Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2879310rwb; Wed, 30 Nov 2022 12:09:31 -0800 (PST) X-Google-Smtp-Source: AA0mqf7TLWiMV47Ipu54LIYIugpEenbJk5u4Uve2eXsnh2aDplSpwR3lmYiLTVSeMHYBegeoJ2c9 X-Received: by 2002:a17:902:a989:b0:188:d4bf:dbfe with SMTP id bh9-20020a170902a98900b00188d4bfdbfemr43493785plb.31.1669838971081; Wed, 30 Nov 2022 12:09:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669838971; cv=none; d=google.com; s=arc-20160816; b=YuNBvRIU+mizaFTnQ/jExNGQcvkv9Fx55KAhe6V9pppynBqcMXt0HmfWuilljXZxpf hHuMwSwNfUjWM+MVWhc1RFmajei7jIJWnw+xO/0UjTGVUzf+uk0jiVKU6CUKhjvxku8m InJ80/hOjNUE5E8x7+jh/WLMEloKneC41t3iF9zV2al8iAt6uf7pFuKIoBOUKD0PeH1g 1+gdVVD+k7gPrxZwXtEJYOl3Ih22Aw6wyMsYBpetoEpomGrV1b15iYM8WpVjE/yWNnMa 6ZMD4Le3vtvDFviFIvUlhphtEvySIFpj1LLUy7K5gxqsU318U+7nX++fLdTICNdC5j+o 2eUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=rm61ltPf4IuMIek7hP38S0fd3od46k0u59OV/A4SUFE=; b=S8QVgpOYMKr1MoFMTlewnSTfbKnAREJuT1HSSaByG1dhKriSV/oFHA5vdhkA4vNMCr S0FqLdMZt+l1w2RjUdVZ4QHXhIL1jfymwPRL2wB4oCtDVtvptQ17PDvw+YQ2v3RM9Pdl 4j2dWC94p/QDTDTpoV2ysRlJxeO41f8Z6LYpN1HyiGsUMY8kcUJpke4V/VQWx0Ti2GyD zTHeHURhaVaDGlkdPOuWX4/k4DNNoJbJpwuYm3Ff2sP7yaL++KR943biuHJYOZCrVJv4 hjBmXYoEKcMO5fEEYlOkLF6W3TkNHmHATzmA7dVawVaxHyCxc0M+J2v90QSJ7IzoB8ob CLCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YPf0G8XJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g37-20020a631125000000b0043a93738a14si2140755pgl.167.2022.11.30.12.09.20; Wed, 30 Nov 2022 12:09:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YPf0G8XJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229704AbiK3Tvw (ORCPT + 83 others); Wed, 30 Nov 2022 14:51:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60014 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229731AbiK3Tvs (ORCPT ); Wed, 30 Nov 2022 14:51:48 -0500 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0ED9186588; Wed, 30 Nov 2022 11:51:47 -0800 (PST) Received: by mail-pl1-x62b.google.com with SMTP id d18so6949126pls.4; Wed, 30 Nov 2022 11:51:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rm61ltPf4IuMIek7hP38S0fd3od46k0u59OV/A4SUFE=; b=YPf0G8XJ72iHOC7HvWB7gUt6vwg2o+gvktb7yvputiaCaIey4xljHaDirr04vtz4nk w/kbuvDTJlraxX6CW7xM9IpLSWKiU+jd42zuI2twiV5dt9AmqgLE6nBiYTQC5hd0p3Mj NyYaNrTXkAuB+v42dOmyRgt+w4kMdLN6aoI9F/BTqbP8PT/xmvdRoWXbOc5I++Uv2qiH bQm7t259LLSxycIL8fRvm/FVyC/PbHbVLu9Bo/8LtDp7/hoei2igJRiHDSanP23h4WDG 1eHs83TWLRWjHjRaDb0H9uimCzZvnGIH89l7KHvu+kE0mGYqSbNJ27+VKISbjBQrWg78 rXAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rm61ltPf4IuMIek7hP38S0fd3od46k0u59OV/A4SUFE=; b=jEa168algQajv+s7aFiPxt40RBDgL3RpYWs2RR8B5zwoMmVrlzWkVxq7uSQHENkNsC sC5W5OV2y4oe+9zdIooAWY2EKk0N+LwbsNLSMk+zCe7zXHHHfAJ0LTrbs3F6OwIr6nRv YX+DOQwXLteULAvwrejN1ze2eazzgoskwKztNIPK0u32pl9fMcuKqsX0P/uYCF8kOFGi xSH3N8sYovRPOLTp4RQwJz/z9mdJZQtW29QDQvqMiF+4GsditJ8aBc4KX+e7JLo9kgDl /6NxZSMT/fuc+M06oOR8u07FxRr+rAUCtQYSbXXYVbvW3HyBqTkvUBpVefGtmSdgLmhN O0vw== X-Gm-Message-State: ANoB5pn9HXsMYu9NsOQxZX3ovheH/SbeQHmDUPFL8deoHtxlkgzpg0R6 4JmPq7D2sWMOI0Syah/i2g/odiXCpwgJTOarcuA= X-Received: by 2002:a17:90a:5298:b0:217:e054:9ac8 with SMTP id w24-20020a17090a529800b00217e0549ac8mr73320400pjh.246.1669837906527; Wed, 30 Nov 2022 11:51:46 -0800 (PST) MIME-Version: 1.0 References: <4c341c5609ed09ad6d52f937eeec28d142ff1f46.1669489329.git.andreyknvl@google.com> In-Reply-To: From: Andrey Konovalov Date: Wed, 30 Nov 2022 20:51:35 +0100 Message-ID: Subject: Re: [PATCH v2 1/2] kasan: allow sampling page_alloc allocations for HW_TAGS To: Marco Elver Cc: andrey.konovalov@linux.dev, "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Alexander Potapenko , Dmitry Vyukov , Andrey Ryabinin , kasan-dev@googlegroups.com, Peter Collingbourne , Evgenii Stepanov , Florian Mayer , Jann Horn , Mark Brand , netdev@vger.kernel.org, Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org .On Tue, Nov 29, 2022 at 12:30 PM Marco Elver wrote: > > On Sat, 26 Nov 2022 at 20:12, wrote: > > > > From: Andrey Konovalov > > > > Add a new boot parameter called kasan.page_alloc.sample, which makes > > Hardware Tag-Based KASAN tag only every Nth page_alloc allocation for > > allocations marked with __GFP_KASAN_SAMPLE. > > This is new - why was it decided that this is a better design? Sampling all page_alloc allocations (with the suggested frequency of 1 out of 10) effectively means that KASAN/MTE is no longer mitigation for page_alloc corruptions. The idea here was to only apply sampling to selected allocations, so that all others are still checked deterministically. However, it's hard to say whether this is critical from the security perspective. Most exploits today corrupt slab objects, not page_alloc. > This means we have to go around introducing the GFP_KASAN_SAMPLE flag > everywhere where we think it might cause a performance degradation. > > This depends on accurate benchmarks. Yet, not everyone's usecases will > be the same. I fear we might end up with marking nearly all frequent > and large page-alloc allocations with GFP_KASAN_SAMPLE. > > Is it somehow possible to make the sampling decision more automatic? > > E.g. kasan.page_alloc.sample_order -> only sample page-alloc > allocations with order greater or equal to sample_order. Hm, perhaps this could be a good middle ground between sampling all allocations and sprinkling GFP_KASAN_SAMPLE. Looking at the networking code, most multi-page data allocations are done with the order of 3 (either via PAGE_ALLOC_COSTLY_ORDER or SKB_FRAG_PAGE_ORDER). So this would be the required minimum value for kasan.page_alloc.sample_order to alleviate the performance impact for the networking workloads. I measured the number of allocations for each order from 0 to 8 during boot in my test build: 7299 867 318 206 86 8 7 5 2 So sampling with kasan.page_alloc.sample_order=3 would affect only ~7% of page_alloc allocations that happen normally, which is not bad. (Of course, if an attacker can control the size of the allocation, they can increase the order to enable sampling.) I'll do some more testing and either send a v3 with this approach or get back to this discussion. Thanks for the suggestion!