Date: Tue, 29 Sep 2020 15:24:11 +0100
From: Mark Rutland
To: Marco Elver
Subject: Re: [PATCH v3 01/10] mm: add Kernel Electric-Fence infrastructure
Message-ID: <20200929142411.GC53442@C02TD0UTHF1T.local>
In-Reply-To: <20200921132611.1700350-2-elver@google.com>

On Mon, Sep 21, 2020 at 03:26:02PM +0200, Marco Elver wrote:
> From: Alexander Potapenko
>
> This adds the Kernel Electric-Fence (KFENCE) infrastructure. KFENCE is a
> low-overhead sampling-based memory safety error detector of heap
> use-after-free, invalid-free, and out-of-bounds access errors.
>
> KFENCE is designed to be enabled in production kernels, and has near
> zero performance overhead. Compared to KASAN, KFENCE trades performance
> for precision. The main motivation behind KFENCE's design, is that with
> enough total uptime KFENCE will detect bugs in code paths not typically
> exercised by non-production test workloads. One way to quickly achieve a
> large enough total uptime is when the tool is deployed across a large
> fleet of machines.
>
> KFENCE objects each reside on a dedicated page, at either the left or
> right page boundaries. The pages to the left and right of the object
> page are "guard pages", whose attributes are changed to a protected
> state, and cause page faults on any attempted access to them. Such page
> faults are then intercepted by KFENCE, which handles the fault
> gracefully by reporting a memory access error. To detect out-of-bounds
> writes to memory within the object's page itself, KFENCE also uses
> pattern-based redzones. The following figure illustrates the page
> layout:
>
>     ---+-----------+-----------+-----------+-----------+-----------+---
>        | xxxxxxxxx | O :       | xxxxxxxxx |       : O | xxxxxxxxx |
>        | xxxxxxxxx | B :       | xxxxxxxxx |       : B | xxxxxxxxx |
>        | x GUARD x | J : RED-  | x GUARD x | RED-  : J | x GUARD x |
>        | xxxxxxxxx | E :  ZONE | xxxxxxxxx |  ZONE : E | xxxxxxxxx |
>        | xxxxxxxxx | C :       | xxxxxxxxx |       : C | xxxxxxxxx |
>        | xxxxxxxxx | T :       | xxxxxxxxx |       : T | xxxxxxxxx |
>     ---+-----------+-----------+-----------+-----------+-----------+---
>
> Guarded allocations are set up based on a sample interval (can be set
> via kfence.sample_interval). After expiration of the sample interval, a
> guarded allocation from the KFENCE object pool is returned to the main
> allocator (SLAB or SLUB). At this point, the timer is reset, and the
> next allocation is set up after the expiration of the interval.

From other sub-threads it sounds like these addresses are not part of the linear/direct map.
Having kmalloc return addresses outside of the linear map is going to
break anything that relies on virt<->phys conversions, and is liable to
make DMA corrupt memory. There were problems of that sort with
VMAP_STACK, and this is why kvmalloc() is separate from kmalloc().

Have you tested with CONFIG_DEBUG_VIRTUAL? I'd expect that to scream.

I strongly suspect this isn't going to be safe unless you always use an
in-place carveout from the linear map (which could be the linear alias
of a static carveout).

[...]

> +static __always_inline void *kfence_alloc(struct kmem_cache *s, size_t size, gfp_t flags) > +{ > + return static_branch_unlikely(&kfence_allocation_key) ? __kfence_alloc(s, size, flags) : > + NULL; > +}

Minor (unrelated) nit, but this would be easier to read as:

static __always_inline void *kfence_alloc(struct kmem_cache *s, size_t size, gfp_t flags)
{
	if (static_branch_unlikely(&kfence_allocation_key))
		return __kfence_alloc(s, size, flags);
	return NULL;
}

Thanks,
Mark.
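
Review bot: The NULL arm of the ternary in kfence_alloc() is the expected result whenever kfence_allocation_key is off (the branch is marked unlikely), but nothing in the hunk tells callers that NULL here means "not a guarded allocation, continue with the normal slab path" rather than an allocation failure. A short comment above the helper stating that contract would stop a caller from treating the return value like a failed kmalloc() and bailing out with -ENOMEM.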
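
The guard-page and redzone layout described in the quoted commit message, as an added userspace sketch (not KFENCE code and not part of the patch). `struct guarded`, `guarded_alloc()`, `guarded_free()` and the 0xAA pattern are hypothetical, and the object is placed without the alignment handling a real allocator needs.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define REDZONE_BYTE 0xAA /* constructed pattern for this sketch */
struct guarded { uint8_t *base, *obj; size_t size, page; };

/* Map guard | object page | guard; put the object at the left or right edge. */
static int guarded_alloc(struct guarded *g, size_t size, int right)
{
	g->page = (size_t)sysconf(_SC_PAGESIZE);
	if (size == 0 || size > g->page)
		return -1;
	g->base = mmap(NULL, 3 * g->page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (g->base == MAP_FAILED)
		return -1;
	uint8_t *data = g->base + g->page;
	/* Only the middle page becomes accessible; its neighbours stay faulting guards. */
	if (mprotect(data, g->page, PROT_READ | PROT_WRITE)) {
		munmap(g->base, 3 * g->page);
		return -1;
	}
	memset(data, REDZONE_BYTE, g->page); /* bytes outside the object act as redzone */
	g->size = size;
	g->obj = right ? data + g->page - size : data;
	return 0;
}

/* Check the in-page redzone at free time: page offset of first bad byte, or -1. */
static long guarded_free(struct guarded *g)
{
	uint8_t *data = g->base + g->page;
	long bad = -1;
	for (size_t i = 0; i < g->page && bad < 0; i++)
		if ((data + i < g->obj || data + i >= g->obj + g->size) &&
		    data[i] != REDZONE_BYTE)
			bad = (long)i;
	munmap(g->base, 3 * g->page);
	return bad;
}

int main(void)
{
	struct guarded g;
	if (guarded_alloc(&g, 100, 0))
		return 1;
	g.obj[100] = 0; /* one byte past a left-aligned object: hits the redzone */
	return guarded_free(&g) == 100 ? 0 : 1;
}
```

A write that runs past the page edge instead of into the redzone touches a PROT_NONE page and faults immediately, which is the case the guard pages cover and the pattern check does not.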