Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mm, page_poison: remove CONFIG_PAGE_POISONING_NO_SANITY

CONFIG_PAGE_POISONING_NO_SANITY skips the check on page alloc whether the
poison pattern was corrupted, suggesting a use-after-free. The motivation
to introduce it in commit 8823b1dbc05f ("mm/page_poison.c: enable
PAGE_POISONING as a separate option") was to simply sanitize freed pages,
optimally together with CONFIG_PAGE_POISONING_ZERO.

These days we have an init_on_free=1 boot option, which makes this use
case of page poisoning redundant. For sanitizing, writing zeroes is
sufficient, there is pretty much no benefit from writing the 0xAA poison
pattern to freed pages, without checking it back on alloc. Thus, remove
this option and suggest init_on_free instead in the main config's help.

Link: https://lkml.kernel.org/r/20201113104033.22907-5-vbabka@suse.cz
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@kernel.org>
Cc: Mateusz Nosek <mateusznosek0@gmail.com>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Authored by Vlastimil Babka and committed by Linus Torvalds
8f424750 03b6c9a3

+5 -17
+1 -3
drivers/virtio/virtio_balloon.c
··· 1114 1114 * page reporting as it could potentially change the contents 1115 1115 * of our free pages. 1116 1116 */ 1117 - if (!want_init_on_free() && 1118 - (IS_ENABLED(CONFIG_PAGE_POISONING_NO_SANITY) || 1119 - !page_poisoning_enabled_static())) 1117 + if (!want_init_on_free() && !page_poisoning_enabled_static()) 1120 1118 __virtio_clear_bit(vdev, VIRTIO_BALLOON_F_PAGE_POISON); 1121 1119 else if (!virtio_has_feature(vdev, VIRTIO_BALLOON_F_PAGE_POISON)) 1122 1120 __virtio_clear_bit(vdev, VIRTIO_BALLOON_F_REPORTING);
+4 -11
mm/Kconfig.debug
··· 74 74 Note that "poison" here is not the same thing as the "HWPoison" 75 75 for CONFIG_MEMORY_FAILURE. This is software poisoning only. 76 76 77 + If you are only interested in sanitization of freed pages without 78 + checking the poison pattern on alloc, you can boot the kernel with 79 + "init_on_free=1" instead of enabling this. 80 + 77 81 If unsure, say N 78 - 79 - config PAGE_POISONING_NO_SANITY 80 - depends on PAGE_POISONING 81 - bool "Only poison, don't sanity check" 82 - help 83 - Skip the sanity checking on alloc, only fill the pages with 84 - poison on free. This reduces some of the overhead of the 85 - poisoning feature. 86 - 87 - If you are only interested in sanitization, say Y. Otherwise 88 - say N. 89 82 90 83 config PAGE_POISONING_ZERO 91 84 bool "Use zero for poisoning instead of debugging value"
-3
mm/page_poison.c
··· 51 51 unsigned char *start; 52 52 unsigned char *end; 53 53 54 - if (IS_ENABLED(CONFIG_PAGE_POISONING_NO_SANITY)) 55 - return; 56 - 57 54 start = memchr_inv(mem, PAGE_POISON, bytes); 58 55 if (!start) 59 56 return;
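Review bot: in drivers/virtio/virtio_balloon.c, the simplified condition at new line 1117 changes feature negotiation for kernels that were built with CONFIG_PAGE_POISONING_NO_SANITY=y, and the commit message does not mention it. Before, such a build cleared VIRTIO_BALLOON_F_PAGE_POISON whenever want_init_on_free() was false; now the bit is kept whenever page_poisoning_enabled_static() is true. That is consistent with the poison pattern now always being checked on alloc, but a sentence on the balloon-visible change would help anyone bisecting guest behaviour.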
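Review bot: in mm/Kconfig.debug, dropping the PAGE_POISONING_NO_SANITY entry (old lines 79-88) silently converts existing configs. A .config that had both PAGE_POISONING=y and PAGE_POISONING_NO_SANITY=y keeps PAGE_POISONING and picks up the alloc-time check that the removed help text said it skipped to reduce overhead. The new paragraph at lines 77-79 points to "init_on_free=1", but only for readers who open the help, so consider saying in the commit message that those users should disable PAGE_POISONING and boot with init_on_free=1 instead.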
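Review bot: in mm/page_poison.c, the early return removed at old lines 54-55 was this file's visible use of CONFIG_PAGE_POISONING_NO_SANITY, but the patch touches only three files, so please confirm that no defconfig or documentation still sets or mentions the symbol. A stale reference would be dropped without warning on the next config update and would leave the docs describing an option that no longer exists.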