Re: [PATCH v1 8/8] mm: kasan: Initial memory quarantine implementation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2016-02-18 23:06 GMT+09:00 Alexander Potapenko <glider@xxxxxxxxxx>:
> On Mon, Feb 1, 2016 at 3:47 AM, Joonsoo Kim <iamjoonsoo.kim@xxxxxxx> wrote:
>> On Wed, Jan 27, 2016 at 07:25:13PM +0100, Alexander Potapenko wrote:
>>> Quarantine isolates freed objects in a separate queue. The objects are
>>> returned to the allocator later, which helps to detect use-after-free
>>> errors.
>>>
>>> Freed objects are first added to per-cpu quarantine queues.
>>> When a cache is destroyed or memory shrinking is requested, the objects
>>> are moved into the global quarantine queue. Whenever a kmalloc call
>>> allows memory reclaiming, the oldest objects are popped out of the
>>> global queue until the total size of objects in quarantine is less than
>>> 3/4 of the maximum quarantine size (which is a fraction of installed
>>> physical memory).
>>
>> Just wondering why not using time based approach rather than size
>> based one. In heavy load condition, how much time do the object stay in
>> quarantine?
>>
>>>
>>> Right now quarantine support is only enabled in SLAB allocator.
>>> Unification of KASAN features in SLAB and SLUB will be done later.
>>>
>>> This patch is based on the "mm: kasan: quarantine" patch originally
>>> prepared by Dmitry Chernenkov.
>>>
>>> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
>>> ---
>>>  include/linux/kasan.h |  30 ++++--
>>>  lib/test_kasan.c      |  29 ++++++
>>>  mm/kasan/Makefile     |   2 +-
>>>  mm/kasan/kasan.c      |  68 +++++++++++-
>>>  mm/kasan/kasan.h      |  11 +-
>>>  mm/kasan/quarantine.c | 284 ++++++++++++++++++++++++++++++++++++++++++++++++++
>>>  mm/kasan/report.c     |   3 +-
>>>  mm/mempool.c          |   7 +-
>>>  mm/page_alloc.c       |   2 +-
>>>  mm/slab.c             |  12 ++-
>>>  mm/slab.h             |   4 +
>>>  mm/slab_common.c      |   2 +
>>>  mm/slub.c             |   4 +-
>>>  13 files changed, 435 insertions(+), 23 deletions(-)
>>>
>>
>> ...
>>
>>> +bool kasan_slab_free(struct kmem_cache *cache, void *object)
>>> +{
>>> +#ifdef CONFIG_SLAB
>>> +     /* RCU slabs could be legally used after free within the RCU period */
>>> +     if (unlikely(cache->flags & SLAB_DESTROY_BY_RCU))
>>> +             return false;
>>> +
>>> +     if (likely(cache->flags & SLAB_KASAN)) {
>>> +             struct kasan_alloc_meta *alloc_info =
>>> +                     get_alloc_info(cache, object);
>>> +             struct kasan_free_meta *free_info =
>>> +                     get_free_info(cache, object);
>>> +
>>> +             switch (alloc_info->state) {
>>> +             case KASAN_STATE_ALLOC:
>>> +                     alloc_info->state = KASAN_STATE_QUARANTINE;
>>> +                     quarantine_put(free_info, cache);
>>
>> quarantine_put() can be called regardless of SLAB_DESTROY_BY_RCU,
>> although it's not much meaningful without poisoning. But, I have an
>> idea to poison object on SLAB_DESTROY_BY_RCU cache.
>>
>> quarantine_put() moves per cpu list to global queue when
>> list size reaches QUARANTINE_PERCPU_SIZE. If we call synchronize_rcu()
>> at that time, after then, we can poison objects. With appropriate size
>> setup, it would not be intrusive.
>>
> Won't this slow the quarantine down unpredictably (e.g. in the case
> there're no RCU slabs in quarantine we'll still be waiting for
> synchronize_rcu())?

It could be handled by introducing one cpu variable.

> Yet this is something worth looking into. Do you want RCU to be
> handled in this patch set?

No. It would be future work.

>>> +                     set_track(&free_info->track, GFP_NOWAIT);
>>
>> set_track() can be called regardless of SLAB_DESTROY_BY_RCU.
> Agreed, I can fix that if we decide to handle RCU in this patch
> (otherwise it will lead to confusion).
>
>>
>>> +                     kasan_poison_slab_free(cache, object);
>>> +                     return true;
>>> +             case KASAN_STATE_QUARANTINE:
>>> +             case KASAN_STATE_FREE:
>>> +                     pr_err("Double free");
>>> +                     dump_stack();
>>> +                     break;
>>> +             default:
>>> +                     break;
>>> +             }
>>> +     }
>>> +     return false;
>>> +#else
>>> +     kasan_poison_slab_free(cache, object);
>>> +     return false;
>>> +#endif
>>> +}
>>> +
>>
>> ...
>>
>>> +void quarantine_reduce(void)
>>> +{
>>> +     size_t new_quarantine_size;
>>> +     unsigned long flags;
>>> +     struct qlist to_free = QLIST_INIT;
>>> +     size_t size_to_free = 0;
>>> +     void **last;
>>> +
>>> +     if (likely(ACCESS_ONCE(global_quarantine.bytes) <=
>>> +                smp_load_acquire(&quarantine_size)))
>>> +             return;
>>> +
>>> +     spin_lock_irqsave(&quarantine_lock, flags);
>>> +
>>> +     /* Update quarantine size in case of hotplug. Allocate a fraction of
>>> +      * the installed memory to quarantine minus per-cpu queue limits.
>>> +      */
>>> +     new_quarantine_size = (ACCESS_ONCE(totalram_pages) << PAGE_SHIFT) /
>>> +             QUARANTINE_FRACTION;
>>> +     new_quarantine_size -= QUARANTINE_PERCPU_SIZE * num_online_cpus();
>>> +     smp_store_release(&quarantine_size, new_quarantine_size);
>>> +
>>> +     last = global_quarantine.head;
>>> +     while (last) {
>>> +             struct kmem_cache *cache = qlink_to_cache(last);
>>> +
>>> +             size_to_free += cache->size;
>>> +             if (!*last || size_to_free >
>>> +                 global_quarantine.bytes - QUARANTINE_LOW_SIZE)
>>> +                     break;
>>> +             last = (void **) *last;
>>> +     }
>>> +     qlist_move(&global_quarantine, last, &to_free, size_to_free);
>>> +
>>> +     spin_unlock_irqrestore(&quarantine_lock, flags);
>>> +
>>> +     qlist_free_all(&to_free, NULL);
>>> +}
>>
>> Isn't it better to call quarantine_reduce() in shrink_slab()?
>> It will help to maximize quarantine time.
> This is true, however if we don't call quarantine_reduce() from
> kmalloc()/kfree() the size of the quarantine will be unpredictable.
> There's a tradeoff between efficiency and space here, and at least in
> some cases we may want to trade efficiency for space.

size of the quarantine doesn't matter unless there is memory pressure.
If memory pressure, shrink_slab() would be called and we can reduce
size of quarantine. However, I don't think this is show stopper. We can
do it when needed.

Thanks.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]