mm, page_poison: remove CONFIG_PAGE_POISONING_NO_SANITY

CONFIG_PAGE_POISONING_NO_SANITY skips the check on page alloc whether the
poison pattern was corrupted, suggesting a use-after-free.  The motivation
to introduce it in commit a2a02188f208 ("mm/page_poison.c: enable
PAGE_POISONING as a separate option") was to simply sanitize freed pages,
optimally together with CONFIG_PAGE_POISONING_ZERO.

These days we have an init_on_free=1 boot option, which makes this use
case of page poisoning redundant.  For sanitizing, writing zeroes is
sufficient, there is pretty much no benefit from writing the 0xAA poison
pattern to freed pages, without checking it back on alloc.  Thus, remove
this option and suggest init_on_free instead in the main config's help.

Link: https://lkml.kernel.org/r/20201113104033.22907-5-vbabka@suse.cz
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@kernel.org>
Cc: Mateusz Nosek <mateusznosek0@gmail.com>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index e53faed6ba93f696454a8ac9e88ccbfbb9a38bd1..8985fc2cea8615fca33c8451bac06c80ee111aeb 100644 (file)
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -1114,9 +1114,7 @@ static int virtballoon_validate(struct virtio_device *vdev)
         * page reporting as it could potentially change the contents
         * of our free pages.
         */
-       if (!want_init_on_free() &&
-           (IS_ENABLED(CONFIG_PAGE_POISONING_NO_SANITY) ||
-            !page_poisoning_enabled_static()))
+       if (!want_init_on_free() && !page_poisoning_enabled_static())
                __virtio_clear_bit(vdev, VIRTIO_BALLOON_F_PAGE_POISON);
        else if (!virtio_has_feature(vdev, VIRTIO_BALLOON_F_PAGE_POISON))
                __virtio_clear_bit(vdev, VIRTIO_BALLOON_F_REPORTING);

diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
index c57786ad5be9222b68f093c729fe33d172e1c5a4..14e29fe5bfa605959eb4905e776289821aefc812 100644 (file)
--- a/mm/Kconfig.debug
+++ b/mm/Kconfig.debug
@@ -74,18 +74,11 @@ config PAGE_POISONING
          Note that "poison" here is not the same thing as the "HWPoison"
          for CONFIG_MEMORY_FAILURE. This is software poisoning only.
 
-         If unsure, say N
+         If you are only interested in sanitization of freed pages without
+         checking the poison pattern on alloc, you can boot the kernel with
+         "init_on_free=1" instead of enabling this.
 
-config PAGE_POISONING_NO_SANITY
-       depends on PAGE_POISONING
-       bool "Only poison, don't sanity check"
-       help
-          Skip the sanity checking on alloc, only fill the pages with
-          poison on free. This reduces some of the overhead of the
-          poisoning feature.
-
-          If you are only interested in sanitization, say Y. Otherwise
-          say N.
+         If unsure, say N
 
 config PAGE_POISONING_ZERO
        bool "Use zero for poisoning instead of debugging value"

diff --git a/mm/page_poison.c b/mm/page_poison.c
index 4d75fc9ccc7ac33c4b963328684c1da1a6300e37..06ec518b2089445f535fb6befbcb13c3a6103290 100644 (file)
--- a/mm/page_poison.c
+++ b/mm/page_poison.c
@@ -51,9 +51,6 @@ static void check_poison_mem(unsigned char *mem, size_t bytes)
        unsigned char *start;
        unsigned char *end;
 
-       if (IS_ENABLED(CONFIG_PAGE_POISONING_NO_SANITY))
-               return;
-
        start = memchr_inv(mem, PAGE_POISON, bytes);
        if (!start)
                return;