Received: by 2002:ab2:7903:0:b0:1fb:b500:807b with SMTP id a3csp1256951lqj; Mon, 3 Jun 2024 15:45:44 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVTlf9EEZ2XyVXx4kMQjQFXMN4Ut30n9hrYB6rIzlZxvd5EAlyHNr/nVSpCH14+R/JX9Mgx9ZmFZvAD5q9G4ml6NAifYYOwPQeE95s3Gw== X-Google-Smtp-Source: AGHT+IHavdP/R+YvRu88ueuzsI+fUjEH0m3rhaqblVD0AcU1kmF8NaisYpOjhH63e8qIL13SCHkw X-Received: by 2002:a05:6a20:a11d:b0:1a9:7afc:591c with SMTP id adf61e73a8af0-1b26f0ec401mr13420037637.10.1717454744076; Mon, 03 Jun 2024 15:45:44 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717454744; cv=pass; d=google.com; s=arc-20160816; b=vUzefNYF6zhq0NxLFMNzNCe7w/1KcBAy6heIG1az3qzmPMQMFkYuR8BagfNETt2Xcm bzyox3Cy6XO+Shaxbt4S3HUhZVCeK895Nrr8Kma7wMw26AIcjfANwQVMOYIOSOD05EJ0 4+Z9+VpMH3C5ofpsCWqy6npFYdcuA+MO94yY9FmuhUay+kVox+9jqDvINUqRZOL0W7JH QMie/Y9UynROEKoklgYu+msZUnEYClByRFG+486/P1FYmMQkmKwZRivumcP+DcdKhYL8 6c5wW2mGME//cpzxnxA5wvxHMl/15juI17mKpaubCjwKIhi1ErDosEKPcN24C2AhoPoU 5PnA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=uOXMQm/UktL0k9I+3N/OMLbkAgdsnbLga+CYwzgS0qE=; fh=SX/hq+46JmzPmpJjCi8S10enTN6wuKgPTBFqEznjVzU=; b=R8bIJdWpuY6+rbceDH336Lw7lDO4A3H2KtDIjcnaC58ljplBUvZQXYfOKhPYFNKMjq +9jTd9c61KbzLU6tXIGRXOkSFQu7YYJzUhBdJrRPZYC3GP8joeq4X7VfURKHaeCgzMev 2sifPxEvoxF76M0JTVjckEGUJPjxCLZgLkvbS7pD4Y/yFfe3ngoOrVIPFbmGm0xjkmNK 7yIDrhXc45BaxUgpkZwEmjyTFGPHi5tSysrlTfiStU/YUBuYbe5UXYHm6J0kyZU0oFZl QufqJIfi4F+5cL6meLV3kH1xq0TV9VA590tqQYCzleGb9/pwKwojYR2E7EkgDrngFF/o 1rTQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=LgLq+8y8; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-199793-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199793-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-6c35b40c58csi1085625a12.497.2024.06.03.15.45.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Jun 2024 15:45:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-199793-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=LgLq+8y8; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-199793-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199793-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id ABCAA288A44 for ; Mon, 3 Jun 2024 22:45:43 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 99C5C13D285; Mon, 3 Jun 2024 22:45:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="LgLq+8y8" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A1A6D13D25F; Mon, 3 Jun 2024 22:45:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717454700; cv=none; b=p3rF0cyEh0aUUywLYrnCNr8pSrMXnCtBoMZdEhHcVeuh37vISFZ9MVPuFkEee+c7s52l9y2c8928tkDhGHqjuZR+jXrF1C4kkfrQk8esB/3dKrrQs0gwfX/FjzxguMwpFpSFejqgiUMOoG9ROd6+NZ6mj6Yvl04MP8E2fisCbd4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717454700; c=relaxed/simple; bh=SS7haSNVEINimgm5/W3mtfCykszqT69zvNdWxSykOjQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=CLss/wV/rLJgZU1rrFS6/mRQ9lf9yQv4MANyl8d3+mR5GBmNSY2NVT4ulQAtzpZHUvpLO8m6ymaAWjh/fmYBXZ3R8aLLU1bj9vbwd/qOBMkMympOWuIjFB0PkhzXMA8+b+Xe6ypvv9VrK1b+/XIz6JkcyP5QKyySAoVaNR/Xsl4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=LgLq+8y8; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3A9B4C2BD10; Mon, 3 Jun 2024 22:45:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1717454700; bh=SS7haSNVEINimgm5/W3mtfCykszqT69zvNdWxSykOjQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=LgLq+8y8Z9DNbcbleJK889AVVnanG0dEtt5fKMT90XrX8yhVQXh+DJYOmUBI7RoRr 92hDsbxfH0jlFkbi+R9Sqkv2vkYfpeQWyhYTNoZnLI89Skr/P+hbBMh1M0Z0Zig+Oq gVcGlkOzJB4aP/MlGkVI9O0VFhlfk/cWGKCGNUqeYLcPQloFR9ps99dXIeZChYlhpO Al6nt2qihiHJVIwBqarO7DDgq1Zhsrl5ep4Mn0fXRPp/rivGBk43FftWgOBsrQmBUF 9bTKITNMbFRd5u+qk9Rw3US4QpdF+jLNIwZPzDCD6xEzESRlNqQpgQrpQKxGeffyUT aWai68IuOUsyQ== Date: Mon, 3 Jun 2024 15:44:59 -0700 From: Kees Cook To: Vlastimil Babka Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , jvoisin , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, linux-hardening@vger.kernel.org, "GONG, Ruiqi" , Xiu Jianfeng , Suren Baghdasaryan , Kent Overstreet , Jann Horn , Matteo Rizzo , Thomas Graf , Herbert Xu , linux-kernel@vger.kernel.org, netdev@vger.kernel.org Subject: Re: [PATCH v4 2/6] mm/slab: Plumb kmem_buckets into __do_kmalloc_node() Message-ID: <202406031539.3A465006@keescook> References: <20240531191304.it.853-kees@kernel.org> <20240531191458.987345-2-kees@kernel.org> <8c0c4af3-4782-4dbc-b413-e2f3b79c0246@suse.cz> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8c0c4af3-4782-4dbc-b413-e2f3b79c0246@suse.cz> On Mon, Jun 03, 2024 at 07:06:15PM +0200, Vlastimil Babka wrote: > On 5/31/24 9:14 PM, Kees Cook wrote: > > Introduce CONFIG_SLAB_BUCKETS which provides the infrastructure to > > support separated kmalloc buckets (in the follow kmem_buckets_create() > > patches and future codetag-based separation). Since this will provide > > a mitigation for a very common case of exploits, enable it by default. > > Are you sure? I thought there was a policy that nobody is special enough > to have stuff enabled by default. Is it worth risking Linus shouting? :) I think it's important to have this enabled given how common the exploitation methodology is and how cheap this solution is. Regardless, if you want it "default n", I can change it. > I found this too verbose and tried a different approach, in the end rewrote > everything to verify the idea works. So I'll just link to the result in git: > > https://git.kernel.org/pub/scm/linux/kernel/git/vbabka/linux.git/log/?h=slab-buckets-v4-rewrite > > It's also rebased on slab.git:slab/for-6.11/cleanups with some alloc_hooks() > cleanups that would cause conflicts otherwkse. > > But the crux of that approach is: > > /* > * These macros allow declaring a kmem_buckets * parameter alongside size, which > * can be compiled out with CONFIG_SLAB_BUCKETS=n so that a large number of call > * sites don't have to pass NULL. > */ > #ifdef CONFIG_SLAB_BUCKETS > #define DECL_BUCKET_PARAMS(_size, _b) size_t (_size), kmem_buckets *(_b) > #define PASS_BUCKET_PARAMS(_size, _b) (_size), (_b) > #define PASS_BUCKET_PARAM(_b) (_b) > #else > #define DECL_BUCKET_PARAMS(_size, _b) size_t (_size) > #define PASS_BUCKET_PARAMS(_size, _b) (_size) > #define PASS_BUCKET_PARAM(_b) NULL > #endif > > Then we have declaration e.g. > > void *__kmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), gfp_t flags, int node) > __assume_kmalloc_alignment __alloc_size(1); > > and the function is called like (from code not using buckets) > return __kmalloc_node_noprof(PASS_BUCKET_PARAMS(size, NULL), flags, node); > > or (from code using buckets) > #define kmem_buckets_alloc(_b, _size, _flags) \ > alloc_hooks(__kmalloc_node_noprof(PASS_BUCKET_PARAMS(_size, _b), _flags, NUMA_NO_NODE)) > > And implementation looks like: > > void *__kmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), gfp_t flags, int node) > { > return __do_kmalloc_node(size, PASS_BUCKET_PARAM(b), flags, node, _RET_IP_); > } > > The size param is always the first, so the __alloc_size(1) doesn't need tweaking. > size is also used in the macros even if it's never mangled, because it's easy > to pass one param instead of two, but not zero params instead of one, if we want > the ending comma not be part of the macro (which would look awkward). > > Does it look ok to you? Of course names of the macros could be tweaked. Anyway feel > free to use the branch for the followup. Hopefully this way is also compatible with > the planned codetag based followup. This looks really nice, thank you! This is well aligned with the codetag followup, which also needs to have "size" be very easy to find (to the macros can check for compile-time-constant or not). I will go work from your branch... Thanks! -Kees -- Kees Cook