From: David Hildenbrand <david@redhat.com>
To: Jeff Xu <jeffxu@chromium.org>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>, Jann Horn <jannh@google.com>,
Pedro Falcato <pfalcato@suse.de>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Kees Cook <kees@kernel.org>,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3 2/5] mm/mseal: update madvise() logic
Date: Fri, 25 Jul 2025 00:18:31 +0200 [thread overview]
Message-ID: <1bc456a4-30ac-4e6b-8830-e7c86f113f9f@redhat.com> (raw)
In-Reply-To: <ab45d2f2-a34e-4ec7-8a49-03d166e6215a@redhat.com>
On 24.07.25 20:56, David Hildenbrand wrote:
>>
>> To summarize all the discussion points so far:
>> 1. It's questionable behavior for madvise to allow destructive
>> behavior for read-only anonymous mappings, regardless of mseal state.
> > 2. We could potentially fix point 1 within madvise itself, without>
> involving mseal, as Linus desires.
>
> IIUC: disallow madvise(MADV_DONTNEED) without PROT_WRITE.
>
> I am 99.99999% sure that that would break user case, unfortunately.
>
>> 3. Android userspace uses destructive madvise to free up RAM, but I
>> need to take a closer look at the patterns and usage to understand why
>> they do that.
>
> I am shocked that you question why they would use MADV_DONTNEED instead
> of ...
>
> > 4. We could ask applications to switch to non-destructive madvise,>
> like MADV_COLD or MADV_PAGEOUT. Or, another option is that we could
>> switch the kernel to use non-destructive madvise implicitly for
>> destructive madvise in suitable situations.
>
> ... MADV_COLD / MADV_PAGEOUT.
>
> I am also shocked that you think asking apps to switch would not make us
> break user space.
> >> 5. We could investigate more based on vma->anon_vma
>
> Or we do what sealing is supposed to do.
Sorry for the rather hard replies, I was not understanding at all what
you were getting at really.
>
> With the hope that this sealing fix here would not break user space.
Is your concern that something (in Chrome?) would be relying on
MADV_DONTNEED working in case we had a MAP_PRIVATE R/O file mapping?
Again, disallowing that completely (even without mseal()) would break
user space, I am very sure.
Whether we should allow zapping *anonymous folios* in MAP_PRIVATE R/O
file mapping is a good question, hard to tell if that would break anything.
For zapping *anonymous folios* in MAP_PRIVATE R/O anon mappings, I am
sure there are use cases around userfaultfd, I'm afraid ...
--
Cheers,
David / dhildenb
next prev parent reply other threads:[~2025-07-24 22:18 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-16 17:38 [PATCH v3 0/5] mseal cleanups, fixup MAP_PRIVATE file-backed case Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 1/5] mm/mseal: always define VM_SEALED Lorenzo Stoakes
2025-07-24 18:34 ` Jeff Xu
2025-07-24 18:44 ` Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 2/5] mm/mseal: update madvise() logic Lorenzo Stoakes
2025-07-24 18:39 ` Jeff Xu
2025-07-24 18:56 ` David Hildenbrand
2025-07-24 22:18 ` David Hildenbrand [this message]
2025-07-24 19:07 ` Lorenzo Stoakes
2025-07-24 21:53 ` David Hildenbrand
2025-07-25 6:17 ` Lorenzo Stoakes
2025-07-25 16:22 ` Jeff Xu
2025-07-24 21:15 ` Kees Cook
2025-07-24 21:32 ` David Hildenbrand
2025-07-24 21:41 ` David Hildenbrand
2025-07-24 22:29 ` Kees Cook
2025-07-24 22:47 ` David Hildenbrand
2025-07-25 7:41 ` David Hildenbrand
2025-07-25 5:49 ` Lorenzo Stoakes
2025-07-25 16:21 ` Jeff Xu
2025-07-24 22:12 ` David Hildenbrand
2025-07-25 7:01 ` Lorenzo Stoakes
2025-07-25 7:38 ` David Hildenbrand
2025-07-25 8:53 ` Lorenzo Stoakes
2025-07-25 9:46 ` David Hildenbrand
2025-07-25 10:05 ` Lorenzo Stoakes
2025-07-25 10:10 ` David Hildenbrand
2025-07-25 10:17 ` Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 3/5] mm/mseal: small cleanups Lorenzo Stoakes
2025-07-24 18:40 ` Jeff Xu
2025-07-16 17:38 ` [PATCH v3 4/5] mm/mseal: Simplify and rename VMA gap check Lorenzo Stoakes
2025-07-24 18:40 ` Jeff Xu
2025-07-25 5:33 ` Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 5/5] mm/mseal: rework mseal apply logic Lorenzo Stoakes
2025-07-24 18:41 ` Jeff Xu
2025-07-24 18:32 ` [PATCH v3 0/5] mseal cleanups, fixup MAP_PRIVATE file-backed case Jeff Xu
2025-07-24 19:10 ` Lorenzo Stoakes
2025-07-25 6:40 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1bc456a4-30ac-4e6b-8830-e7c86f113f9f@redhat.com \
--to=david@redhat.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=pfalcato@suse.de \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).