From: Alexander Potapenko <glider@google.com>
To: akpm@linux-foundation.org, cl@linux.com, dvyukov@google.com,
	keescook@chromium.org, labbott@redhat.com
Cc: linux-mm@kvack.org, linux-security-module@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Subject: [PATCH 2/3] gfp: mm: introduce __GFP_NOINIT
Date: Thu, 18 Apr 2019 17:42:07 +0200
Message-ID: <20190418154208.131118-3-glider@google.com>
In-Reply-To: <20190418154208.131118-1-glider@google.com>

When passed to an allocator (either pagealloc or SL[AOU]B), __GFP_NOINIT
tells it to not initialize the requested memory if the init_allocations
boot option is enabled. This can be useful in cases where the newly
allocated memory is going to be initialized by the caller right away.

__GFP_NOINIT basically defeats the hardening against information leaks
provided by the init_allocations feature, so one should use it with
caution.

This patch also adds __GFP_NOINIT to alloc_pages() calls in SL[AOU]B.

Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Sandeep Patil <sspatil@android.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Jann Horn <jannh@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Qian Cai <cai@lca.pw>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: linux-mm@kvack.org
Cc: linux-security-module@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
---
 include/linux/gfp.h | 6 +++++-
 include/linux/mm.h  | 2 +-
 kernel/kexec_core.c | 2 +-
 mm/slab.c           | 2 +-
 mm/slob.c           | 1 +
 mm/slub.c           | 1 +
 6 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/include/linux/gfp.h b/include/linux/gfp.h
index fdab7de7490d..66d7f5604fe2 100644
--- a/include/linux/gfp.h
+++ b/include/linux/gfp.h
@@ -44,6 +44,7 @@ struct vm_area_struct;
 #else
 #define ___GFP_NOLOCKDEP	0
 #endif
+#define ___GFP_NOINIT		0x1000000u
 /* If the above are modified, __GFP_BITS_SHIFT may need updating */
 
 /*
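Review bot: ___GFP_NOINIT is hard-coded to 0x1000000u (bit 24) after the #endif, so on builds that take the #else branch above, where ___GFP_NOLOCKDEP is 0, the bit below it is left unused. Since the old __GFP_BITS_SHIFT was 23 + IS_ENABLED(CONFIG_LOCKDEP), that hole is new with this patch. Either add a comment next to the define saying the gap is intentional, or place the new flag so that non-lockdep builds do not spend an extra bit.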
@@ -208,16 +209,19 @@ struct vm_area_struct;
  * %__GFP_COMP address compound page metadata.
  *
  * %__GFP_ZERO returns a zeroed page on success.
+ *
+ * %__GFP_NOINIT requests non-initialized memory from the underlying allocator.
  */
 #define __GFP_NOWARN	((__force gfp_t)___GFP_NOWARN)
 #define __GFP_COMP	((__force gfp_t)___GFP_COMP)
 #define __GFP_ZERO	((__force gfp_t)___GFP_ZERO)
+#define __GFP_NOINIT	((__force gfp_t)___GFP_NOINIT)
 
 /* Disable lockdep for GFP context tracking */
 #define __GFP_NOLOCKDEP ((__force gfp_t)___GFP_NOLOCKDEP)
 
 /* Room for N __GFP_FOO bits */
-#define __GFP_BITS_SHIFT (23 + IS_ENABLED(CONFIG_LOCKDEP))
+#define __GFP_BITS_SHIFT (25)
 #define __GFP_BITS_MASK ((__force gfp_t)((1 << __GFP_BITS_SHIFT) - 1))
 
 /**
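Review bot: the kernel-doc line added for %__GFP_NOINIT does not say that the flag only has an effect when init_allocations is enabled, nor what a caller gets when it is combined with %__GFP_ZERO. Both belong in the comment, together with the caution from the commit message that the flag defeats the information-leak hardening, since this comment is what callers will read before using it. Separately, __GFP_BITS_SHIFT becomes the bare constant (25) and no longer tracks CONFIG_LOCKDEP; the parentheses are unnecessary, and a short comment that 25 covers ___GFP_NOINIT at bit 24 would help whoever adds the next flag.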
diff --git a/include/linux/mm.h b/include/linux/mm.h
index b38b71a5efaa..8f03334a9033 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2601,7 +2601,7 @@ DECLARE_STATIC_KEY_FALSE(init_allocations);
 static inline bool want_init_memory(gfp_t flags)
 {
 	if (static_branch_unlikely(&init_allocations))
-		return true;
+		return !(flags & __GFP_NOINIT);
 	return flags & __GFP_ZERO;
 }
 
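Review bot: in want_init_memory(), once init_allocations is enabled the new return statement no longer looks at __GFP_ZERO, so flags carrying both __GFP_ZERO and __GFP_NOINIT yield false and the caller receives memory it explicitly asked to be zeroed but that was not. With the static branch off, the same flags yield true, so behaviour depends on a boot option. __GFP_ZERO should win in both cases: test "if (flags & __GFP_ZERO) return true;" first, then return static_branch_unlikely(&init_allocations) && !(flags & __GFP_NOINIT). This matters because the slab hunks in this patch OR __GFP_NOINIT into whatever flags they were handed.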
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index be84f5f95c97..f9d1f1236cd0 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -302,7 +302,7 @@ static struct page *kimage_alloc_pages(gfp_t gfp_mask, unsigned int order)
 {
 	struct page *pages;
 
-	pages = alloc_pages(gfp_mask & ~__GFP_ZERO, order);
+	pages = alloc_pages((gfp_mask & ~__GFP_ZERO) | __GFP_NOINIT, order);
 	if (pages) {
 		unsigned int count, i;
 
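Review bot: the __GFP_NOINIT added to the alloc_pages() call in kimage_alloc_pages() is not mentioned in the commit message, which only names the SL[AOU]B callers, and nothing in the hunk says why skipping initialization is safe here. Please add a sentence to the changelog and a comment above the call stating where these pages get initialized before they are used, so the reason for opting out of the hardening stays attached to the call site.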
diff --git a/mm/slab.c b/mm/slab.c
index dcc5b73cf767..762cb0e7bcc1 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -1393,7 +1393,7 @@ static struct page *kmem_getpages(struct kmem_cache *cachep, gfp_t flags,
 	struct page *page;
 	int nr_pages;
 
-	flags |= cachep->allocflags;
+	flags |= (cachep->allocflags | __GFP_NOINIT);
 
 	page = __alloc_pages_node(nodeid, flags, cachep->gfporder);
 	if (!page) {
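Review bot: kmem_getpages() now ORs __GFP_NOINIT into flags unconditionally, with no comment explaining what guarantees that the slab pages are initialized later. Because the commit message itself says the flag defeats the information-leak hardening, the call site should state the invariant it relies on (for example, that objects are initialized when they are handed out by the slab allocator). The parentheses in "flags |= (cachep->allocflags | __GFP_NOINIT);" are also redundant.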
diff --git a/mm/slob.c b/mm/slob.c
index 18981a71e962..867d2d68a693 100644
--- a/mm/slob.c
+++ b/mm/slob.c
@@ -192,6 +192,7 @@ static void *slob_new_pages(gfp_t gfp, int order, int node)
 {
 	void *page;
 
+	gfp |= __GFP_NOINIT;
 #ifdef CONFIG_NUMA
 	if (node != NUMA_NO_NODE)
 		page = __alloc_pages_node(node, gfp, order);
diff --git a/mm/slub.c b/mm/slub.c
index e4efb6575510..a79b4cb768a2 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1493,6 +1493,7 @@ static inline struct page *alloc_slab_page(struct kmem_cache *s,
 	struct page *page;
 	unsigned int order = oo_order(oo);
 
+	flags |= __GFP_NOINIT;
 	if (node == NUMA_NO_NODE)
 		page = alloc_pages(flags, order);
 	else
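Review bot: "flags |= __GFP_NOINIT;" in alloc_slab_page() is the third open-coded copy of the same opt-out, after kmem_getpages() in mm/slab.c and slob_new_pages() in mm/slob.c, and none of the three carries a comment. A single documented helper or macro shared by the slab allocators would keep the rationale in one place and make it easy to find every spot where the page allocator's initialization is bypassed.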
-- 
2.21.0.392.gf8f6787159e-goog

