Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp7513830pxb; Thu, 18 Feb 2021 12:05:46 -0800 (PST) X-Google-Smtp-Source: ABdhPJzJiO+KctWLsuZmNfTBKlzg4c8MfEhj2/WwUqAGrUUZEg9O1cNDaYnI9l1DdHtL6Hi3IaR1 X-Received: by 2002:a05:6402:31af:: with SMTP id dj15mr5602186edb.59.1613678746246; Thu, 18 Feb 2021 12:05:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613678746; cv=none; d=google.com; s=arc-20160816; b=TjUL4lqHtm4PceHc50VBZZm2iG6NvUUYqxR92aHRANQCBHmr6C2eP46jkN0KIPUumb K4vOqBQc0lXDbHG7Tu6gV9q7vycdrMw/1yqWrKLtwCOYG7cXWL4Ww2/b9S/EdONs3KNy RhPk7OFcVTiHkSdpQvQFqOqOei61eWN7Beoes9GQxGPjWJWKlH72dIuQ5UqOnW7jCEvK 2eicHVUNlOIvhpQ0lDd/57BLnOeEqJlVIqkAZDUeOXA6DnPatfCQmK2ap7lR2ufM8fxV 4WhQKdcdaKlVTaw1WXeA9wCHnRKG5CPe4CQhh5/W2MfDzhET5SpVxdADOK7dm7Cpxff8 bFYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:organization :from:references:cc:to:subject:dkim-signature; bh=+ZmGAzUC+8dwc8omdud3uVAWf0zcvuutIq5VHsAV4q0=; b=lSEMUzDlQ7/p1HMOwjSkPt7OLae9ZZv4JmUCDYINIMn5+gQtgjzvG9xlRUT8YMPgLn 2wHe2H+neswqxzUjJzy/UvO6/OoOpYpOVJv2OVUv+JAgAOuJCXaU1wW4sC/hMZznrYST WZG/lFB176RhFvUvkIDTv9NrZt5t/ro3UpdtGUJ1+7HVIlbZPYLsqGDtYNGvc4SOn6Ta 9rJ74DPz1+0mCqe1Pgd84vK3EcLR+YkKRiYxE9Vy4mWA96gfVFlMLNepavis3YOWVcJb aIP7bQGQwizLSMGdT1qsPqyXAYqMzw4uhFhAAOuifj7kzQfjYUiRgualvnKOWOC95A69 Y8NQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=MK360Jwk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bi3si4307399edb.100.2021.02.18.12.05.22; Thu, 18 Feb 2021 12:05:46 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=MK360Jwk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231861AbhBRUBn (ORCPT + 99 others); Thu, 18 Feb 2021 15:01:43 -0500 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:24891 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233112AbhBRTr4 (ORCPT ); Thu, 18 Feb 2021 14:47:56 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1613677590; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+ZmGAzUC+8dwc8omdud3uVAWf0zcvuutIq5VHsAV4q0=; b=MK360Jwkvs8EQWcgmw7fj/uTTbYVdrRd28iq6u4x9NyveBgSV1sCp5fvmOo2tIZDHEAqDN nJqmRkyMYFmsdJN9YYLWzXh77SquoDBtJhhuXNEepLSpn4cMZupN0tdpEb08hqUlZbVDOp jAgIOFgPGZBIHsTMu6Lq4bkJQpMCue8= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-601-55MMnnLmMF2NSFx3LYxoGg-1; Thu, 18 Feb 2021 14:46:25 -0500 X-MC-Unique: 55MMnnLmMF2NSFx3LYxoGg-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B8721C297; Thu, 18 Feb 2021 19:46:22 +0000 (UTC) Received: from [10.36.114.59] (ovpn-114-59.ams2.redhat.com [10.36.114.59]) by smtp.corp.redhat.com (Postfix) with ESMTP id AB0E410016DB; Thu, 18 Feb 2021 19:46:18 +0000 (UTC) Subject: Re: [PATCH] mm, kasan: don't poison boot memory To: Andrey Konovalov Cc: Andrew Morton , Catalin Marinas , Vincenzo Frascino , Dmitry Vyukov , George Kennedy , Konrad Rzeszutek Wilk , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Marco Elver , Peter Collingbourne , Evgenii Stepanov , Branislav Rankov , Kevin Brodsky , Christoph Hellwig , kasan-dev , Linux ARM , Linux Memory Management List , LKML References: <487751e1ccec8fcd32e25a06ce000617e96d7ae1.1613595269.git.andreyknvl@google.com> From: David Hildenbrand Organization: Red Hat GmbH Message-ID: <509c1c80-bb2c-0c5c-ffa3-939ca40d2646@redhat.com> Date: Thu, 18 Feb 2021 20:46:17 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 18.02.21 20:40, Andrey Konovalov wrote: > On Thu, Feb 18, 2021 at 9:55 AM David Hildenbrand wrote: >> >> On 17.02.21 21:56, Andrey Konovalov wrote: >>> During boot, all non-reserved memblock memory is exposed to the buddy >>> allocator. Poisoning all that memory with KASAN lengthens boot time, >>> especially on systems with large amount of RAM. This patch makes >>> page_alloc to not call kasan_free_pages() on all new memory. >>> >>> __free_pages_core() is used when exposing fresh memory during system >>> boot and when onlining memory during hotplug. This patch adds a new >>> FPI_SKIP_KASAN_POISON flag and passes it to __free_pages_ok() through >>> free_pages_prepare() from __free_pages_core(). >>> >>> This has little impact on KASAN memory tracking. >>> >>> Assuming that there are no references to newly exposed pages before they >>> are ever allocated, there won't be any intended (but buggy) accesses to >>> that memory that KASAN would normally detect. >>> >>> However, with this patch, KASAN stops detecting wild and large >>> out-of-bounds accesses that happen to land on a fresh memory page that >>> was never allocated. This is taken as an acceptable trade-off. >>> >>> All memory allocated normally when the boot is over keeps getting >>> poisoned as usual. >>> >>> Signed-off-by: Andrey Konovalov >>> Change-Id: Iae6b1e4bb8216955ffc14af255a7eaaa6f35324d >> >> Not sure this is the right thing to do, see >> >> https://lkml.kernel.org/r/bcf8925d-0949-3fe1-baa8-cc536c529860@oracle.com >> >> Reversing the order in which memory gets allocated + used during boot >> (in a patch by me) might have revealed an invalid memory access during boot. >> >> I suspect that that issue would no longer get detected with your patch, >> as the invalid memory access would simply not get detected. Now, I >> cannot prove that :) > > This looks like a good example. > > Ok, what we can do is: > > 1. For KASAN_GENERIC: leave everything as is to be able to detect > these boot-time bugs. > > 2. For KASAN_SW_TAGS: remove boot-time poisoning via > kasan_free_pages(), but use the "invalid" tag as the default shadow > value. The end result should be the same: bad accesses will be > detected. For unallocated memory as it has the default "invalid" tag, > and for allocated memory as it's poisoned properly when > allocated/freed. > > 3. For KASAN_HW_TAGS: just remove boot-time poisoning via > kasan_free_pages(). As the memory tags have a random unspecified > value, we'll still have a 15/16 chance to detect a memory corruption. > > This also makes sense from the performance perspective: KASAN_GENERIC > isn't meant to be running in production, so having a larger perf > impact is acceptable. The other two modes will be faster. Sounds in principle sane to me. Side note: I am not sure if anybody runs KASAN in production. Memory is expensive. Feel free to prove me wrong, I'd be very interest in actual users. -- Thanks, David / dhildenb