From: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Date: Wed, 17 May 2023 07:35:57 +0900
Subject: Re: [PATCH RFC v2] Randomized slab caches for kmalloc()
To: Gong Ruiqi
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Alexander Lobakin, kasan-dev@googlegroups.com, Wang Weiyang, Xiu Jianfeng, Vlastimil Babka, Christoph Lameter, David Rientjes, Roman Gushchin, Joonsoo Kim, Andrew Morton, Pekka Enberg, Kees Cook, Paul Moore, James Morris, "Serge E. Hallyn", "Gustavo A. R. Silva"
References: <20230508075507.1720950-1-gongruiqi1@huawei.com> <5f5a858a-7017-5424-0fa0-db3b79e5d95e@huawei.com>
In-Reply-To: <5f5a858a-7017-5424-0fa0-db3b79e5d95e@huawei.com>

[Resending this email after noticing I did not reply-to-all]

On Fri, May 12, 2023 at 7:11 PM Gong Ruiqi wrote:
>
>
>
> On 2023/05/11 2:43, Hyeonggon Yoo wrote:
> > I don't think adding a hardening feature by sacrificing one digit
> > percent performance (and additional complexity) is worth it. Heap
> > spraying can only occur when the kernel contains security
> > vulnerabilities, and if there are no known ways of performing such
> > an attack, then we would simply be paying a consistent cost.
> >
> > Any opinions from hardening folks?
>
> I did a more thorough performance test on the same machine in the same
> way, and here are the results:
>
>              sched/     sched/  syscall/  mem/       mem/
>              messaging  pipe    basic     memcpy     memset
> control1     0.019      5.459   0.733     15.258789  51.398026
> control2     0.019      5.439   0.730     16.009221  48.828125
> control3     0.019      5.282   0.735     16.009221  48.828125
> control_avg  0.019      5.393   0.733     15.759077  49.684759
>
> exp1         0.019      5.374   0.741     15.500992  46.502976
> exp2         0.019      5.440   0.746     16.276042  51.398026
> exp3         0.019      5.242   0.752     15.258789  51.398026
> exp_avg      0.019      5.352   0.746     15.678608  49.766343
>
> I believe the results show only minor differences and normal
> fluctuation, and no substantial performance degradation.
>
> As Pedro points out in his reply, unfortunately there are always
> security vulnerabilities in the kernel, which is a fact that we have to
> admit. Having a useful mitigation mechanism at the expense of a little
> performance loss would be, in my opinion, quite a good deal in many
> circumstances. And people can still choose not to have it by setting the
> config to n.

Okay, now I don't think I need to tackle it from a performance
perspective anymore, at least it looks like a good tradeoff.

I had a few design-level concerns (i.e. in ARM64 instructions are 4-byte
aligned) before switching to hash_64(^ random sequence), but looks good
to me now.

> >> +#ifdef CONFIG_RANDOM_KMALLOC_CACHES
> >> +# define SLAB_RANDOMSLAB ((slab_flags_t __force)0x01000000U)
> >> +#else
> >> +# define SLAB_RANDOMSLAB 0
> >> +#endif

There is already the SLAB_KMALLOC flag that indicates if a cache is a
kmalloc cache. I think that would be enough for preventing merging
kmalloc caches?
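
Review bot: in the quoted SLAB_RANDOMSLAB hunk, the new flag has no comment saying what it marks or which code sets and tests it, and the raw bit 0x01000000U is chosen with nothing in the visible lines showing that no other slab_flags_t flag already uses it. Add a one-line comment above the #ifdef and confirm the bit is free. Also note that with CONFIG_RANDOM_KMALLOC_CACHES off the macro is 0, so any "flags & SLAB_RANDOMSLAB" test silently evaluates false; each use site should be checked to make sure that is the intended behaviour.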
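
The design concern mentioned in the reply above (4-byte-aligned ARM64 instruction addresses versus hash_64() of the address XORed with a random value), as an added user-space example that is not code from this email or from the patch. It assumes the value being hashed is the kmalloc() call-site address and that there are 16 cache copies; the base address and seed are constructed sample values, and hash_64() here is a re-implementation of the kernel's 64-bit multiplicative hash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GOLDEN_RATIO_64 0x61C8864680B583EBull /* multiplier used by the kernel's hash_64() */
#define COPY_BITS 4                           /* assumption: 2^4 = 16 cache copies */
#define NR_COPIES (1u << COPY_BITS)
#define SAMPLE_BASE 0xffff800008000000ull     /* constructed 4-byte-aligned text address */
#define SAMPLE_SEED 0x9e3779b97f4a7c15ull     /* constructed per-boot random value */

/* User-space copy of the multiplicative hash: keep the top `bits` bits. */
static unsigned hash_64(uint64_t val, unsigned bits)
{
    return (unsigned)((val * GOLDEN_RATIO_64) >> (64 - bits));
}

/* Naive selector: low bits of (call site ^ seed). On a 4-byte-aligned ISA
 * bits 0-1 of the call site are always zero, so bits 0-1 of the index
 * are fixed by the seed alone. */
static unsigned pick_lowbits(uint64_t caller, uint64_t seed)
{
    return (unsigned)((caller ^ seed) & (NR_COPIES - 1));
}

/* Hashed selector: every input bit influences the top bits of the product. */
static unsigned pick_hashed(uint64_t caller, uint64_t seed)
{
    return hash_64(caller ^ seed, COPY_BITS);
}

/* Number of distinct copies reached by n consecutive aligned call sites. */
static unsigned copies_reached(unsigned (*pick)(uint64_t, uint64_t),
                               uint64_t base, size_t n, uint64_t seed)
{
    uint32_t seen = 0;
    unsigned count = 0;

    for (size_t i = 0; i < n; i++)
        seen |= 1u << pick(base + 4 * i, seed);
    for (; seen; seen &= seen - 1)
        count++;
    return count;
}

int main(void)
{
    printf("low bits: %u of %u copies used\n",
           copies_reached(pick_lowbits, SAMPLE_BASE, 4096, SAMPLE_SEED), NR_COPIES);
    printf("hash_64:  %u of %u copies used\n",
           copies_reached(pick_hashed, SAMPLE_BASE, 4096, SAMPLE_SEED), NR_COPIES);
    return 0;
}
```

With the low-bit selector only a quarter of the copies are ever used for a given seed, which shrinks the isolation the randomization is meant to provide; hashing first spreads aligned call sites over all copies.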