From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5FF4CC433DF for ; Tue, 16 Jun 2020 03:32:28 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 0E95420756 for ; Tue, 16 Jun 2020 03:32:28 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="CI14aWxQ" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0E95420756 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49mDKQ1JVYzDqmh for ; Tue, 16 Jun 2020 13:32:26 +1000 (AEST) Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=kernel.org (client-ip=198.145.29.99; helo=mail.kernel.org; envelope-from=ebiggers@kernel.org; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none) header.from=kernel.org Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256 header.s=default header.b=CI14aWxQ; dkim-atps=neutral Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49mDHN6p0hzDqdp for ; Tue, 16 Jun 2020 13:30:40 +1000 (AEST) Received: from sol.localdomain (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9B3B8206D7; Tue, 16 Jun 2020 03:30:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592278237; bh=cbCBV+GA89Kxk07F75+TVwUbSIVVlsmXitOPPgujt0g=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=CI14aWxQPw24ENjaHXJfOipbxs59iBOy6w+TeEVniGvJYBqy6D1cwSzDbSE5kI4lU lIYg5jNgJLjG7j91Xm1X3e+BxtmR8FfP4CJnhYPkHwCMU6wjZ6YBjNC+nYJMCpp2N5 Vlpy20o3OcJdDug0iUS5K1iWjVtuIX+008M01eB4= Date: Mon, 15 Jun 2020 20:30:35 -0700 From: Eric Biggers To: Waiman Long Subject: Re: [PATCH v4 1/3] mm/slab: Use memzero_explicit() in kzfree() Message-ID: <20200616033035.GB902@sol.localdomain> References: <20200616015718.7812-1-longman@redhat.com> <20200616015718.7812-2-longman@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200616015718.7812-2-longman@redhat.com> X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: "Jason A . Donenfeld" , Michal Hocko , linux-btrfs@vger.kernel.org, Jarkko Sakkinen , David Sterba , David Howells , linux-mm@kvack.org, linux-sctp@vger.kernel.org, keyrings@vger.kernel.org, kasan-dev@googlegroups.com, linux-stm32@st-md-mailman.stormreply.com, devel@driverdev.osuosl.org, linux-cifs@vger.kernel.org, linux-scsi@vger.kernel.org, James Morris , Matthew Wilcox , linux-wpan@vger.kernel.org, David Rientjes , Dan Carpenter , "Serge E. Hallyn" , linux-pm@vger.kernel.org, ecryptfs@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-amlogic@lists.infradead.org, virtualization@lists.linux-foundation.org, linux-integrity@vger.kernel.org, linux-nfs@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux-bluetooth@vger.kernel.org, linux-security-module@vger.kernel.org, target-devel@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-crypto@vger.kernel.org, Johannes Weiner , Joe Perches , Andrew Morton , Linus Torvalds , netdev@vger.kernel.org, wireguard@lists.zx2c4.com, linux-ppp@vger.kernel.org Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Mon, Jun 15, 2020 at 09:57:16PM -0400, Waiman Long wrote: > The kzfree() function is normally used to clear some sensitive > information, like encryption keys, in the buffer before freeing it back > to the pool. Memset() is currently used for the buffer clearing. However, > it is entirely possible that the compiler may choose to optimize away the > memory clearing especially if LTO is being used. To make sure that this > optimization will not happen, memzero_explicit(), which is introduced > in v3.18, is now used in kzfree() to do the clearing. > > Fixes: 3ef0e5ba4673 ("slab: introduce kzfree()") > Cc: stable@vger.kernel.org > Signed-off-by: Waiman Long > --- > mm/slab_common.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/slab_common.c b/mm/slab_common.c > index 9e72ba224175..37d48a56431d 100644 > --- a/mm/slab_common.c > +++ b/mm/slab_common.c > @@ -1726,7 +1726,7 @@ void kzfree(const void *p) > if (unlikely(ZERO_OR_NULL_PTR(mem))) > return; > ks = ksize(mem); > - memset(mem, 0, ks); > + memzero_explicit(mem, ks); > kfree(mem); > } > EXPORT_SYMBOL(kzfree); This is a good change, but the commit message isn't really accurate. AFAIK, no one has found any case where this memset() gets optimized out. And even with LTO, it would be virtually impossible due to all the synchronization and global data structures that kfree() uses. (Remember that this isn't the C standard function "free()", so the compiler can't assign it any special meaning.) Not to mention that LTO support isn't actually upstream yet. I still agree with the change, but it might be helpful if the commit message were honest that this is really a hardening measure and about properly conveying the intent. As-is this sounds like a critical fix, which might confuse people. - Eric