lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANpmjNPZxvWXTnJvkuwUifM5EjPetKxTJ7ectbw_7JFoBLB4EA@mail.gmail.com>
Date:   Mon, 5 Oct 2020 20:59:49 +0200
From:   Marco Elver <elver@...gle.com>
To:     Jann Horn <jannh@...gle.com>
Cc:     Dmitry Vyukov <dvyukov@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Alexander Potapenko <glider@...gle.com>,
        "H . Peter Anvin" <hpa@...or.com>,
        "Paul E . McKenney" <paulmck@...nel.org>,
        Andrey Konovalov <andreyknvl@...gle.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Andy Lutomirski <luto@...nel.org>,
        Borislav Petkov <bp@...en8.de>,
        Catalin Marinas <catalin.marinas@....com>,
        Christoph Lameter <cl@...ux.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        David Rientjes <rientjes@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Hillf Danton <hdanton@...a.com>,
        Ingo Molnar <mingo@...hat.com>,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>,
        Jonathan Corbet <corbet@....net>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Kees Cook <keescook@...omium.org>,
        Mark Rutland <mark.rutland@....com>,
        Pekka Enberg <penberg@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        SeongJae Park <sjpark@...zon.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Vlastimil Babka <vbabka@...e.cz>,
        Will Deacon <will@...nel.org>,
        "the arch/x86 maintainers" <x86@...nel.org>,
        "open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
        kernel list <linux-kernel@...r.kernel.org>,
        kasan-dev <kasan-dev@...glegroups.com>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        Linux-MM <linux-mm@...ck.org>, SeongJae Park <sjpark@...zon.de>
Subject: Re: [PATCH v4 01/11] mm: add Kernel Electric-Fence infrastructure

On Fri, 2 Oct 2020 at 20:28, Jann Horn <jannh@...gle.com> wrote:
[...]
> > >
> > > Do you have performance numbers or a description of why you believe
> > > that this part of kfence is exceptionally performance-sensitive? If
> > > not, it might be a good idea to remove this optimization, at least for
> > > the initial version of this code. (And even if the optimization is
> > > worthwhile, it might be a better idea to go for the generic version
> > > immediately.)
> >
> > This check is very hot, it happens on every free. For every freed
> > object we need to understand if it belongs to KFENCE or not.
>
> Ah, so the path you care about does not dereference __kfence_pool, it
> just compares it to the supplied pointer?
>
>
> First off: The way you've written is_kfence_address(), GCC 10.2 at -O3
> seems to generate *utterly* *terrible* code (and the newest clang
> release isn't any better); something like this:
>
> kfree_inefficient:
>   mov rax, QWORD PTR __kfence_pool[rip]
>   cmp rax, rdi
>   jbe .L4
> .L2:
>   jmp kfree_not_kfence
> .L4:
>   add rax, 0x200000
>   cmp rax, rdi
>   jbe .L2
>   jmp kfree_kfence
>
> So pointers to the left of the region and pointers to the right of the
> region will take different branches, and so if you have a mix of
> objects on both sides of the kfence region, you'll get tons of branch
> mispredictions for no good reason. You'll want to rewrite that check
> as "unlikely(ptr - base <= SIZE)" instead of "unlikely(ptr >= base &&
> ptr < base + SIZE" unless you know that all the objects will be on one
> side. This would also reduce the performance impact of loading
> __kfence_pool from the data section, because the branch prediction can
> then speculate the branch that depends on the load properly and
> doesn't have to go roll back everything that happened when the object
> turns out to be on the opposite side of the kfence memory region - the
> latency of the load will hopefully become almost irrelevant.

Good point, implemented that. (It's "ptr - base < SIZE" I take it.)

> So in x86 intel assembly (assuming that we want to ensure that we only
> do a single branch on the object type), the straightforward and
> non-terrible version would be:
>
>
> kfree_unoptimized:
>   mov rax, rdi
>   sub rax, QWORD PTR __kfence_pool[rip]
>   cmp rax, 0x200000
>   jbe 1f
>   /* non-kfence case goes here */
> 1:
>   /* kfence case goes here */
>
>
> while the version you want is:
>
>
> kfree_static:
>   mov rax, rdi
>   sub rax, OFFSET FLAT:__kfence_pool
>   cmp rax, 0x200000
>   jbe 1f
>   jmp kfree_not_kfence
> 1:
>   jmp kfree_kfence
>
>
> If we instead use something like
>
> #define STATIC_VARIABLE_LOAD(variable) \
> ({ \
>   typeof(variable) value; \
>   BUILD_BUG_ON(sizeof(variable) != sizeof(unsigned long)); \
>   asm( \
>     ".pushsection .static_variable_users\n\t" \
>     ".long "  #variable " - .\n\t" \
>     ".long 123f - .\n\t" /* offset to end of constant */ \
>     ".popsection\n\t" \
>     "movabs $0x0123456789abcdef, %0" \
>     "123:\n\t" \
>     :"=r"(value) \
>   ); \
>   value; \
> })
> static __always_inline bool is_kfence_address(const void *addr)
> {
>   return unlikely((char*)addr - STATIC_VARIABLE_LOAD(__kfence_pool) <
> KFENCE_POOL_SIZE);
> }
>
> to locate the pool (which could again be normally allocated with
> alloc_pages()), we'd get code like this, which is like the previous
> except that we need an extra "movabs" because x86's "sub" can only use
> immediates up to 32 bits:
>
> kfree_hotpatchable_bigreloc:
>   mov rax, rdi
>   movabs rdx, 0x0123456789abcdef
>   sub rax, rdx
>   cmp rax, 0x200000
>   jbe .1f
>   jmp kfree_not_kfence
> 1:
>   jmp kfree_kfence
>
> The arch-specific part of this could probably be packaged up pretty
> nicely into a generic interface. If it actually turns out to have a
> performance benefit, that is.

Something like this would certainly be nice, but we'll do the due
diligence and see if it's even worth it.

> If that one extra "movabs" is actually a problem, it would
> *theoretically* be possible to get rid of that by using module_alloc()
> to allocate virtual memory to which offsets from kernel text are 32
> bits, and using special-cased inline asm, but we probably shouldn't do
> that, because as Mark pointed out, we'd then risk getting extremely
> infrequent extra bugs when drivers use phys_to_virt() on allocations
> that were done through kfence. Adding new, extremely infrequent and
> sporadically occurring bugs to the kernel seems like the exact
> opposite of the goal of KFENCE. :P
>
> Overall my expectation would be that the MOVABS version should
> probably at worst be something like one cycle slower - it adds 5
> instruction bytes (and we pay 1 cycle in the frontend per 16 bytes of
> instructions, I think?) and 1 backend cycle (for the MOVABS - Agner
> Fog's tables seem to say that at least on Skylake, MOVABS is 1 cycle).
> But that backend cycle shouldn't even be on the critical path (and it
> has a wider choice of ports than e.g. a load, and I think typical
> kernel code isn't exactly highly parallelizable, so we can probably
> schedule on a port that would've been free otherwise?), and I think
> typical kernel code should be fairly light on the backend, so with the
> MOVABS version, compared to the version with __kfence_pool in the data
> section, we probably overall just pay a fraction of a cycle in
> execution cost? I'm not a professional performance engineer, but this
> sounds to me like the MOVABS version should probably perform roughly
> as well as your version.
>
> Anyway, I guess this is all pretty vague without actually having
> concrete benchmark results. :P
>
> See <https://godbolt.org/z/Kev9dc> for examples of actual code
> generation for different options of writing this check.

Thanks for the analysis!  There is also some (11 year old) prior art,
that seems to never have made it into the kernel:
https://lore.kernel.org/lkml/20090924132626.485545323@polymtl.ca/

Maybe we need to understand why that never made it.

But I think, even if we drop the static pool, a first version of
KFENCE should not depend on it.

Thanks,
-- Marco

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ