On Tue, Feb 4, 2025 at 6:37 PM Maciej Wieczor-Retman <maciej.wieczor-retman@xxxxxxxxx> wrote: > > With smaller memory footprint KASAN could be used in production systems. > One problem is that saving stacktraces slowes memory allocation > substantially - with KASAN enabled up to 90% of time spent on kmalloc() > is spent on saving the stacktrace. > > Add mitigation mode to allow the option for running KASAN focused on > performance and security. In mitigation mode disable saving stacktraces > and set fault mode to always panic on KASAN error as a security > mechanism. > > Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@xxxxxxxxx> > --- > lib/Kconfig.kasan | 28 ++++++++++++++++++++++++++++ > mm/kasan/report.c | 4 ++++ > mm/kasan/tags.c | 5 +++++ > 3 files changed, 37 insertions(+) > > diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan > index d08b4e9bf477..6daa62b40dea 100644 > --- a/lib/Kconfig.kasan > +++ b/lib/Kconfig.kasan > @@ -244,4 +244,32 @@ config KASAN_SW_TAGS_DENSE > ARCH_HAS_KASAN_SW_TAGS_DENSE is needed for this option since the > special tag macros need to be properly set for 4-bit wide tags. > > +choice > + prompt "KASAN operation mode" > + default KASAN_OPERATION_DEBUG > + help > + Choose between the mitigation or debug operation modes. > + > + The first one disables stacktrace saving and enables panic on error. > + Faster memory allocation but less information. The second one is the > + default where KASAN operates with full functionality. This is something that I thought about before and I think we should _not_ add configuration options like these. The distinction between debug and mitigation modes is something that's specific to a particular user of the feature. Some might prefer to take the impact of having stack traces enabled in a production environment to allow debugging in-the-wild exploitation attempts. Also at some point in the future, we will hopefully have production-grade stack traces [1], and this would thus change the desired behavior of KASAN_OPERATION_MITIGATION. We already have the kasan.stacktrace command-line parameter for disabling stack trace collection. On top of that, if you prefer, we could add a configuration option that changes the default value of kasan_flag_stacktrace (but can still be overridden via the kasan.stacktrace command-line parameter). Note though that by default, stack traces should be turned on. [1] https://bugzilla.kernel.org/show_bug.cgi?id=211785 > + > +config KASAN_OPERATION_DEBUG > + bool "Debug operation mode" > + depends on KASAN > + help > + The default mode. Full functionality and all boot parameters > + available. > + > +config KASAN_OPERATION_MITIGATION > + bool "Mitigation operation mode" > + depends on KASAN > + help > + Operation mode dedicated at faster operation at the cost of less > + information collection. Disables stacktrace saving for faster > + allocations and forces panic on KASAN error to mitigate malicious > + attacks. > + > +endchoice > + > endif # KASAN > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > index ee9e406b0cdb..ae989d3bd919 100644 > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -47,7 +47,11 @@ enum kasan_arg_fault { > KASAN_ARG_FAULT_PANIC_ON_WRITE, > }; > > +#ifdef CONFIG_KASAN_OPERATION_MITIGATION > +static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_PANIC; > +#else > static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_DEFAULT; > +#endif > > /* kasan.fault=report/panic */ > static int __init early_kasan_fault(char *arg) > diff --git a/mm/kasan/tags.c b/mm/kasan/tags.c > index c111d98961ed..2414cddeaaf3 100644 > --- a/mm/kasan/tags.c > +++ b/mm/kasan/tags.c > @@ -78,6 +78,11 @@ early_param("kasan.stack_ring_size", early_kasan_flag_stack_ring_size); > > void __init kasan_init_tags(void) > { > + if (IS_ENABLED(CONFIG_KASAN_OPERATION_MITIGATION)) { > + static_branch_disable(&kasan_flag_stacktrace); > + return; > + } > + > switch (kasan_arg_stacktrace) { > case KASAN_ARG_STACKTRACE_DEFAULT: > /* Default is specified by kasan_flag_stacktrace definition. */ > -- > 2.47.1 >
