Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp5314529ybi; Tue, 30 Jul 2019 18:26:53 -0700 (PDT) X-Google-Smtp-Source: APXvYqxbc4Hwcpl33N7cuzxmuTYGjRd8cnwCryb9/SFYVDW7a3rjtoTOevCq2qvW/ivQjSSQO9FS X-Received: by 2002:aa7:8817:: with SMTP id c23mr45225189pfo.146.1564536413369; Tue, 30 Jul 2019 18:26:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564536413; cv=none; d=google.com; s=arc-20160816; b=FL/4GUJN9O0EvwBONJT8jxb168L8SSE1whx2BUG6AePgdUd/ku5UXyFS8GJocOavv3 IV+FX+7mbHrXluw8Y/Yv6JQoweP3CB8iV+n8GaSb+FzdNnY2QMVeuThZ4LIZFHEM/q26 j79AjhfpGCtl37Il7BRbTGJjuq7AfZG3dBzzOvU47N69mZzauLDPTW8/9zI+JLphGn+0 20m9Z92Ve8j+4UCAjIKrQaxJtVM14QEHZJ9KgykyAAXR2BGlsqvXieTGUCK9dC1Lv4oh VRdURkC2VxL1u3/KjL3Y/2McYKon4JHmOts1cK/aHqPVvBDZXmGLLN8nGW8VIhtBpL53 ooAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=DYwRL+eADA+1dm6nanHrVrPUx1TH3By+TzxwtKS/MUA=; b=kTrz81JNNSLv1Em3xeeQxhttZNEkmqi3e+ovS40azmyg/3FrEaAjz+HVWB28aZNGTV xbHsqD6r/DJDUR+mTQKsu8Hs6IgCJSgkAl2UPwFuXqPteulF1RsdJY9N+5FXhsOWXpfi 9XffxFCmzv5cCK0swFI61qbOcJW/lC/tC+HrFjlZjab9HI1cWypPzYJ1QgYKLHSo9kPP QX2ns5KoiY8ikxwHa/Q3Vm5kG6mgUaf8ZnEK/RdCDy4GFsdzZfJVQeBpMlqhnyWD7BRJ raZ66uBmS0VyU9LZ/j3VX8Hlq/SVvSYFR0WLo3nuocH3n21730EnuQjaxIF9WQLqo8Rp C+mw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=HZfi31Fg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y187si34062255pgb.480.2019.07.30.18.25.55; Tue, 30 Jul 2019 18:26:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=HZfi31Fg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726581AbfG3TyS (ORCPT + 99 others); Tue, 30 Jul 2019 15:54:18 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:43784 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726343AbfG3TyR (ORCPT ); Tue, 30 Jul 2019 15:54:17 -0400 Received: by mail-lf1-f66.google.com with SMTP id c19so45618595lfm.10 for ; Tue, 30 Jul 2019 12:54:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DYwRL+eADA+1dm6nanHrVrPUx1TH3By+TzxwtKS/MUA=; b=HZfi31FgKPsyasTOb6vCxjP1sz7LClL3ngurJ8kvFZDA8/FUuK7rTNeFLHAi9xar1e KdFF+m6+ZryEaiM5B/0RTgTyuF6P37hFSKrrTZWJeO5TJN17R9x5xHUGj13OwwuETnpb Zt2dsRfhsFX4p8QCIFo4VxubYwsVHIHX6kMGs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DYwRL+eADA+1dm6nanHrVrPUx1TH3By+TzxwtKS/MUA=; b=puVXKc0qMljLuK3oHbhNj+pABLlofuTvi+Btt43x2wdCj/oxKlLFmj6NogTqpeJI7v zOm1jC4ilGX9H6+pjWZ26SfLtK9c1gmUJc4kwjcsALweRoCMpbLAkG1hxpJ4RalOHe3a 1wVWdtTfXAMzO8KnpRXZlWC1js18mYg4iLaVeTes/8OQx2ButWJrXZmQh0jHYVOU0NH+ Upn1W7pQ2WguEVfSH7cqcFYy00xJcNmeqNcbnXlCRggZpaWA6luWY4rMTpYHp9IY7hAs sEo5qIJs98YcSQFDbQaQCXzctnzFm9Uquq0qJImCkBoyWYZdOJ58raVlg6JFuVvWsCR6 6efg== X-Gm-Message-State: APjAAAXn6cK99jJ/bJwwC7Oz+dsJJ0854AjhR1eMm5Y/0hK67NSEhIPS vLuUzD0qLIFZ/qPCVB4CNmc0tTgT9Ts= X-Received: by 2002:ac2:48a5:: with SMTP id u5mr57404285lfg.62.1564516454825; Tue, 30 Jul 2019 12:54:14 -0700 (PDT) Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com. [209.85.208.182]) by smtp.gmail.com with ESMTPSA id t21sm11356184lfl.17.2019.07.30.12.54.13 for (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Tue, 30 Jul 2019 12:54:13 -0700 (PDT) Received: by mail-lj1-f182.google.com with SMTP id v24so63380201ljg.13 for ; Tue, 30 Jul 2019 12:54:13 -0700 (PDT) X-Received: by 2002:a2e:9b83:: with SMTP id z3mr33651123lji.84.1564516453281; Tue, 30 Jul 2019 12:54:13 -0700 (PDT) MIME-Version: 1.0 References: <201907281218.F6D2C2DD@keescook> <201907281507.B3F11DD54@keescook> In-Reply-To: From: Linus Torvalds Date: Tue, 30 Jul 2019 12:53:57 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] meminit fix for v5.3-rc2 To: Alexander Potapenko Cc: Kees Cook , Linux List Kernel Mailing , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 30, 2019 at 6:53 AM Alexander Potapenko wrote: > > I wonder how hard it should be to make a zero-filling GCC plugin? > I'm not a big fan of hacking GCC, but it shouldn't differ much from > the existing GCC plugins that initialize locals. The thing is, as long as it's a plugin, I don't think we can rely on it. The gcc people will rightly just laugh at us if we were to report a bug with some kernel plugin. So I'd like the zeroing of local variables to be a native compiler option, so that we can (_eventually_ - these things take a long time) just start saying "ok, we simply consider stack variables to be always initialized". > I've some stale data collected on an x86 QEMU instance. > For 0x00 stack initialization: > - hackbench, netperf and parallel Linux build were virtually free > (slowdown within stdev) > - for af_inet_loopback the slowdown was ~4% > For 0xAA stack initialization: > - netperf and parallel Linux build were free > - for hackbench the slowdown was ~1.5% > - for af_inet_loopback the slowdown was ~7% So I would expect that we have some special cases where we end up having arrays (or big structures) on the stack that end up being critical, and where initializing them is clearly abad idea. Then we can verify manually are very much initialized, and that we could then mark and say "this is uninitialized". So when a compiler has an option to initialize stack variables, it would probably _also_ be a very good idea for that compiler to then support a variable attribute that says "don't initialize _this_ variable, I will do that manually". But if we in ten years had a kernel model where only allocations and variables that were _explicitly_ uninitialized, that would be lovely. Then you can grep for those and verify that "yes, this is safe". We've historically had the reverse model - things are uninitialized by default, and you have to explicitly initialize them. Turning that on its head is what I would like to do long-term. (For normal allocations that wouldn't be too bad: get rid of __GFP_ZERO and friends, and instead do __GFP_UNINITIALIZED). Again - I don't think we want a world where everything is force-initialized. There _are_ going to be situations where that just hurts too much. But if we get to a place where we are zero-initialized by default, and have to explicitly mark the unsafe things (and we'll have comments not just about how they get initialized, but also about why that particular thing is so performance-critical), that would be a good place to be. This, btw, is why I also think that the "initialize with poison" is pointless and wrong. Yes, it can find bugs, but it doesn't really help improve the general situation, and people see it as a debugging tool, not a "improve code quality and improve the life of kernel developers" tool. Linus