On Thu, Feb 7, 2019 at 9:56 AM Nitesh Narayan Lal <nitesh@xxxxxxxxxx> wrote: > > > On 2/7/19 12:23 PM, Alexander Duyck wrote: > > On Mon, Feb 4, 2019 at 2:11 PM Nitesh Narayan Lal <nitesh@xxxxxxxxxx> wrote: > >> This patch disables page poisoning if guest page hinting is enabled. > >> It is required to avoid possible guest memory corruption errors. > >> Page Poisoning is a feature in which the page is filled with a specific > >> pattern of (0x00 or 0xaa) after arch_free_page and the same is verified > >> before arch_alloc_page to prevent following issues: > >> *information leak from the freed data > >> *use after free bugs > >> *memory corruption > >> Selection of the pattern depends on the CONFIG_PAGE_POISONING_ZERO > >> Once the guest pages which are supposed to be freed are sent to the > >> hypervisor it frees them. After freeing the pages in the global list > >> following things may happen: > >> *Hypervisor reallocates the freed memory back to the guest > >> *Hypervisor frees the memory and maps a different physical memory > >> In order to prevent any information leak hypervisor before allocating > >> memory to the guest fills it with zeroes. > >> The issue arises when the pattern used for Page Poisoning is 0xaa while > >> the newly allocated page received from the hypervisor by the guest is > >> filled with the pattern 0x00. This will result in memory corruption errors. > >> > >> Signed-off-by: Nitesh Narayan Lal <nitesh@xxxxxxxxxx> > > This seems kind of backwards to me. Why disable page poisoning instead > > of just not hinting about the free pages? There shouldn't be that many > > instances when page poisoning is enabled, and when it is it would make > > more sense to leave it enabled rather than silently disable it. > As I have mentioned in the cover email, I intend to reuse Wei's already > merged work. > > This will enable the guest to communicate the poison value which is in > use to the host. That is far from being reliable given that you are having to buffer the pages for some period of time. I really think it would be better to just allow page poisoning to function and when you can support applying poison to a newly allocated page then you could look at re-enabling it. What I am getting at is that those that care about poisoning won't likely care about performance and I would lump the memory hinting in with other performance features.
