Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp404348ybi; Thu, 30 May 2019 00:03:09 -0700 (PDT) X-Google-Smtp-Source: APXvYqyLJdWIuiPLeojc/DV17gPKnyJhN/RmeMNExacg32vn/eo3YOg24eKujRn93z9CxEfXkiLY X-Received: by 2002:a62:2643:: with SMTP id m64mr2241715pfm.46.1559199789274; Thu, 30 May 2019 00:03:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559199789; cv=none; d=google.com; s=arc-20160816; b=RpzC09eaXe7ZtMMfEgJVzHyJlWu3pMN/9nAyKcNEOYr7SLuVCxKw35pD1A+tQ/Sdqw wsG8RZ8hWu9zK+YmZ3ALalIkRlwXV6Xb6P+kcnEL0P/B71eXGABdBrOexecnktEdXJNt Dxcx8lDmLMU2QKxQSyiHNNwP6UmQ2ubLhGyCxz0iujtSk2sgGYpllQItpsQalvmePAeE xK0ceEx1oBdFoosu6iP/aIb5AO+kHnySkQK5owTX1wGda/h3a0GpC/5KhJtf2728MetH 8jnaibgMpkqOTi3jQcgvuLab6Ymkq4/BZ00kRVLXSHqkkwWyr1K8XQBOB39BPmtZgfNR ojaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Q1AVZODHTXqoipQTcM+k2pyJLkPC3ogLcgg1avCL8ws=; b=dhS1g0tAIbyFYb61FQm2t+W1B4hFEzbGKZ+a/i7+r2K/Q8TUW92ltvyIh3lOgLgLwE YCOVzciK8o14WAB051bQh44SxWDh9RwRKCRp8XkCpYEf+mqRBkT4MzMPNMgos/n7SPNa 7Jq89TeLAH8/HtAoUxZ656RYt4c0EhCnfYDo1RQgB8CqFJCSc2Fxo3UF8ZcUNGxSxNXp 3KfuYy8/TFNWRJTknYZjGfAGK4OqDIIEQ6Wjg7k7g/ooOappmwAsEjpJhMyHxHQEDMrA xS2FuKyOULmRGJ3DG2Hf37VSqjx4mPMoaSVhQFyy97Cjau31wn9pP0kmtxGUej/7j1sV S0AA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uBMZGMO+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l70si2649143pjb.33.2019.05.30.00.02.51; Thu, 30 May 2019 00:03:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uBMZGMO+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727505AbfE3HBk (ORCPT + 99 others); Thu, 30 May 2019 03:01:40 -0400 Received: from mail-vs1-f66.google.com ([209.85.217.66]:40063 "EHLO mail-vs1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725862AbfE3HBj (ORCPT ); Thu, 30 May 2019 03:01:39 -0400 Received: by mail-vs1-f66.google.com with SMTP id c24so3723084vsp.7 for ; Thu, 30 May 2019 00:01:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q1AVZODHTXqoipQTcM+k2pyJLkPC3ogLcgg1avCL8ws=; b=uBMZGMO+qZsoCeRw3kwv3k0YCQqz0heCVI7dQyQhnaQFQ5ZilokWnv7NVtCi1n3603 KCttYxV550rM84xbifejh3+nH1PU5HGaKhHDfo3cCBBpAgZFQ2z9OjbrTQlZ10kBqCVx O3tSin/t98cyBT9WfRD0LS94HiP9OmZtTWp96r2PF7NSi/6sPt7aIH8LifQyHh2w31xY r3BGguEr91cNp35qZY4p3JjNPrz/ikziz3UjVG1t+YOTJvoTb4jE9WuAewN8N3mzn5du ViEJY/Xke/XpBKvX9oFQN+iNAZtiUawVNxC14cY8LzqVWhbOPpV233Liw+XKTdMG8Wvk GHIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q1AVZODHTXqoipQTcM+k2pyJLkPC3ogLcgg1avCL8ws=; b=PfybBJHCFGMfXmRVu8trN/5UZwW3sBlCpFM45PQP755mfYlFwlaT5yjA2yQXf6CGPH BLQockDTHeqIKNlJ+5rsz2Pbs0XPVdZ2n4OyFyVHPaYDyKV4Ju0nBRgrKEquaZxCLOug LVgrG4ATn4ovjHI7pJwCQ6HcjE12yP9ZWFpjPoh3l9Yn15vCXMphPobOvB2vns//w+4x rg1v5KMmz+28jhjMC7cUFljLiSlKKc1a6Ms/iMMZ/PAg03eWs6MPlTz2Y3i/MJXRrOod oObAsFYDrUUCT7TjvvTVCavSefxL9svWFc3g4BVZ1gt1oXvQMCbdClGyk8zoZ+POwXlL 4BxQ== X-Gm-Message-State: APjAAAXCAhL4Xe1xxY7tqXvfvgLzVkT8oe//C5qkzbiTC9Gq3WfKUcNP gsE5/MGtTtffl9x/sz9gr8EahKiqt80lA0WxTo4= X-Received: by 2002:a67:f34d:: with SMTP id p13mr1054255vsm.95.1559199698948; Thu, 30 May 2019 00:01:38 -0700 (PDT) MIME-Version: 1.0 References: <1559133448-31779-1-git-send-email-dianzhangchen0@gmail.com> <20190529162532.GG18589@dhcp22.suse.cz> <20190529174931.GH18589@dhcp22.suse.cz> <20190530062418.GB6703@dhcp22.suse.cz> In-Reply-To: <20190530062418.GB6703@dhcp22.suse.cz> From: Dianzhang Chen Date: Thu, 30 May 2019 15:01:26 +0800 Message-ID: Subject: Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab() To: Michal Hocko Cc: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, linux-mm@kvack.org, LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 30, 2019 at 2:24 PM Michal Hocko wrote: > I understand the general mechanism of spectre v1. What I was asking for > is an example of where userspace directly controls the allocation size > as this is usually bounded to an in kernel object size. I can see how > and N * sizeof(object) where N is controlled by the userspace could be > the target. But calling that out explicitly would be appreciated. In the syscall call poll, the user can control the `nfds`, when call the function `do_sys_poll` it can pass the nfds to function `do_sys_poll`, and pass to variable `len`, although there exit compare instruction llike `len = min_t(unsigned int, nfds, N_STACK_PPS)`, `len = min(todo, POLLFD_PER_PAGE);`, but it can also bypass by speculation, as the speculation windows are large, and in the next `size = sizeof(struct poll_list) + sizeof(struct pollfd) * len`, which can indirect control the size. > Please mention that in the changelog as well. ok, thanks for suggestion.