From: Qian Cai <cai@lca.pw>
To: Alexander Potapenko <glider@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
Kees Cook <keescook@chromium.org>,
Masahiro Yamada <yamada.masahiro@socionext.com>,
Michal Hocko <mhocko@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Nick Desaulniers <ndesaulniers@google.com>,
Kostya Serebryany <kcc@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Sandeep Patil <sspatil@android.com>,
Laura Abbott <labbott@redhat.com>,
Randy Dunlap <rdunlap@infradead.org>,
Jann Horn <jannh@google.com>, Mark Rutland <mark.rutland@arm.com>,
Marco Elver <elver@google.com>,
Linux Memory Management List <linux-mm@kvack.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v7 1/2] mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options
Date: Fri, 21 Jun 2019 09:36:10 -0400 [thread overview]
Message-ID: <1561124170.5154.43.camel@lca.pw> (raw)
In-Reply-To: <CAG_fn=XKK5+nC5LErJ+zo7dt3N-cO7zToz=bN2R891dMG_rncA@mail.gmail.com>
On Fri, 2019-06-21 at 15:31 +0200, Alexander Potapenko wrote:
> On Fri, Jun 21, 2019 at 2:36 PM Qian Cai <cai@lca.pw> wrote:
> >
> > On Mon, 2019-06-17 at 17:10 +0200, Alexander Potapenko wrote:
> > > diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> > > index d66bc8abe0af..50a3b104a491 100644
> > > --- a/mm/page_alloc.c
> > > +++ b/mm/page_alloc.c
> > > @@ -136,6 +136,48 @@ unsigned long totalcma_pages __read_mostly;
> > >
> > > int percpu_pagelist_fraction;
> > > gfp_t gfp_allowed_mask __read_mostly = GFP_BOOT_MASK;
> > > +#ifdef CONFIG_INIT_ON_ALLOC_DEFAULT_ON
> > > +DEFINE_STATIC_KEY_TRUE(init_on_alloc);
> > > +#else
> > > +DEFINE_STATIC_KEY_FALSE(init_on_alloc);
> > > +#endif
> > > +#ifdef CONFIG_INIT_ON_FREE_DEFAULT_ON
> > > +DEFINE_STATIC_KEY_TRUE(init_on_free);
> > > +#else
> > > +DEFINE_STATIC_KEY_FALSE(init_on_free);
> > > +#endif
> > > +
> >
> > There is a problem here running kernels built with clang,
> >
> > [ 0.000000] static_key_disable(): static key 'init_on_free+0x0/0x4' used
> > before call to jump_label_init()
> > [ 0.000000] WARNING: CPU: 0 PID: 0 at ./include/linux/jump_label.h:314
> > early_init_on_free+0x1c0/0x200
> > [ 0.000000] Modules linked in:
> > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.2.0-rc5-next-
> > 20190620+
> > #11
> > [ 0.000000] pstate: 60000089 (nZCv daIf -PAN -UAO)
> > [ 0.000000] pc : early_init_on_free+0x1c0/0x200
> > [ 0.000000] lr : early_init_on_free+0x1c0/0x200
> > [ 0.000000] sp : ffff100012c07df0
> > [ 0.000000] x29: ffff100012c07e20 x28: ffff1000110a01ec
> > [ 0.000000] x27: 0000000000000001 x26: ffff100011716f88
> > [ 0.000000] x25: ffff100010d367ae x24: ffff100010d367a5
> > [ 0.000000] x23: ffff100010d36afd x22: ffff100011716758
> > [ 0.000000] x21: 0000000000000000 x20: 0000000000000000
> > [ 0.000000] x19: 0000000000000000 x18: 000000000000002e
> > [ 0.000000] x17: 000000000000000f x16: 0000000000000040
> > [ 0.000000] x15: 0000000000000000 x14: 6d756a206f74206c
> > [ 0.000000] x13: 6c61632065726f66 x12: 6562206465737520
> > [ 0.000000] x11: 0000000000000000 x10: 0000000000000000
> > [ 0.000000] x9 : 0000000000000000 x8 : 0000000000000000
> > [ 0.000000] x7 : 73203a2928656c62 x6 : ffff1000144367ad
> > [ 0.000000] x5 : ffff100012c07b28 x4 : 000000000000000f
> > [ 0.000000] x3 : ffff1000101b36ec x2 : 0000000000000001
> > [ 0.000000] x1 : 0000000000000001 x0 : 000000000000005d
> > [ 0.000000] Call trace:
> > [ 0.000000] early_init_on_free+0x1c0/0x200
> > [ 0.000000] do_early_param+0xd0/0x104
> > [ 0.000000] parse_args+0x204/0x54c
> > [ 0.000000] parse_early_param+0x70/0x8c
> > [ 0.000000] setup_arch+0xa8/0x268
> > [ 0.000000] start_kernel+0x80/0x588
> > [ 0.000000] random: get_random_bytes called from __warn+0x164/0x208 with
> > crng_init=0
> >
> > > diff --git a/mm/slub.c b/mm/slub.c
> > > index cd04dbd2b5d0..9c4a8b9a955c 100644
> > > --- a/mm/slub.c
> > > +++ b/mm/slub.c
> > > @@ -1279,6 +1279,12 @@ static int __init setup_slub_debug(char *str)
> > > if (*str == ',')
> > > slub_debug_slabs = str + 1;
> > > out:
> > > + if ((static_branch_unlikely(&init_on_alloc) ||
> > > + static_branch_unlikely(&init_on_free)) &&
> > > + (slub_debug & SLAB_POISON)) {
> > > + pr_warn("disabling SLAB_POISON: can't be used together with
> > > memory auto-initialization\n");
> > > + slub_debug &= ~SLAB_POISON;
> > > + }
> > > return 1;
> > > }
> >
> > I don't think it is good idea to disable SLAB_POISON here as if people have
> > decided to enable SLUB_DEBUG later already, they probably care more to make
> > sure
> > those additional checks with SLAB_POISON are still running to catch memory
> > corruption.
>
> The problem is that freed buffers can't be both poisoned and zeroed at
> the same time.
> Do you think we need to disable memory initialization in that case instead?
Yes, disable init_on_free|alloc and keep SLAB_POISON sounds good to me.
next prev parent reply other threads:[~2019-06-21 13:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-17 15:10 [PATCH v7 0/3] add init_on_alloc/init_on_free boot options Alexander Potapenko
2019-06-17 15:10 ` [PATCH v7 1/2] mm: security: introduce init_on_alloc=1 and init_on_free=1 " Alexander Potapenko
2019-06-17 22:10 ` Andrew Morton
2019-06-18 5:07 ` Kees Cook
2019-06-18 5:19 ` Andrew Morton
2019-06-18 5:26 ` Kees Cook
2019-06-21 7:09 ` Michal Hocko
2019-06-21 8:57 ` Alexander Potapenko
2019-06-21 9:11 ` Michal Hocko
2019-06-21 9:18 ` Alexander Potapenko
2019-06-21 14:10 ` Alexander Potapenko
2019-06-21 15:12 ` Michal Hocko
2019-06-21 15:24 ` Alexander Potapenko
2019-06-21 15:54 ` Michal Hocko
2019-06-21 12:36 ` Qian Cai
2019-06-21 13:31 ` Alexander Potapenko
2019-06-21 13:36 ` Qian Cai [this message]
2019-06-17 15:10 ` [PATCH v7 2/2] mm: init: report memory auto-initialization features at boot time Alexander Potapenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1561124170.5154.43.camel@lca.pw \
--to=cai@lca.pw \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=kcc@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mhocko@kernel.org \
--cc=ndesaulniers@google.com \
--cc=rdunlap@infradead.org \
--cc=serge@hallyn.com \
--cc=sspatil@android.com \
--cc=yamada.masahiro@socionext.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).