mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-11 12:28:41 +08:00
97500a4a54
When freeing a page with an order >= shuffle_page_order randomly select the front or back of the list for insertion. While the mm tries to defragment physical pages into huge pages this can tend to make the page allocator more predictable over time. Inject the front-back randomness to preserve the initial randomness established by shuffle_free_memory() when the kernel was booted. The overhead of this manipulation is constrained by only being applied for MAX_ORDER sized pages by default. [akpm@linux-foundation.org: coding-style fixes] Link: http://lkml.kernel.org/r/154899812788.3165233.9066631950746578517.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Keith Busch <keith.busch@intel.com> Cc: Robert Elliott <elliott@hpe.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
208 lines
5.7 KiB
C
208 lines
5.7 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
// Copyright(c) 2018 Intel Corporation. All rights reserved.
|
|
|
|
#include <linux/mm.h>
|
|
#include <linux/init.h>
|
|
#include <linux/mmzone.h>
|
|
#include <linux/random.h>
|
|
#include <linux/moduleparam.h>
|
|
#include "internal.h"
|
|
#include "shuffle.h"
|
|
|
|
DEFINE_STATIC_KEY_FALSE(page_alloc_shuffle_key);
|
|
static unsigned long shuffle_state __ro_after_init;
|
|
|
|
/*
|
|
* Depending on the architecture, module parameter parsing may run
|
|
* before, or after the cache detection. SHUFFLE_FORCE_DISABLE prevents,
|
|
* or reverts the enabling of the shuffle implementation. SHUFFLE_ENABLE
|
|
* attempts to turn on the implementation, but aborts if it finds
|
|
* SHUFFLE_FORCE_DISABLE already set.
|
|
*/
|
|
__meminit void page_alloc_shuffle(enum mm_shuffle_ctl ctl)
|
|
{
|
|
if (ctl == SHUFFLE_FORCE_DISABLE)
|
|
set_bit(SHUFFLE_FORCE_DISABLE, &shuffle_state);
|
|
|
|
if (test_bit(SHUFFLE_FORCE_DISABLE, &shuffle_state)) {
|
|
if (test_and_clear_bit(SHUFFLE_ENABLE, &shuffle_state))
|
|
static_branch_disable(&page_alloc_shuffle_key);
|
|
} else if (ctl == SHUFFLE_ENABLE
|
|
&& !test_and_set_bit(SHUFFLE_ENABLE, &shuffle_state))
|
|
static_branch_enable(&page_alloc_shuffle_key);
|
|
}
|
|
|
|
static bool shuffle_param;
|
|
extern int shuffle_show(char *buffer, const struct kernel_param *kp)
|
|
{
|
|
return sprintf(buffer, "%c\n", test_bit(SHUFFLE_ENABLE, &shuffle_state)
|
|
? 'Y' : 'N');
|
|
}
|
|
|
|
static __meminit int shuffle_store(const char *val,
|
|
const struct kernel_param *kp)
|
|
{
|
|
int rc = param_set_bool(val, kp);
|
|
|
|
if (rc < 0)
|
|
return rc;
|
|
if (shuffle_param)
|
|
page_alloc_shuffle(SHUFFLE_ENABLE);
|
|
else
|
|
page_alloc_shuffle(SHUFFLE_FORCE_DISABLE);
|
|
return 0;
|
|
}
|
|
module_param_call(shuffle, shuffle_store, shuffle_show, &shuffle_param, 0400);
|
|
|
|
/*
|
|
* For two pages to be swapped in the shuffle, they must be free (on a
|
|
* 'free_area' lru), have the same order, and have the same migratetype.
|
|
*/
|
|
static struct page * __meminit shuffle_valid_page(unsigned long pfn, int order)
|
|
{
|
|
struct page *page;
|
|
|
|
/*
|
|
* Given we're dealing with randomly selected pfns in a zone we
|
|
* need to ask questions like...
|
|
*/
|
|
|
|
/* ...is the pfn even in the memmap? */
|
|
if (!pfn_valid_within(pfn))
|
|
return NULL;
|
|
|
|
/* ...is the pfn in a present section or a hole? */
|
|
if (!pfn_present(pfn))
|
|
return NULL;
|
|
|
|
/* ...is the page free and currently on a free_area list? */
|
|
page = pfn_to_page(pfn);
|
|
if (!PageBuddy(page))
|
|
return NULL;
|
|
|
|
/*
|
|
* ...is the page on the same list as the page we will
|
|
* shuffle it with?
|
|
*/
|
|
if (page_order(page) != order)
|
|
return NULL;
|
|
|
|
return page;
|
|
}
|
|
|
|
/*
|
|
* Fisher-Yates shuffle the freelist which prescribes iterating through an
|
|
* array, pfns in this case, and randomly swapping each entry with another in
|
|
* the span, end_pfn - start_pfn.
|
|
*
|
|
* To keep the implementation simple it does not attempt to correct for sources
|
|
* of bias in the distribution, like modulo bias or pseudo-random number
|
|
* generator bias. I.e. the expectation is that this shuffling raises the bar
|
|
* for attacks that exploit the predictability of page allocations, but need not
|
|
* be a perfect shuffle.
|
|
*/
|
|
#define SHUFFLE_RETRY 10
|
|
void __meminit __shuffle_zone(struct zone *z)
|
|
{
|
|
unsigned long i, flags;
|
|
unsigned long start_pfn = z->zone_start_pfn;
|
|
unsigned long end_pfn = zone_end_pfn(z);
|
|
const int order = SHUFFLE_ORDER;
|
|
const int order_pages = 1 << order;
|
|
|
|
spin_lock_irqsave(&z->lock, flags);
|
|
start_pfn = ALIGN(start_pfn, order_pages);
|
|
for (i = start_pfn; i < end_pfn; i += order_pages) {
|
|
unsigned long j;
|
|
int migratetype, retry;
|
|
struct page *page_i, *page_j;
|
|
|
|
/*
|
|
* We expect page_i, in the sub-range of a zone being added
|
|
* (@start_pfn to @end_pfn), to more likely be valid compared to
|
|
* page_j randomly selected in the span @zone_start_pfn to
|
|
* @spanned_pages.
|
|
*/
|
|
page_i = shuffle_valid_page(i, order);
|
|
if (!page_i)
|
|
continue;
|
|
|
|
for (retry = 0; retry < SHUFFLE_RETRY; retry++) {
|
|
/*
|
|
* Pick a random order aligned page in the zone span as
|
|
* a swap target. If the selected pfn is a hole, retry
|
|
* up to SHUFFLE_RETRY attempts find a random valid pfn
|
|
* in the zone.
|
|
*/
|
|
j = z->zone_start_pfn +
|
|
ALIGN_DOWN(get_random_long() % z->spanned_pages,
|
|
order_pages);
|
|
page_j = shuffle_valid_page(j, order);
|
|
if (page_j && page_j != page_i)
|
|
break;
|
|
}
|
|
if (retry >= SHUFFLE_RETRY) {
|
|
pr_debug("%s: failed to swap %#lx\n", __func__, i);
|
|
continue;
|
|
}
|
|
|
|
/*
|
|
* Each migratetype corresponds to its own list, make sure the
|
|
* types match otherwise we're moving pages to lists where they
|
|
* do not belong.
|
|
*/
|
|
migratetype = get_pageblock_migratetype(page_i);
|
|
if (get_pageblock_migratetype(page_j) != migratetype) {
|
|
pr_debug("%s: migratetype mismatch %#lx\n", __func__, i);
|
|
continue;
|
|
}
|
|
|
|
list_swap(&page_i->lru, &page_j->lru);
|
|
|
|
pr_debug("%s: swap: %#lx -> %#lx\n", __func__, i, j);
|
|
|
|
/* take it easy on the zone lock */
|
|
if ((i % (100 * order_pages)) == 0) {
|
|
spin_unlock_irqrestore(&z->lock, flags);
|
|
cond_resched();
|
|
spin_lock_irqsave(&z->lock, flags);
|
|
}
|
|
}
|
|
spin_unlock_irqrestore(&z->lock, flags);
|
|
}
|
|
|
|
/**
|
|
* shuffle_free_memory - reduce the predictability of the page allocator
|
|
* @pgdat: node page data
|
|
*/
|
|
void __meminit __shuffle_free_memory(pg_data_t *pgdat)
|
|
{
|
|
struct zone *z;
|
|
|
|
for (z = pgdat->node_zones; z < pgdat->node_zones + MAX_NR_ZONES; z++)
|
|
shuffle_zone(z);
|
|
}
|
|
|
|
void add_to_free_area_random(struct page *page, struct free_area *area,
|
|
int migratetype)
|
|
{
|
|
static u64 rand;
|
|
static u8 rand_bits;
|
|
|
|
/*
|
|
* The lack of locking is deliberate. If 2 threads race to
|
|
* update the rand state it just adds to the entropy.
|
|
*/
|
|
if (rand_bits == 0) {
|
|
rand_bits = 64;
|
|
rand = get_random_u64();
|
|
}
|
|
|
|
if (rand & 1)
|
|
add_to_free_area(page, area, migratetype);
|
|
else
|
|
add_to_free_area_tail(page, area, migratetype);
|
|
rand_bits--;
|
|
rand >>= 1;
|
|
}
|