Re: [PATCH v3 3/3] randomize_kstack: Unify random source across arches

public inbox for linuxppc-dev@ozlabs.org 
 help / color / mirror / Atom feed

From: David Laight <david.laight.linux@gmail•com>
To: Ryan Roberts <ryan.roberts@arm•com>
Cc: Catalin Marinas <catalin.marinas@arm•com>,
	Will Deacon <will@kernel•org>,
	Huacai Chen <chenhuacai@kernel•org>,
	Madhavan Srinivasan <maddy@linux•ibm.com>,
	Michael Ellerman <mpe@ellerman•id.au>,
	Paul Walmsley <pjw@kernel•org>,
	Palmer Dabbelt <palmer@dabbelt•com>,
	Albert Ou <aou@eecs•berkeley.edu>,
	Heiko Carstens <hca@linux•ibm.com>,
	Vasily Gorbik <gor@linux•ibm.com>,
	Alexander Gordeev <agordeev@linux•ibm.com>,
	Thomas Gleixner <tglx@linutronix•de>,
	Ingo Molnar <mingo@redhat•com>, Borislav Petkov <bp@alien8•de>,
	Dave Hansen <dave.hansen@linux•intel.com>,
	Kees Cook <kees@kernel•org>,
	"Gustavo A. R. Silva" <gustavoars@kernel•org>,
	Arnd Bergmann <arnd@arndb•de>,
	Mark Rutland <mark.rutland@arm•com>,
	"Jason A. Donenfeld" <Jason@zx2c4•com>,
	Ard Biesheuvel <ardb@kernel•org>,
	Jeremy Linton <jeremy.linton@arm•com>,
	linux-kernel@vger•kernel.org,
	linux-arm-kernel@lists•infradead.org, loongarch@lists•linux.dev,
	linuxppc-dev@lists•ozlabs.org, linux-riscv@lists•infradead.org,
	linux-s390@vger•kernel.org, linux-hardening@vger•kernel.org
Subject: Re: [PATCH v3 3/3] randomize_kstack: Unify random source across arches
Date: Mon, 12 Jan 2026 13:36:20 +0000	[thread overview]
Message-ID: <20260112133620.2863e1d6@pumpkin> (raw)
In-Reply-To: <09de87bc-d952-41e7-9657-852c2924aaa7@arm.com>

On Mon, 12 Jan 2026 12:26:26 +0000
Ryan Roberts <ryan.roberts@arm•com> wrote:

> On 07/01/2026 14:05, David Laight wrote:
> > On Sun, 4 Jan 2026 23:01:36 +0000
> > David Laight <david.laight.linux@gmail•com> wrote:
...
> > I've trimmed the initialiser - it is very boring.
> > The code to create the initialiser is actually slightly smaller than it is.
> > Doable by hand provided you can do 128bit shift and xor without making
> > any mistakes.
> > 
> > I've just done a quick search through the kernel sources and haven't found
> > many uses of prandom_u32_state() outside of test code.
> > There is sched_rng() which uses a per-cpu rng to throw a 1024 sized die.
> > bpf also has a per-cpu one for 'unprivileged user space'.
> > net/sched/sch_netem.c seems to use one - mostly for packet loss generation.
> > 
> > Since the randomize_kstack code is now using a per-task rng (initialised
> > by clone?) that could be used instead of all the others provided they
> > are run when 'current' is valid.
> > 
> > But the existing prandom_u32_state() needs a big health warning that
> > four outputs leak the entire state.
> > That is fixable by changing the last line to:
> >         return state->s1 + state->s2 + state->s3 + state->s4;
> > That only affects the output value, the period is unchanged.  
> 
> Hi David,
> 
> This all seems interesting, but I'm not clear that it is a blocker for this
> series. As I keep saying, we only use 6 bits for offset randmization so it is
> trival to brute force, regardless of how easy it is to recover the prng state.
> 
> Perhaps we can decouple these 2 things and make them independent:
> 
>  - this series, which is motivated by speeding up syscalls on arm64; given 6
>    bits is not hard to brute force, spending a lot of cycles calculating those
>    bits is unjustified.
> 
>  - Your observation that that the current prng could be improved to make
>    recoving it's state harder.
> 
> What do you think?

They are separate.
I should have a 'mostly written' patch series for prandom_u32_state().

If you unconditionally add a per-task prng there are a few places that could
use it instead of a per-cpu one.
It could be 'perturbed' during task switch - eg by:
	s->s1 = (s->s1 ^ something) | 2;
(The 2 stops the new value being 0 or 1, losing 1 bit wont be significant.)

This one is much nearer 'ready' and has an obvious impact.

	David

> 
> Thanks,
> Ryan
> 
> 
> > 
> > 	David
> > 
> >   
>

next prev parent reply	other threads:[~2026-01-12 13:37 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-02 13:11 [PATCH v3 0/3] Fix bugs and performance of kstack offset randomisation Ryan Roberts
2026-01-02 13:11 ` [PATCH v3 1/3] randomize_kstack: Maintain kstack_offset per task Ryan Roberts
2026-01-02 22:44   ` David Laight
2026-01-05 10:30     ` Ryan Roberts
2026-01-19 10:23   ` Mark Rutland
2026-01-02 13:11 ` [PATCH v3 2/3] prandom: Convert prandom_u32_state() to __always_inline Ryan Roberts
2026-01-02 13:39   ` Jason A. Donenfeld
2026-01-02 14:09     ` Ryan Roberts
2026-01-03  8:00       ` Christophe Leroy (CS GROUP)
2026-01-05 10:36         ` Ryan Roberts
2026-01-03 10:46       ` David Laight
2026-01-05 10:34         ` Ryan Roberts
2026-01-02 22:54     ` David Laight
2026-01-19 10:26   ` Mark Rutland
2026-01-02 13:11 ` [PATCH v3 3/3] randomize_kstack: Unify random source across arches Ryan Roberts
2026-01-04 23:01   ` David Laight
2026-01-05 11:05     ` Ryan Roberts
2026-01-05 14:45       ` David Laight
2026-01-07 14:05     ` David Laight
2026-01-12 12:26       ` Ryan Roberts
2026-01-12 13:36         ` David Laight [this message]
2026-01-19 10:48   ` Mark Rutland
2026-01-19 10:52 ` [PATCH v3 0/3] Fix bugs and performance of kstack offset randomisation Mark Rutland
2026-01-19 12:22   ` David Laight
2026-01-19 12:58     ` Ryan Roberts
2026-01-19 12:59   ` Ryan Roberts

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260112133620.2863e1d6@pumpkin \
    --to=david.laight.linux@gmail$(echo .)com \
    --cc=Jason@zx2c4$(echo .)com \
    --cc=agordeev@linux$(echo .)ibm.com \
    --cc=aou@eecs$(echo .)berkeley.edu \
    --cc=ardb@kernel$(echo .)org \
    --cc=arnd@arndb$(echo .)de \
    --cc=bp@alien8$(echo .)de \
    --cc=catalin.marinas@arm$(echo .)com \
    --cc=chenhuacai@kernel$(echo .)org \
    --cc=dave.hansen@linux$(echo .)intel.com \
    --cc=gor@linux$(echo .)ibm.com \
    --cc=gustavoars@kernel$(echo .)org \
    --cc=hca@linux$(echo .)ibm.com \
    --cc=jeremy.linton@arm$(echo .)com \
    --cc=kees@kernel$(echo .)org \
    --cc=linux-arm-kernel@lists$(echo .)infradead.org \
    --cc=linux-hardening@vger$(echo .)kernel.org \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=linux-riscv@lists$(echo .)infradead.org \
    --cc=linux-s390@vger$(echo .)kernel.org \
    --cc=linuxppc-dev@lists$(echo .)ozlabs.org \
    --cc=loongarch@lists$(echo .)linux.dev \
    --cc=maddy@linux$(echo .)ibm.com \
    --cc=mark.rutland@arm$(echo .)com \
    --cc=mingo@redhat$(echo .)com \
    --cc=mpe@ellerman$(echo .)id.au \
    --cc=palmer@dabbelt$(echo .)com \
    --cc=pjw@kernel$(echo .)org \
    --cc=ryan.roberts@arm$(echo .)com \
    --cc=tglx@linutronix$(echo .)de \
    --cc=will@kernel$(echo .)org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox