Date: Fri, 24 May 2024 10:54:58 -0400
From: Kent Overstreet
To: Kees Cook
Cc: Vlastimil Babka, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, "GONG, Ruiqi", Xiu Jianfeng, Suren Baghdasaryan, Jann Horn, Matteo Rizzo, Thomas Graf, Herbert Xu, julien.voisin@dustri.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3 0/6] slab: Introduce dedicated bucket allocator
Message-ID: <7nonr2cucww7j55kresncgt23pvgt3pmnfukqpnqblk3fmtfdl@ewhqe3ylioz2>
In-Reply-To: <20240424213019.make.366-kees@kernel.org>

On Wed, Apr 24, 2024 at 02:40:57PM -0700, Kees Cook wrote:
> Hi,
>
> Series change history:
>
> v3:
> - clarify rationale and purpose in commit log
> - rebase to -next (CONFIG_CODE_TAGGING)
> - simplify calling styles and split out bucket plumbing more cleanly
> - consolidate kmem_buckets_*() family introduction patches
> v2: https://lore.kernel.org/lkml/20240305100933.it.923-kees@kernel.org/
> v1: https://lore.kernel.org/lkml/20240304184252.work.496-kees@kernel.org/
>
> For the cover letter, I'm repeating the commit log for patch 4 here, which has
> additional clarifications and rationale since v2:
>
> Dedicated caches are available for fixed size allocations via
> kmem_cache_alloc(), but for dynamically sized allocations there is only
> the global kmalloc API's set of buckets available. This means it isn't
> possible to separate specific sets of dynamically sized allocations into
> a separate collection of caches.
>
> This leads to a use-after-free exploitation weakness in the Linux
> kernel since many heap memory spraying/grooming attacks depend on using
> userspace-controllable dynamically sized allocations to collide with
> fixed size allocations that end up in the same cache.

This is going to increase internal fragmentation in the slab allocator, so
we're going to need better, more visible numbers on the amount of memory
stranded thusly, so users can easily see the effect this has.

Please also document this effect and point users in the documentation where
to check, so that we devs can get feedback on this.
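Added example, not part of the thread and not the series' kmem_buckets code: a userspace C model of kmalloc size-class bucketing. It shows the collision the cover letter describes (a 104-byte fixed-size object and a 100-byte userspace-chosen allocation both round up into the 128-byte class, so the spray can reuse the victim's slot) and, once the fixed-size objects move to their own bucket set, the extra page that becomes stranded, which is the fragmentation cost Kent asks to have measured and documented. The size classes and 4096-byte page are assumed x86-64 defaults; the bucket_set accounting, the 104/100-byte sizes and the 10+10 workload are constructed for the model.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

/* Generic kmalloc size classes (assumption: x86-64 default configuration). */
static const size_t kmalloc_classes[] = {
    8, 16, 32, 64, 96, 128, 192, 256, 512, 1024, 2048, 4096, 8192
};
#define NCLASSES (sizeof(kmalloc_classes) / sizeof(kmalloc_classes[0]))

/* Constructed sizes: a fixed-size kernel object and a userspace-chosen
 * message length that rounds up into the same 128-byte class. */
#define VICTIM_SIZE 104
#define SPRAY_SIZE  100

/* Index of the smallest size class that holds `size` bytes, or -1 if none. */
int kmalloc_class_for(size_t size)
{
    for (size_t i = 0; i < NCLASSES; i++)
        if (size <= kmalloc_classes[i])
            return (int)i;
    return -1;
}

/* One set of buckets: the global kmalloc set or a dedicated per-subsystem
 * set. Per class we count live objects and the bytes callers actually
 * requested, which is what fragmentation is measured against. */
struct bucket_set {
    unsigned long objs[NCLASSES];
    unsigned long requested[NCLASSES];
};

/* Model of a dynamically sized allocation from a bucket set: account the
 * request under its size class and return the class, or -1 if oversize. */
int bucket_alloc(struct bucket_set *b, size_t size)
{
    int c = kmalloc_class_for(size);
    if (c < 0)
        return -1;
    b->objs[c]++;
    b->requested[c] += size;
    return c;
}

/* Two allocations can reuse each other's slots (the UAF spray precondition)
 * only when they come from the same bucket set and the same size class. */
int can_collide(const struct bucket_set *a, size_t sa,
                const struct bucket_set *b, size_t sb)
{
    return a == b && kmalloc_class_for(sa) == kmalloc_class_for(sb);
}

/* Pages pinned by a set: each non-empty class occupies whole pages. */
unsigned long bucket_pages(const struct bucket_set *b)
{
    unsigned long pages = 0;
    for (size_t i = 0; i < NCLASSES; i++) {
        unsigned long bytes = b->objs[i] * kmalloc_classes[i];
        pages += (bytes + PAGE_SIZE - 1) / PAGE_SIZE;
    }
    return pages;
}

/* Stranded bytes: memory pinned by the set minus what callers asked for. */
unsigned long bucket_stranded(const struct bucket_set *b)
{
    unsigned long requested = 0;
    for (size_t i = 0; i < NCLASSES; i++)
        requested += b->requested[i];
    return bucket_pages(b) * PAGE_SIZE - requested;
}

struct scenario_result {
    int collides;           /* can a spray object land in a victim's slot? */
    unsigned long pages;    /* pages pinned across both sets */
    unsigned long stranded; /* bytes stranded across both sets */
};

/* Constructed workload: 10 victim objects and 10 sprays. With dedicated=0
 * everything goes through the global set; with dedicated=1 the victims get
 * their own bucket set, as the series allows for a subsystem. */
struct scenario_result run_scenario(int dedicated)
{
    struct bucket_set global = { {0}, {0} };
    struct bucket_set own = { {0}, {0} };
    struct bucket_set *victim_set = dedicated ? &own : &global;
    struct scenario_result r;

    for (int i = 0; i < 10; i++) {
        bucket_alloc(victim_set, VICTIM_SIZE);
        bucket_alloc(&global, SPRAY_SIZE);
    }
    r.collides = can_collide(victim_set, VICTIM_SIZE, &global, SPRAY_SIZE);
    r.pages = bucket_pages(&global) + bucket_pages(&own);
    r.stranded = bucket_stranded(&global) + bucket_stranded(&own);
    return r;
}

int main(void)
{
    for (int dedicated = 0; dedicated <= 1; dedicated++) {
        struct scenario_result r = run_scenario(dedicated);
        printf("%s buckets: collide=%d pages=%lu stranded=%lu bytes\n",
               dedicated ? "dedicated" : "global",
               r.collides, r.pages, r.stranded);
    }
    return 0;
}
```

With the global set, 20 objects of the 128-byte class fit in one page and the spray can collide with the victim; with a dedicated set the collision is gone but the same 20 objects pin two pages, so the stranded total grows from 2056 to 6152 bytes. A per-bucket-set count of this kind (objects, requested bytes, pinned pages) is the sort of number that would need to be exposed for users to see the fragmentation cost.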