalloc() Mike Rapoport (Microsoft)
@ 2026-05-20  8:18 ` Mike Rapoport (Microsoft)
  2026-05-20  8:18 ` [PATCH 2/3] selinux: hooks: use __getname() to allocate path buffer Mike Rapoport (Microsoft)
  2026-05-20  8:18 ` [PATCH 3/3] apparmor: replace get_zeroed_page() with kzalloc() Mike Rapoport (Microsoft)
  2 siblings, 0 replies; 4+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-05-20  8:18 UTC (permalink / raw)
  To: James Morris, John Johansen, Ondrej Mosnacek, Paul Moore,
	Serge E. Hallyn, Stephen Smalley
  Cc: Mike Rapoport, apparmor, selinux, linux-kernel, linux-mm,
	linux-security-module

Several functions in selinuxfs.c allocate temporary buffers using
__get_free_page() or get_zeroed_page().

These buffers are used either to store a string generated by snprintf() (in
sel_make_bools()) or to copy data from user (sel_read_avc_hash_stats() and
sel_read_sidtab_hash_stats()).

Such usage does not require struct page access and it is better to allocate
these buffers with kzalloc()/kmalloc() that provide better scalability and
more debugging possibilities.

Replace use of get_zeroed_page() with kzalloc() and usage of
__get_free_page() with kmalloc().

Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
 security/selinux/selinuxfs.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 25ca7d714014..e7b884eedf80 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1244,7 +1244,7 @@ static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_
 	char **names, *page;
 	u32 i, num;
 
-	page = (char *)get_zeroed_page(GFP_KERNEL);
+	page = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!page)
 		return -ENOMEM;
 
@@ -1290,7 +1290,7 @@ static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_
 		ret = sel_attach_file(bool_dir, names[i], inode);
 	}
 out:
-	free_page((unsigned long)page);
+	kfree(page);
 	return ret;
 }
 
@@ -1349,14 +1349,14 @@ static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf,
 	char *page;
 	ssize_t length;
 
-	page = (char *)__get_free_page(GFP_KERNEL);
+	page = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!page)
 		return -ENOMEM;
 
 	length = avc_get_hash_stats(page);
 	if (length >= 0)
 		length = simple_read_from_buffer(buf, count, ppos, page, length);
-	free_page((unsigned long)page);
+	kfree(page);
 
 	return length;
 }
@@ -1367,7 +1367,7 @@ static ssize_t sel_read_sidtab_hash_stats(struct file *filp, char __user *buf,
 	char *page;
 	ssize_t length;
 
-	page = (char *)__get_free_page(GFP_KERNEL);
+	page = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!page)
 		return -ENOMEM;
 
@@ -1375,7 +1375,7 @@ static ssize_t sel_read_sidtab_hash_stats(struct file *filp, char __user *buf,
 	if (length >= 0)
 		length = simple_read_from_buffer(buf, count, ppos, page,
 						length);
-	free_page((unsigned long)page);
+	kfree(page);
 
 	return length;
 }

-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 2/3] selinux: hooks: use __getname() to allocate path buffer
  2026-05-20  8:18 [PATCH 0/3] security: replace __get_free_pages() call with kmalloc() Mike Rapoport (Microsoft)
  2026-05-20  8:18 ` [PATCH 1/3] selinux: use k[mz]alloc() to allocate temporary buffers Mike Rapoport (Microsoft)
@ 2026-05-20  8:18 ` Mike Rapoport (Microsoft)
  2026-05-20  8:18 ` [PATCH 3/3] apparmor: replace get_zeroed_page() with kzalloc() Mike Rapoport (Microsoft)
  2 siblings, 0 replies; 4+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-05-20  8:18 UTC (permalink / raw)
  To: James Morris, John Johansen, Ondrej Mosnacek, Paul Moore,
	Serge E. Hallyn, Stephen Smalley
  Cc: Mike Rapoport, apparmor, selinux, linux-kernel, linux-mm,
	linux-security-module

selinux_genfs_get_sid() allocates memory for a path with __get_free_page()
although there is a dedicated helper for allocation of file paths:
__getname().

Replace __get_free_page() for allocation of a path buffer with __getname().

Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
 security/selinux/hooks.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0f704380a8c8..05b84b3781e0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1336,7 +1336,7 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
 	struct super_block *sb = dentry->d_sb;
 	char *buffer, *path;
 
-	buffer = (char *)__get_free_page(GFP_KERNEL);
+	buffer = __getname();
 	if (!buffer)
 		return -ENOMEM;
 
@@ -1361,7 +1361,7 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
 			rc = 0;
 		}
 	}
-	free_page((unsigned long)buffer);
+	__putname(buffer);
 	return rc;
 }
 

-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 3/3] apparmor: replace get_zeroed_page() with kzalloc()
  2026-05-20  8:18 [PATCH 0/3] security: replace __get_free_pages() call with kmalloc() Mike Rapoport (Microsoft)
  2026-05-20  8:18 ` [PATCH 1/3] selinux: use k[mz]alloc() to allocate temporary buffers Mike Rapoport (Microsoft)
  2026-05-20  8:18 ` [PATCH 2/3] selinux: hooks: use __getname() to allocate path buffer Mike Rapoport (Microsoft)
@ 2026-05-20  8:18 ` Mike Rapoport (Microsoft)
  2 siblings, 0 replies; 4+ messages in thread
From: Mike Rapoport (Microsoft) @ 2026-05-20  8:18 UTC (permalink / raw)
  To: James Morris, John Johansen, Ondrej Mosnacek, Paul Moore,
	Serge E. Hallyn, Stephen Smalley
  Cc: Mike Rapoport, apparmor, selinux, linux-kernel, linux-mm,
	linux-security-module

multi_transaction_new() allocates memory with get_zeroed_page() and uses
it as struct multi_transaction.

The usage of that structure does not require struct page access and it is
better to allocate multi_transaction objects with kzalloc() that provides
better scalability and more debugging possibilities.

Replace use of get_zeroed_page() with kzalloc().

Link: https://lore.kernel.org/all/635405e4-9423-4a25-a6e7-e03c8ea0bcbe@redhat.com
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
---
 security/apparmor/apparmorfs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index ededaf46f3ca..e5c99c71e7ca 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -9,6 +9,7 @@
  */
 
 #include <linux/ctype.h>
+#include <linux/slab.h>
 #include <linux/security.h>
 #include <linux/vmalloc.h>
 #include <linux/init.h>
@@ -904,7 +905,7 @@ static void multi_transaction_kref(struct kref *kref)
 	struct multi_transaction *t;
 
 	t = container_of(kref, struct multi_transaction, count);
-	free_page((unsigned long) t);
+	kfree(t);
 }
 
 static struct multi_transaction *
@@ -947,7 +948,7 @@ static struct multi_transaction *multi_transaction_new(struct file *file,
 	if (size > MULTI_TRANSACTION_LIMIT - 1)
 		return ERR_PTR(-EFBIG);
 
-	t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL);
+	t = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!t)
 		return ERR_PTR(-ENOMEM);
 	kref_init(&t->count);

-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-20  8:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20  8:18 [PATCH 0/3] security: replace __get_free_pages() call with kmalloc() Mike Rapoport (Microsoft)
2026-05-20  8:18 ` [PATCH 1/3] selinux: use k[mz]alloc() to allocate temporary buffers Mike Rapoport (Microsoft)
2026-05-20  8:18 ` [PATCH 2/3] selinux: hooks: use __getname() to allocate path buffer Mike Rapoport (Microsoft)
2026-05-20  8:18 ` [PATCH 3/3] apparmor: replace get_zeroed_page() with kzalloc() Mike Rapoport (Microsoft)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox