Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1392053imm;
        Tue, 2 Oct 2018 07:31:32 -0700 (PDT)
X-Google-Smtp-Source: ACcGV63ksfqjNjOmfer0ESp0ymNpifB1Q1+HLouN9W8i+z0nVAMhk363lfksKN9j2Kk9QiSNfcNk
X-Received: by 2002:a65:66c9:: with SMTP id c9-v6mr14544691pgw.55.1538490691975;
        Tue, 02 Oct 2018 07:31:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538490691; cv=none;
        d=google.com; s=arc-20160816;
        b=F8tYi1eRBIS6Z5qXAVpTgHXHFZer0qKThkxjeZjSx1kvlDrkDobDEs1/yLTCJVy654
         0HSsvq0J4MiN/bx8PROD8IOvbD+E0kj5yvHdN1bp6OmoGMMweYTfsspSD/tpWUcFH6jy
         SaVRYEkSSLUooldxf0cK8S1D6nk0uDmzglgs5m7VbxUEQ1MsSQw4FKcl+3M1wYw8/oNM
         VpN6m+qYMhHYKLOAmHrJrE4sIxjpaY+/LxSzWY8AstdW85Uf7ZafOhtCl5wDNaPfKEoN
         rArHqAAxXs4xyD7mQA5SqvuyTKDDVecALqy4OgpI5FabCIkSDm6CbyWg6VDU9eh12Vw3
         vHIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=675h5TTfZfW8p9s7ukWTxgK7ZfeS4LbAAzyqnzx3ePY=;
        b=iSw4iOKJ8dKLMyo7Bbnnt8SRszJgk/u7MIMzl5behceqjiVShxGRkAHrQehIFRkZGJ
         rPMPvrNN2Od5K2B3ctRhfZt+ZpxST7qsLyq9xhJc6dDlGbPR5u59HTVi/v0jMc34UkV6
         5TceEAQK6C40yQBqSs/Lh62lcTlsiMI0sVDHBi8BOrkM1H8TMM6OpUkERoBhKnEkNhqN
         VOvdV0LzzAv/yfijlEAQONJOC0JhcXhx7OoqXHQ8cA7ElRVjUnlBf86ain1KnRwzxosh
         4OS5KCRcKa/Fhl1+oyfDGMoSXy9B7ie9r8n91deQc51jOrbImiyOTk9ypvpSzZyMLFca
         e9YA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d18-v6si17807104plj.82.2018.10.02.07.31.17;
        Tue, 02 Oct 2018 07:31:31 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728399AbeJBVOB (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Tue, 2 Oct 2018 17:14:01 -0400
Received: from mx2.suse.de ([195.135.220.15]:58326 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726118AbeJBVOB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 2 Oct 2018 17:14:01 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (unknown [195.135.220.254])
        by mx1.suse.de (Postfix) with ESMTP id DA2DFAF68;
        Tue,  2 Oct 2018 14:30:19 +0000 (UTC)
Date:   Tue, 2 Oct 2018 16:30:15 +0200
From:   Michal Hocko <mhocko@kernel.org>
To:     Dan Williams <dan.j.williams@intel.com>
Cc:     akpm@linux-foundation.org,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Kees Cook <keescook@chromium.org>, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3] mm: Randomize free memory
Message-ID: <20181002143015.GX18290@dhcp22.suse.cz>
References: <153702858249.1603922.12913911825267831671.stgit@dwillia2-desk3.amr.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <153702858249.1603922.12913911825267831671.stgit@dwillia2-desk3.amr.corp.intel.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat 15-09-18 09:23:02, Dan Williams wrote:
> Data exfiltration attacks via speculative execution and
> return-oriented-programming attacks rely on the ability to infer the
> location of sensitive data objects. The kernel page allocator, has
> predictable first-in-first-out behavior for physical pages. Pages are
> freed in physical address order when first onlined. There are also
> mechanisms like CMA that can free large contiguous areas at once
> increasing the predictability of allocations in physical memory.
> 
> In addition to the security implications this randomization also
> stabilizes the average performance of direct-mapped memory-side caches.
> This includes memory-side caches like the one on the Knights Landing
> processor and those generally described by the ACPI HMAT (Heterogeneous
> Memory Attributes Table [1]). Cache conflicts are spread over a random
> distribution rather than localized.
> 
> Given the performance sensitivity of the page allocator this
> randomization is only performed for MAX_ORDER (4MB by default) pages. A
> kernel parameter, page_alloc.shuffle_page_order, is included to change
> the page size where randomization occurs.

I have only glanced through the implementation. The boot allocator part
seems unexpectedly too large but I haven't tried to actually think about
simplification.

It is the more general idea that I am not really sure about. First of
all. Does it make _any_ sense to randomize 4MB blocks by default? Why
cannot we simply have it disabled? Then and more concerning question is,
does it even make sense to have this randomization applied to higher
orders than 0? Attacker might fragment the memory and keep recycling the
lowest order and get the predictable behavior that we have right now.
-- 
Michal Hocko
SUSE Labs