Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp7425884rwb; Wed, 23 Nov 2022 06:26:40 -0800 (PST) X-Google-Smtp-Source: AA0mqf4a2/UgxeDtKgmKQOCrw3GzaE2/GiQ2gz6CFd1NhaOao+kh7vNRWkLNAssGM4gMSsj9Ey7T X-Received: by 2002:a17:902:d0d3:b0:186:f1b6:c3dd with SMTP id n19-20020a170902d0d300b00186f1b6c3ddmr21068197pln.20.1669213600511; Wed, 23 Nov 2022 06:26:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669213600; cv=none; d=google.com; s=arc-20160816; b=JlLfXs7+mpK7Ftc7ndSK5+L1Z//7qMARfWGrRakSgj6gQpz6l1FUH9VAaHtERtMOB5 ExJG5NJ/VoCPykJrsOBIojWsUW/MdmK8Y5n4GxCrVh0NYsVROJ9d1LntfFwkjw0EPhpc g9xz6L5fADYLAeOY3v8Y0kFBYaNUKbMMKWSiuWzX/zKy7mGc03zuMsTZLXf+MP7K/PEV /lLSUdFgj8XkMoCAZ0cbs8wE18aVpHfEi+FzKAnJVWnQ3iJKETGYHToxJ8lA/gZyz4/+ SGkUKg3x0uIPL7chZtFxTb6IBFY7B53jyKkdr4vVqS8Wqaycm45o5tJQ9pjvQx/li78L 8ZZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature:dkim-signature; bh=xkYuuxe82E2nL0DoU4uOiZuona551nVAHZBpMme8S88=; b=BOlcIpca2be86XyoFEeDkf/G4DsHe3KzZz4QVq4gMeguMJglvOZv2rc4kO6rdBocti wshId8gAU9TgiyPlNS8spDUMFaB6Oord/ftURzH5JWRfyz05QCovb6brLaOgD3s6B0zX qrkZIdyayOkcQAHyYnJHvCWVNML6/47K0FXviXsrP7oeRtu4ioo8z4F0ylyAFmLlrsuW cXmjgopQm4YYEZtyBvvagC5CM+ejV0hrDWcQLXzRrEfSKuO4iW8uQpBCTseIvVFYpBzc GQ+XkPlJOAecKA1ul541wT+6VUcDNPmRrRTm91YOnucIrUQGncv2/j9oE1b8ktA/1OjA rAtQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=JH1NjfeA; dkim=neutral (no key) header.i=@suse.cz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id nb12-20020a17090b35cc00b00213b6c822acsi1691183pjb.167.2022.11.23.06.26.17; Wed, 23 Nov 2022 06:26:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=JH1NjfeA; dkim=neutral (no key) header.i=@suse.cz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238506AbiKWOXs (ORCPT + 89 others); Wed, 23 Nov 2022 09:23:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45056 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236362AbiKWOXU (ORCPT ); Wed, 23 Nov 2022 09:23:20 -0500 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5D3522715 for ; Wed, 23 Nov 2022 06:23:17 -0800 (PST) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 0B9FA1F8B4; Wed, 23 Nov 2022 14:23:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1669213396; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xkYuuxe82E2nL0DoU4uOiZuona551nVAHZBpMme8S88=; b=JH1NjfeAKELxkNE50nWUQMpw//bOTdBco2EuPYXN9XjqQw01ZlpNEfsaC028lWgrsW89km CE+BaxDJm9JVD7U+V2YYAUd/8iOBH7nA792+WxfuW37kycavHyj0Ezoo7Fn0RtWXECg5jE AuPMEC/BMN28z3jfn/8NXVs3NQ95+dY= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1669213396; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xkYuuxe82E2nL0DoU4uOiZuona551nVAHZBpMme8S88=; b=dpMBHBX3ivPjCMXkVacbOS3ougIrXzDPfGhuBPgOdmRH0TyIO4a7Q4rjycfMwz0RMWjHlJ 7i5qFq5AZL0Q6ICA== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id CA34A13AE7; Wed, 23 Nov 2022 14:23:15 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id ko6fMNMsfmNIIAAAMHmgww (envelope-from ); Wed, 23 Nov 2022 14:23:15 +0000 Message-ID: <0058169a-1659-7ab1-edff-de9ebadcf236@suse.cz> Date: Wed, 23 Nov 2022 15:23:15 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 Subject: Re: [PATCH 01/12] mm, slab: ignore hardened usercopy parameters when disabled Content-Language: en-US To: Kees Cook , Christoph Lameter , David Rientjes , Joonsoo Kim , Pekka Enberg Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>, Roman Gushchin , Andrew Morton , Linus Torvalds , Matthew Wilcox , patches@lists.linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Kees Cook References: <20221121171202.22080-1-vbabka@suse.cz> <20221121171202.22080-2-vbabka@suse.cz> <206E0154-63A6-45CF-8E19-BD01B35AEF0B@kernel.org> From: Vlastimil Babka In-Reply-To: <206E0154-63A6-45CF-8E19-BD01B35AEF0B@kernel.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/21/22 22:35, Kees Cook wrote: > On November 21, 2022 9:11:51 AM PST, Vlastimil Babka wrote: >>With CONFIG_HARDENED_USERCOPY not enabled, there are no >>__check_heap_object() checks happening that would use the kmem_cache >>useroffset and usersize fields. Yet the fields are still initialized, >>preventing merging of otherwise compatible caches. Thus ignore the >>values passed to cache creation and leave them zero when >>CONFIG_HARDENED_USERCOPY is disabled. >> >>In a quick virtme boot test, this has reduced the number of caches in >>/proc/slabinfo from 131 to 111. >> >>Cc: Kees Cook >>Signed-off-by: Vlastimil Babka >>--- >> mm/slab_common.c | 6 +++++- >> 1 file changed, 5 insertions(+), 1 deletion(-) >> >>diff --git a/mm/slab_common.c b/mm/slab_common.c >>index 0042fb2730d1..a8cb5de255fc 100644 >>--- a/mm/slab_common.c >>+++ b/mm/slab_common.c >>@@ -317,7 +317,8 @@ kmem_cache_create_usercopy(const char *name, >> flags &= CACHE_CREATE_MASK; >> >> /* Fail closed on bad usersize of useroffset values. */ >>- if (WARN_ON(!usersize && useroffset) || >>+ if (!IS_ENABLED(CONFIG_HARDENED_USERCOPY) || >>+ WARN_ON(!usersize && useroffset) || >> WARN_ON(size < usersize || size - usersize < useroffset)) >> usersize = useroffset = 0; >> >>@@ -640,6 +641,9 @@ void __init create_boot_cache(struct kmem_cache *s, const char *name, >> align = max(align, size); >> s->align = calculate_alignment(flags, align, size); >> >>+ if (!IS_ENABLED(CONFIG_HARDENED_USERCOPY)) >>+ useroffset = usersize = 0; >>+ >> s->useroffset = useroffset; >> s->usersize = usersize; >> > > "Always non-mergeable" is intentional here, but I do see the argument > for not doing it under hardened-usercopy. > > That said, if you keep this part, maybe go the full step and ifdef away > useroffset/usersize's struct member definition and other logic, especially > for SLUB_TINY benefits, so 2 ulongs are dropped from the cache struct? Okay, probably won't make much difference in practice, but for consistency... ----8<---- From 3cdb7b6ad16a9d95603b482969fa870f996ac9dc Mon Sep 17 00:00:00 2001 From: Vlastimil Babka Date: Wed, 16 Nov 2022 15:56:32 +0100 Subject: [PATCH] mm, slab: ignore hardened usercopy parameters when disabled With CONFIG_HARDENED_USERCOPY not enabled, there are no __check_heap_object() checks happening that would use the struct kmem_cache useroffset and usersize fields. Yet the fields are still initialized, preventing merging of otherwise compatible caches. Also the fields contribute to struct kmem_cache size unnecessarily when unused. Thus #ifdef them out completely when CONFIG_HARDENED_USERCOPY is disabled. In a quick virtme boot test, this has reduced the number of caches in /proc/slabinfo from 131 to 111. Cc: Kees Cook Signed-off-by: Vlastimil Babka --- include/linux/slab_def.h | 2 ++ include/linux/slub_def.h | 2 ++ mm/slab.h | 2 -- mm/slab_common.c | 9 ++++++++- mm/slub.c | 4 ++++ 5 files changed, 16 insertions(+), 3 deletions(-) diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h index f0ffad6a3365..5834bad8ad78 100644 --- a/include/linux/slab_def.h +++ b/include/linux/slab_def.h @@ -80,8 +80,10 @@ struct kmem_cache { unsigned int *random_seq; #endif +#ifdef CONFIG_HARDENED_USERCOPY unsigned int useroffset; /* Usercopy region offset */ unsigned int usersize; /* Usercopy region size */ +#endif struct kmem_cache_node *node[MAX_NUMNODES]; }; diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h index f9c68a9dac04..7ed5e455cbf4 100644 --- a/include/linux/slub_def.h +++ b/include/linux/slub_def.h @@ -136,8 +136,10 @@ struct kmem_cache { struct kasan_cache kasan_info; #endif +#ifdef CONFIG_HARDENED_USERCOPY unsigned int useroffset; /* Usercopy region offset */ unsigned int usersize; /* Usercopy region size */ +#endif struct kmem_cache_node *node[MAX_NUMNODES]; }; diff --git a/mm/slab.h b/mm/slab.h index 0202a8c2f0d2..db9a7984e22e 100644 --- a/mm/slab.h +++ b/mm/slab.h @@ -207,8 +207,6 @@ struct kmem_cache { unsigned int size; /* The aligned/padded/added on size */ unsigned int align; /* Alignment as calculated */ slab_flags_t flags; /* Active flags on the slab */ - unsigned int useroffset;/* Usercopy region offset */ - unsigned int usersize; /* Usercopy region size */ const char *name; /* Slab name for sysfs */ int refcount; /* Use counter */ void (*ctor)(void *); /* Called on object slot creation */ diff --git a/mm/slab_common.c b/mm/slab_common.c index 0042fb2730d1..4339c839a452 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -143,8 +143,10 @@ int slab_unmergeable(struct kmem_cache *s) if (s->ctor) return 1; +#ifdef CONFIG_HARDENED_USERCOPY if (s->usersize) return 1; +#endif /* * We may have set a slab to be unmergeable during bootstrap. @@ -223,8 +225,10 @@ static struct kmem_cache *create_cache(const char *name, s->size = s->object_size = object_size; s->align = align; s->ctor = ctor; +#ifdef CONFIG_HARDENED_USERCOPY s->useroffset = useroffset; s->usersize = usersize; +#endif err = __kmem_cache_create(s, flags); if (err) @@ -317,7 +321,8 @@ kmem_cache_create_usercopy(const char *name, flags &= CACHE_CREATE_MASK; /* Fail closed on bad usersize of useroffset values. */ - if (WARN_ON(!usersize && useroffset) || + if (!IS_ENABLED(CONFIG_HARDENED_USERCOPY) || + WARN_ON(!usersize && useroffset) || WARN_ON(size < usersize || size - usersize < useroffset)) usersize = useroffset = 0; @@ -640,8 +645,10 @@ void __init create_boot_cache(struct kmem_cache *s, const char *name, align = max(align, size); s->align = calculate_alignment(flags, align, size); +#ifdef CONFIG_HARDENED_USERCOPY s->useroffset = useroffset; s->usersize = usersize; +#endif err = __kmem_cache_create(s, flags); diff --git a/mm/slub.c b/mm/slub.c index 157527d7101b..e32db8540767 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -5502,11 +5502,13 @@ static ssize_t cache_dma_show(struct kmem_cache *s, char *buf) SLAB_ATTR_RO(cache_dma); #endif +#ifdef CONFIG_HARDENED_USERCOPY static ssize_t usersize_show(struct kmem_cache *s, char *buf) { return sysfs_emit(buf, "%u\n", s->usersize); } SLAB_ATTR_RO(usersize); +#endif static ssize_t destroy_by_rcu_show(struct kmem_cache *s, char *buf) { @@ -5803,7 +5805,9 @@ static struct attribute *slab_attrs[] = { #ifdef CONFIG_FAILSLAB &failslab_attr.attr, #endif +#ifdef CONFIG_HARDENED_USERCOPY &usersize_attr.attr, +#endif #ifdef CONFIG_KFENCE &skip_kfence_attr.attr, #endif -- 2.38.1