From: Waiman Long <longman@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Mimi Zohar <zohar@linux.ibm.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org,
Sumit Garg <sumit.garg@linaro.org>,
Jerry Snitselaar <jsnitsel@redhat.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Eric Biggers <ebiggers@google.com>,
Chris von Recklinghausen <crecklin@redhat.com>
Subject: Re: [PATCH v2 2/2] KEYS: Avoid false positive ENOMEM error on key read
Date: Wed, 11 Mar 2020 15:33:54 +0000 [thread overview]
Message-ID: <7d0b0c5f-98e7-0fb6-69cd-76a31a010bcb@redhat.com> (raw)
In-Reply-To: <675400.1583860343@warthog.procyon.org.uk>
[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]
On 3/10/20 1:12 PM, David Howells wrote:
> Waiman Long <longman@redhat.com> wrote:
>
>> That is not as simple as I thought. First of that, there is not an
>> equivalent kzvfree() helper to clear the buffer first before clearing.
>> Of course, I can do that manually.
> Yeah, the actual substance of vfree() may get deferred. It may be worth
> adding a kvzfree() that switches between kzfree() and memset(),vfree().
>
>> With patch 2, the allocated buffer length will be max(1024, keylen). The
>> security code uses kmalloc() for allocation. If we use kvalloc() here,
>> perhaps we should also use that for allocation that can be potentially
>> large like that in big_key. What do you think?
> Not for big_key: if it's larger than BIG_KEY_FILE_THRESHOLD (~1KiB) it gets
> written encrypted into shmem so that it can be swapped out to disk when not in
> use.
>
> However, other cases, sure - just be aware that on a 32-bit system,
> vmalloc/vmap space is a strictly limited resource.
Attached is an additional patch to make the transition from kmalloc() to
kvmalloc(). I put the __kvzfree() helper in internal.h for now. I plan
to send a patch later to add a kvzfree() API once there is a use case in
the kernel.
I am not going to touch other places for now to make thing simpler.
Cheers,
Longman
[-- Attachment #2: v2-0003-KEYS-Use-kvmalloc-to-better-handle-large-buffer-a.patch --]
[-- Type: text/x-patch, Size: 2954 bytes --]
From e2e73e2bc0c5cd168de273b0fe9df1e5c48cd232 Mon Sep 17 00:00:00 2001
From: Waiman Long <longman@redhat.com>
Date: Wed, 11 Mar 2020 11:01:59 -0400
Subject: [PATCH v2 3/3] KEYS: Use kvmalloc() to better handle large buffer
allocation
For large multi-page temporary buffer allocation, the security/keys
subsystem don't need contiguous physical pages. It will work perfectly
fine with virtually mapped pages.
Replace the kmalloc() call by kvmalloc() and provide a __kvzfree()
helper function to clear and free the kvmalloc'ed buffer. This will
reduce the chance of memory allocation failure just because of highly
fragmented pages.
Suggested-by: David Howells <dhowells@redhat.com>
Signed-off-by: Waiman Long <longman@redhat.com>
---
security/keys/internal.h | 14 ++++++++++++++
security/keys/keyctl.c | 12 ++++++------
2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/security/keys/internal.h b/security/keys/internal.h
index ba3e2da14cef..1b6e2d66e378 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -16,6 +16,8 @@
#include <linux/keyctl.h>
#include <linux/refcount.h>
#include <linux/compat.h>
+#include <linux/mm.h>
+#include <linux/vmalloc.h>
struct iovec;
@@ -349,4 +351,16 @@ static inline void key_check(const struct key *key)
#endif
+/*
+ * Helper function to clear and free a kvmalloc'ed memory object.
+ */
+static inline void __kvzfree(const void *addr, size_t len)
+{
+ if (is_vmalloc_addr(addr)) {
+ memset((char *)addr, 0, len);
+ vfree(addr);
+ } else {
+ kzfree(addr);
+ }
+}
#endif /* _INTERNAL_H */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 662a638a680d..ca05604bc9c0 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -339,7 +339,7 @@ long keyctl_update_key(key_serial_t id,
payload = NULL;
if (plen) {
ret = -ENOMEM;
- payload = kmalloc(plen, GFP_KERNEL);
+ payload = kvmalloc(plen, GFP_KERNEL);
if (!payload)
goto error;
@@ -360,7 +360,7 @@ long keyctl_update_key(key_serial_t id,
key_ref_put(key_ref);
error2:
- kzfree(payload);
+ __kvzfree(payload, plen);
error:
return ret;
}
@@ -870,7 +870,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
*/
if (buflen && buffer && (buflen <= 0x400)) {
allocbuf:
- tmpbuf = kmalloc(tbuflen, GFP_KERNEL);
+ tmpbuf = kvmalloc(tbuflen, GFP_KERNEL);
if (!tmpbuf) {
ret = -ENOMEM;
goto error2;
@@ -892,9 +892,9 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
* again.
*/
if (!tmpbuf || unlikely(ret > tbuflen)) {
- tbuflen = ret;
if (unlikely(tmpbuf))
- kzfree(tmpbuf);
+ __kvzfree(tmpbuf, tbuflen);
+ tbuflen = ret;
goto allocbuf;
}
@@ -903,7 +903,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
}
if (tmpbuf)
- kzfree(tmpbuf);
+ __kvzfree(tmpbuf, tbuflen);
}
error2:
--
2.18.1
WARNING: multiple messages have this Message-ID (diff)
From: Waiman Long <longman@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Mimi Zohar <zohar@linux.ibm.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org,
Sumit Garg <sumit.garg@linaro.org>,
Jerry Snitselaar <jsnitsel@redhat.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Eric Biggers <ebiggers@google.com>,
Chris von Recklinghausen <crecklin@redhat.com>
Subject: Re: [PATCH v2 2/2] KEYS: Avoid false positive ENOMEM error on key read
Date: Wed, 11 Mar 2020 11:33:54 -0400 [thread overview]
Message-ID: <7d0b0c5f-98e7-0fb6-69cd-76a31a010bcb@redhat.com> (raw)
In-Reply-To: <675400.1583860343@warthog.procyon.org.uk>
[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]
On 3/10/20 1:12 PM, David Howells wrote:
> Waiman Long <longman@redhat.com> wrote:
>
>> That is not as simple as I thought. First of that, there is not an
>> equivalent kzvfree() helper to clear the buffer first before clearing.
>> Of course, I can do that manually.
> Yeah, the actual substance of vfree() may get deferred. It may be worth
> adding a kvzfree() that switches between kzfree() and memset(),vfree().
>
>> With patch 2, the allocated buffer length will be max(1024, keylen). The
>> security code uses kmalloc() for allocation. If we use kvalloc() here,
>> perhaps we should also use that for allocation that can be potentially
>> large like that in big_key. What do you think?
> Not for big_key: if it's larger than BIG_KEY_FILE_THRESHOLD (~1KiB) it gets
> written encrypted into shmem so that it can be swapped out to disk when not in
> use.
>
> However, other cases, sure - just be aware that on a 32-bit system,
> vmalloc/vmap space is a strictly limited resource.
Attached is an additional patch to make the transition from kmalloc() to
kvmalloc(). I put the __kvzfree() helper in internal.h for now. I plan
to send a patch later to add a kvzfree() API once there is a use case in
the kernel.
I am not going to touch other places for now to make thing simpler.
Cheers,
Longman
[-- Attachment #2: v2-0003-KEYS-Use-kvmalloc-to-better-handle-large-buffer-a.patch --]
[-- Type: text/x-patch, Size: 2954 bytes --]
From e2e73e2bc0c5cd168de273b0fe9df1e5c48cd232 Mon Sep 17 00:00:00 2001
From: Waiman Long <longman@redhat.com>
Date: Wed, 11 Mar 2020 11:01:59 -0400
Subject: [PATCH v2 3/3] KEYS: Use kvmalloc() to better handle large buffer
allocation
For large multi-page temporary buffer allocation, the security/keys
subsystem don't need contiguous physical pages. It will work perfectly
fine with virtually mapped pages.
Replace the kmalloc() call by kvmalloc() and provide a __kvzfree()
helper function to clear and free the kvmalloc'ed buffer. This will
reduce the chance of memory allocation failure just because of highly
fragmented pages.
Suggested-by: David Howells <dhowells@redhat.com>
Signed-off-by: Waiman Long <longman@redhat.com>
---
security/keys/internal.h | 14 ++++++++++++++
security/keys/keyctl.c | 12 ++++++------
2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/security/keys/internal.h b/security/keys/internal.h
index ba3e2da14cef..1b6e2d66e378 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -16,6 +16,8 @@
#include <linux/keyctl.h>
#include <linux/refcount.h>
#include <linux/compat.h>
+#include <linux/mm.h>
+#include <linux/vmalloc.h>
struct iovec;
@@ -349,4 +351,16 @@ static inline void key_check(const struct key *key)
#endif
+/*
+ * Helper function to clear and free a kvmalloc'ed memory object.
+ */
+static inline void __kvzfree(const void *addr, size_t len)
+{
+ if (is_vmalloc_addr(addr)) {
+ memset((char *)addr, 0, len);
+ vfree(addr);
+ } else {
+ kzfree(addr);
+ }
+}
#endif /* _INTERNAL_H */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 662a638a680d..ca05604bc9c0 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -339,7 +339,7 @@ long keyctl_update_key(key_serial_t id,
payload = NULL;
if (plen) {
ret = -ENOMEM;
- payload = kmalloc(plen, GFP_KERNEL);
+ payload = kvmalloc(plen, GFP_KERNEL);
if (!payload)
goto error;
@@ -360,7 +360,7 @@ long keyctl_update_key(key_serial_t id,
key_ref_put(key_ref);
error2:
- kzfree(payload);
+ __kvzfree(payload, plen);
error:
return ret;
}
@@ -870,7 +870,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
*/
if (buflen && buffer && (buflen <= 0x400)) {
allocbuf:
- tmpbuf = kmalloc(tbuflen, GFP_KERNEL);
+ tmpbuf = kvmalloc(tbuflen, GFP_KERNEL);
if (!tmpbuf) {
ret = -ENOMEM;
goto error2;
@@ -892,9 +892,9 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
* again.
*/
if (!tmpbuf || unlikely(ret > tbuflen)) {
- tbuflen = ret;
if (unlikely(tmpbuf))
- kzfree(tmpbuf);
+ __kvzfree(tmpbuf, tbuflen);
+ tbuflen = ret;
goto allocbuf;
}
@@ -903,7 +903,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
}
if (tmpbuf)
- kzfree(tmpbuf);
+ __kvzfree(tmpbuf, tbuflen);
}
error2:
--
2.18.1
WARNING: multiple messages have this Message-ID (diff)
From: Waiman Long <longman@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Mimi Zohar <zohar@linux.ibm.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org,
Sumit Garg <sumit.garg@linaro.org>,
Jerry Snitselaar <jsnitsel@redhat.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Eric Biggers <ebiggers@google.com>,
Chris von Recklinghausen <crecklin@redhat.com>
Subject: Re: [PATCH v2 2/2] KEYS: Avoid false positive ENOMEM error on key read
Date: Wed, 11 Mar 2020 11:33:54 -0400 [thread overview]
Message-ID: <7d0b0c5f-98e7-0fb6-69cd-76a31a010bcb@redhat.com> (raw)
In-Reply-To: <675400.1583860343@warthog.procyon.org.uk>
[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]
On 3/10/20 1:12 PM, David Howells wrote:
> Waiman Long <longman@redhat.com> wrote:
>
>> That is not as simple as I thought. First of that, there is not an
>> equivalent kzvfree() helper to clear the buffer first before clearing.
>> Of course, I can do that manually.
> Yeah, the actual substance of vfree() may get deferred. It may be worth
> adding a kvzfree() that switches between kzfree() and memset(),vfree().
>
>> With patch 2, the allocated buffer length will be max(1024, keylen). The
>> security code uses kmalloc() for allocation. If we use kvalloc() here,
>> perhaps we should also use that for allocation that can be potentially
>> large like that in big_key. What do you think?
> Not for big_key: if it's larger than BIG_KEY_FILE_THRESHOLD (~1KiB) it gets
> written encrypted into shmem so that it can be swapped out to disk when not in
> use.
>
> However, other cases, sure - just be aware that on a 32-bit system,
> vmalloc/vmap space is a strictly limited resource.
Attached is an additional patch to make the transition from kmalloc() to
kvmalloc(). I put the __kvzfree() helper in internal.h for now. I plan
to send a patch later to add a kvzfree() API once there is a use case in
the kernel.
I am not going to touch other places for now to make thing simpler.
Cheers,
Longman
[-- Attachment #2: v2-0003-KEYS-Use-kvmalloc-to-better-handle-large-buffer-a.patch --]
[-- Type: text/x-patch, Size: 2955 bytes --]
>From e2e73e2bc0c5cd168de273b0fe9df1e5c48cd232 Mon Sep 17 00:00:00 2001
From: Waiman Long <longman@redhat.com>
Date: Wed, 11 Mar 2020 11:01:59 -0400
Subject: [PATCH v2 3/3] KEYS: Use kvmalloc() to better handle large buffer
allocation
For large multi-page temporary buffer allocation, the security/keys
subsystem don't need contiguous physical pages. It will work perfectly
fine with virtually mapped pages.
Replace the kmalloc() call by kvmalloc() and provide a __kvzfree()
helper function to clear and free the kvmalloc'ed buffer. This will
reduce the chance of memory allocation failure just because of highly
fragmented pages.
Suggested-by: David Howells <dhowells@redhat.com>
Signed-off-by: Waiman Long <longman@redhat.com>
---
security/keys/internal.h | 14 ++++++++++++++
security/keys/keyctl.c | 12 ++++++------
2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/security/keys/internal.h b/security/keys/internal.h
index ba3e2da14cef..1b6e2d66e378 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -16,6 +16,8 @@
#include <linux/keyctl.h>
#include <linux/refcount.h>
#include <linux/compat.h>
+#include <linux/mm.h>
+#include <linux/vmalloc.h>
struct iovec;
@@ -349,4 +351,16 @@ static inline void key_check(const struct key *key)
#endif
+/*
+ * Helper function to clear and free a kvmalloc'ed memory object.
+ */
+static inline void __kvzfree(const void *addr, size_t len)
+{
+ if (is_vmalloc_addr(addr)) {
+ memset((char *)addr, 0, len);
+ vfree(addr);
+ } else {
+ kzfree(addr);
+ }
+}
#endif /* _INTERNAL_H */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 662a638a680d..ca05604bc9c0 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -339,7 +339,7 @@ long keyctl_update_key(key_serial_t id,
payload = NULL;
if (plen) {
ret = -ENOMEM;
- payload = kmalloc(plen, GFP_KERNEL);
+ payload = kvmalloc(plen, GFP_KERNEL);
if (!payload)
goto error;
@@ -360,7 +360,7 @@ long keyctl_update_key(key_serial_t id,
key_ref_put(key_ref);
error2:
- kzfree(payload);
+ __kvzfree(payload, plen);
error:
return ret;
}
@@ -870,7 +870,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
*/
if (buflen && buffer && (buflen <= 0x400)) {
allocbuf:
- tmpbuf = kmalloc(tbuflen, GFP_KERNEL);
+ tmpbuf = kvmalloc(tbuflen, GFP_KERNEL);
if (!tmpbuf) {
ret = -ENOMEM;
goto error2;
@@ -892,9 +892,9 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
* again.
*/
if (!tmpbuf || unlikely(ret > tbuflen)) {
- tbuflen = ret;
if (unlikely(tmpbuf))
- kzfree(tmpbuf);
+ __kvzfree(tmpbuf, tbuflen);
+ tbuflen = ret;
goto allocbuf;
}
@@ -903,7 +903,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
}
if (tmpbuf)
- kzfree(tmpbuf);
+ __kvzfree(tmpbuf, tbuflen);
}
error2:
--
2.18.1
next prev parent reply other threads:[~2020-03-11 15:33 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-08 17:04 [PATCH v2 0/2] KEYS: Read keys to internal buffer & then copy to userspace Waiman Long
2020-03-08 17:04 ` Waiman Long
2020-03-08 17:04 ` [PATCH v2 1/2] KEYS: Don't write out to userspace while holding key semaphore Waiman Long
2020-03-08 17:04 ` Waiman Long
2020-03-13 1:04 ` Jarkko Sakkinen
2020-03-13 1:04 ` Jarkko Sakkinen
2020-03-13 13:29 ` Waiman Long
2020-03-13 13:29 ` Waiman Long
2020-03-13 15:28 ` Jarkko Sakkinen
2020-03-13 15:28 ` Jarkko Sakkinen
2020-03-13 16:57 ` Waiman Long
2020-03-13 16:57 ` Waiman Long
2020-03-08 17:04 ` [PATCH v2 2/2] KEYS: Avoid false positive ENOMEM error on key read Waiman Long
2020-03-08 17:04 ` Waiman Long
2020-03-09 16:32 ` David Howells
2020-03-10 15:45 ` Waiman Long
2020-03-10 15:45 ` Waiman Long
2020-03-10 15:58 ` Waiman Long
2020-03-10 15:58 ` Waiman Long
2020-03-10 17:12 ` David Howells
2020-03-11 15:33 ` Waiman Long [this message]
2020-03-11 15:33 ` Waiman Long
2020-03-11 15:33 ` Waiman Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7d0b0c5f-98e7-0fb6-69cd-76a31a010bcb@redhat.com \
--to=longman@redhat.com \
--cc=crecklin@redhat.com \
--cc=dhowells@redhat.com \
--cc=ebiggers@google.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jmorris@namei.org \
--cc=jsnitsel@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=sumit.garg@linaro.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.