Re: RFC: Memory protection in modules (stability)

Floody (
Tue, 1 Apr 1997 21:08:36 -0500 (EST)


On Tue, 1 Apr 1997, Fabio Olive Leite wrote:

> Hi there,


> Linux already has a micro-kernel-like design, considering the module
> support. People say "Hey, Mach is so cool 'cause I can debug a filesystem
> driver without rebooting". We already have an answer for that with all
> that wonderful module stuff.
> And we even don't have the context switching/message passing overhead, as
> modules are dinamically linked to the running kernel. The problem is that,
> AFAIK, modules can access kmem directly, and thus a buggy net card module
> can suddenly overwrite VFS code, or something else. That doesn't happen on
> micro-kernels, 'cause things run on userspace.
> The question is, is it feasible to have memory protection on modules? How
> would that be? That would be kind of a context switch inside the kernel, I
> think. But it would get Linux _much_ more stable, and we would be able to
> say exactly why it is so good.

I have had thoughts along the same line. It would be interesting to have
modules run in ring 1 (if I am correct, kernel runs in ring 0 and user in
ring 3 at the moment on x86). Protection level 1 would offer more
protection than running back to back with kernel, and would allow for
nifty whiz-bang things like module watching/tracing and sophisticated

The tradeoff (isn't there always one) is performance; and it's a BIG
tradeoff. In a theoretical world, if you ran Linux as close to
micro-kernel as possible with all drivers at a different protection level,
the overall system performance would drop like a rock. Those ring context
switchs are *expensive*, and when you have to hit your SCSI driver
thousands of times a second, ... ouch ... I'm not sure what the actual
numbers would be, but I would guess 25% or more performance loss.

Netware 4 had an interesting option with it's NLM (Netware Loadable
Modules), wherein you could choose to run an NLM in a higher protection
level, for safety/development purposes. Once you had fully (or as fully
as possible) verified it's safety, you could load it back into ring 0 to
achieve full performance. There is some interesting hack value, and
possible real-world value too, to implement this under Linux. Big project

+ -- Finger: for my PGP public key -- +

Version: 2.6.2