From: David Hildenbrand <david@redhat.com>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Dmitry Vyukov <dvyukov@google.com>,
George Kennedy <george.kennedy@oracle.com>,
Konrad Rzeszutek Wilk <konrad@darnok.org>,
Will Deacon <will.deacon@arm.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Marco Elver <elver@google.com>,
Peter Collingbourne <pcc@google.com>,
Evgenii Stepanov <eugenis@google.com>,
Branislav Rankov <Branislav.Rankov@arm.com>,
Kevin Brodsky <kevin.brodsky@arm.com>,
Christoph Hellwig <hch@infradead.org>,
kasan-dev <kasan-dev@googlegroups.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Linux Memory Management List <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm, kasan: don't poison boot memory
Date: Thu, 18 Feb 2021 20:46:17 +0100 [thread overview]
Message-ID: <509c1c80-bb2c-0c5c-ffa3-939ca40d2646@redhat.com> (raw)
In-Reply-To: <CAAeHK+x2OwXXR-ci9Z+g=O6ZivM+LegxwkrpTqJLy2AZ9iW7-g@mail.gmail.com>
On 18.02.21 20:40, Andrey Konovalov wrote:
> On Thu, Feb 18, 2021 at 9:55 AM David Hildenbrand <david@redhat.com> wrote:
>>
>> On 17.02.21 21:56, Andrey Konovalov wrote:
>>> During boot, all non-reserved memblock memory is exposed to the buddy
>>> allocator. Poisoning all that memory with KASAN lengthens boot time,
>>> especially on systems with large amount of RAM. This patch makes
>>> page_alloc to not call kasan_free_pages() on all new memory.
>>>
>>> __free_pages_core() is used when exposing fresh memory during system
>>> boot and when onlining memory during hotplug. This patch adds a new
>>> FPI_SKIP_KASAN_POISON flag and passes it to __free_pages_ok() through
>>> free_pages_prepare() from __free_pages_core().
>>>
>>> This has little impact on KASAN memory tracking.
>>>
>>> Assuming that there are no references to newly exposed pages before they
>>> are ever allocated, there won't be any intended (but buggy) accesses to
>>> that memory that KASAN would normally detect.
>>>
>>> However, with this patch, KASAN stops detecting wild and large
>>> out-of-bounds accesses that happen to land on a fresh memory page that
>>> was never allocated. This is taken as an acceptable trade-off.
>>>
>>> All memory allocated normally when the boot is over keeps getting
>>> poisoned as usual.
>>>
>>> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
>>> Change-Id: Iae6b1e4bb8216955ffc14af255a7eaaa6f35324d
>>
>> Not sure this is the right thing to do, see
>>
>> https://lkml.kernel.org/r/bcf8925d-0949-3fe1-baa8-cc536c529860@oracle.com
>>
>> Reversing the order in which memory gets allocated + used during boot
>> (in a patch by me) might have revealed an invalid memory access during boot.
>>
>> I suspect that that issue would no longer get detected with your patch,
>> as the invalid memory access would simply not get detected. Now, I
>> cannot prove that :)
>
> This looks like a good example.
>
> Ok, what we can do is:
>
> 1. For KASAN_GENERIC: leave everything as is to be able to detect
> these boot-time bugs.
>
> 2. For KASAN_SW_TAGS: remove boot-time poisoning via
> kasan_free_pages(), but use the "invalid" tag as the default shadow
> value. The end result should be the same: bad accesses will be
> detected. For unallocated memory as it has the default "invalid" tag,
> and for allocated memory as it's poisoned properly when
> allocated/freed.
>
> 3. For KASAN_HW_TAGS: just remove boot-time poisoning via
> kasan_free_pages(). As the memory tags have a random unspecified
> value, we'll still have a 15/16 chance to detect a memory corruption.
>
> This also makes sense from the performance perspective: KASAN_GENERIC
> isn't meant to be running in production, so having a larger perf
> impact is acceptable. The other two modes will be faster.
Sounds in principle sane to me.
Side note: I am not sure if anybody runs KASAN in production. Memory is
expensive. Feel free to prove me wrong, I'd be very interest in actual
users.
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2021-02-18 19:46 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-17 20:56 [PATCH] mm, kasan: don't poison boot memory Andrey Konovalov
2021-02-18 8:55 ` David Hildenbrand
2021-02-18 19:40 ` Andrey Konovalov
2021-02-18 19:46 ` David Hildenbrand [this message]
2021-02-18 20:26 ` Andrey Konovalov
2021-02-19 0:06 ` George Kennedy
2021-02-19 0:09 ` Andrey Konovalov
2021-02-19 16:45 ` George Kennedy
2021-02-19 23:04 ` George Kennedy
2021-02-22 9:52 ` David Hildenbrand
2021-02-22 15:13 ` George Kennedy
2021-02-22 16:13 ` David Hildenbrand
2021-02-22 16:39 ` David Hildenbrand
2021-02-22 17:40 ` Konrad Rzeszutek Wilk
2021-02-22 18:45 ` Mike Rapoport
2021-02-22 18:42 ` George Kennedy
2021-02-22 21:55 ` Mike Rapoport
[not found] ` <9773282a-2854-25a4-9faa-9da5dd34e371@oracle.com>
2021-02-23 10:33 ` Mike Rapoport
[not found] ` <3ef9892f-d657-207f-d4cf-111f98dcb55c@oracle.com>
2021-02-23 15:47 ` Mike Rapoport
2021-02-23 18:05 ` George Kennedy
2021-02-23 20:09 ` Mike Rapoport
2021-02-23 21:16 ` George Kennedy
2021-02-23 21:32 ` Mike Rapoport
2021-02-23 21:46 ` George Kennedy
2021-02-24 10:37 ` Mike Rapoport
2021-02-24 14:22 ` George Kennedy
2021-02-25 8:53 ` Mike Rapoport
2021-02-25 12:38 ` George Kennedy
2021-02-25 14:57 ` Mike Rapoport
2021-02-25 15:22 ` George Kennedy
2021-02-25 16:06 ` George Kennedy
2021-02-25 16:07 ` Mike Rapoport
2021-02-25 16:31 ` George Kennedy
2021-02-25 17:23 ` David Hildenbrand
2021-02-25 17:41 ` Mike Rapoport
2021-02-25 17:50 ` Mike Rapoport
2021-02-25 17:33 ` George Kennedy
2021-02-26 1:19 ` George Kennedy
2021-02-26 11:17 ` Mike Rapoport
2021-02-26 16:16 ` George Kennedy
2021-02-28 18:08 ` Mike Rapoport
2021-03-01 14:29 ` George Kennedy
2021-03-02 1:20 ` George Kennedy
2021-03-02 9:57 ` Mike Rapoport
2021-02-23 21:26 ` George Kennedy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=509c1c80-bb2c-0c5c-ffa3-939ca40d2646@redhat.com \
--to=david@redhat.com \
--cc=Branislav.Rankov@arm.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=aryabinin@virtuozzo.com \
--cc=catalin.marinas@arm.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=eugenis@google.com \
--cc=george.kennedy@oracle.com \
--cc=glider@google.com \
--cc=hch@infradead.org \
--cc=kasan-dev@googlegroups.com \
--cc=kevin.brodsky@arm.com \
--cc=konrad@darnok.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pcc@google.com \
--cc=vincenzo.frascino@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).