Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1209769ybl; Fri, 16 Aug 2019 10:42:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqwz+5ZpKKUN/0wx5/hCaCB85E6LuDNPj28zHC68XGw2VP9CsFzUj347pp+WrWBDuvjr7lJG X-Received: by 2002:a17:90a:1a1a:: with SMTP id 26mr8449324pjk.118.1565977323655; Fri, 16 Aug 2019 10:42:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565977323; cv=none; d=google.com; s=arc-20160816; b=hEGDOvNMAbTPa0SrXeJitHA4+hYo17ndAeSM8odSQe5bBnLw7dzbgnS3fk8Yeht8lK 1TcFRRSjKS4/QR3daEl3N9bTfRuOdXRKl87CN5+BVE3oLycRmsOXIEuxMEre59JpQcf2 Q3hRSwY4l2DgY9dOXEIW94dW38ymBJTsB/wjfPFZTykQHTLstoLcxqFs55A8Rbi0FBrp /ekLfmvvpToaOqYGid+yglwVGWl7LpInZly00mHBOFg8mQJhsB//VvnsEzb0YpICFn09 jabdHQRovZA58d2r07gQ480lEtrthOjdrQncfxc1T5W87BiP9ejn2//fiBhv90KdW1W3 IbGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=aFI8TAvCX3mGqmCyOrNiViRTHQlXirAglLGjqpHruWA=; b=Zt/aBvro7suGMt7MfAlC+RneRXB/06/ws0JyFdBVTTwquvysO8HLO5nYy3pgjBFmL4 HI/qQ6Iw3DSWHYd2R+Wis3uY0bk/t7cARengFY3R79zIBOqF1UyFA51j06qFtqrO01o1 NEOZANxRdRBrcql32ToxaUB27aaVB75KmN7b3H6Z4DvAusRPW2adGXhmt5GakWtkoowg 9q++CHpIoi0KSVRODJkCOx6hhCrXjjaHsHgipH8yFTlRKLx2FrLYBoMsH1OyvL9bnL/P 3Uc7txkM/95BFiMre/d6Leyp4R2HxN/sxRtjDJWUu8SCdKl0hErwxc/8e6wVCGdj0AH8 FP3w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0gBjg2V1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a186si4149416pge.365.2019.08.16.10.41.48; Fri, 16 Aug 2019 10:42:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0gBjg2V1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727473AbfHPRlP (ORCPT + 99 others); Fri, 16 Aug 2019 13:41:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:55804 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726947AbfHPRlP (ORCPT ); Fri, 16 Aug 2019 13:41:15 -0400 Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DB440217F4 for ; Fri, 16 Aug 2019 17:41:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1565977274; bh=aFI8TAvCX3mGqmCyOrNiViRTHQlXirAglLGjqpHruWA=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=0gBjg2V14ARcGqo5UtatDyyrKjytpOckH+hDzoQQkMrjJPC6lX1IsBIHdwj0XKPJd DR6ykHOX1+iypJVJZIVLGwRqNlu2w1c9CUmU176K4vmXvTHuCBxBk+loOxximauXem d9z1EaaXzc2PPV5jzw+E1iEQaHjsxsjKtiXhMcKE= Received: by mail-wr1-f47.google.com with SMTP id s18so2306621wrn.1 for ; Fri, 16 Aug 2019 10:41:13 -0700 (PDT) X-Gm-Message-State: APjAAAWr0FoyT0yen0FX3C+jwolerzugYFyhCIYUiqg2l/A+9F8Gcv/t TSN5XdjFBdK/NIaBcClp/y1fJQGHM+JOAHUzap8p2g== X-Received: by 2002:a05:6000:4f:: with SMTP id k15mr11973553wrx.221.1565977272223; Fri, 16 Aug 2019 10:41:12 -0700 (PDT) MIME-Version: 1.0 References: <20190815001636.12235-1-dja@axtens.net> <20190815001636.12235-2-dja@axtens.net> <15c6110a-9e6e-495c-122e-acbde6e698d9@c-s.fr> <20190816170813.GA7417@lakrids.cambridge.arm.com> In-Reply-To: <20190816170813.GA7417@lakrids.cambridge.arm.com> From: Andy Lutomirski Date: Fri, 16 Aug 2019 10:41:00 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v4 1/3] kasan: support backing vmalloc space with real shadow memory To: Mark Rutland Cc: Christophe Leroy , Daniel Axtens , kasan-dev , Linux-MM , X86 ML , Andrey Ryabinin , Alexander Potapenko , Andrew Lutomirski , LKML , Dmitry Vyukov , linuxppc-dev , Vasily Gorbik Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 16, 2019 at 10:08 AM Mark Rutland wrote: > > Hi Christophe, > > On Fri, Aug 16, 2019 at 09:47:00AM +0200, Christophe Leroy wrote: > > Le 15/08/2019 =C3=A0 02:16, Daniel Axtens a =C3=A9crit : > > > Hook into vmalloc and vmap, and dynamically allocate real shadow > > > memory to back the mappings. > > > > > > Most mappings in vmalloc space are small, requiring less than a full > > > page of shadow space. Allocating a full shadow page per mapping would > > > therefore be wasteful. Furthermore, to ensure that different mappings > > > use different shadow pages, mappings would have to be aligned to > > > KASAN_SHADOW_SCALE_SIZE * PAGE_SIZE. > > > > > > Instead, share backing space across multiple mappings. Allocate > > > a backing page the first time a mapping in vmalloc space uses a > > > particular page of the shadow region. Keep this page around > > > regardless of whether the mapping is later freed - in the mean time > > > the page could have become shared by another vmalloc mapping. > > > > > > This can in theory lead to unbounded memory growth, but the vmalloc > > > allocator is pretty good at reusing addresses, so the practical memor= y > > > usage grows at first but then stays fairly stable. > > > > I guess people having gigabytes of memory don't mind, but I'm concerned > > about tiny targets with very little amount of memory. I have boards wit= h as > > little as 32Mbytes of RAM. The shadow region for the linear space alrea= dy > > takes one eighth of the RAM. I'd rather avoid keeping unused shadow pag= es > > busy. > > I think this depends on how much shadow would be in constant use vs what > would get left unused. If the amount in constant use is sufficiently > large (or the residue is sufficiently small), then it may not be > worthwhile to support KASAN_VMALLOC on such small systems. > > > Each page of shadow memory represent 8 pages of real memory. Could we u= se > > page_ref to count how many pieces of a shadow page are used so that we = can > > free it when the ref count decreases to 0. > > > > > This requires architecture support to actually use: arches must stop > > > mapping the read-only zero page over portion of the shadow region tha= t > > > covers the vmalloc space and instead leave it unmapped. > > > > Why 'must' ? Couldn't we switch back and forth from the zero page to re= al > > page on demand ? > > > > If the zero page is not mapped for unused vmalloc space, bad memory acc= esses > > will Oops on the shadow memory access instead of Oopsing on the real ba= d > > access, making it more difficult to locate and identify the issue. > > I agree this isn't nice, though FWIW this can already happen today for > bad addresses that fall outside of the usual kernel address space. We > could make the !KASAN_INLINE checks resilient to this by using > probe_kernel_read() to check the shadow, and treating unmapped shadow as > poison. Could we instead modify the page fault handlers to detect this case and print a useful message?