mm/page_poisoning.c: allow for zero poisoning

By default, page poisoning uses a poison value (0xaa) on free.  If this
is changed to 0, the page is not only sanitized but zeroing on alloc
with __GFP_ZERO can be skipped as well.  The tradeoff is that detecting
corruption from the poisoning is harder to detect.  This feature also
cannot be used with hibernation since pages are not guaranteed to be
zeroed after hibernation.

Credit to Grsecurity/PaX team for inspiring this work

Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Acked-by: Rafael J. Wysocki <rjw@rjwysocki.net>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Jianyu Zhan <nasa4836@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

4 files changed, 37 insertions, 5 deletions

diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
index 1f99f9a0deae..5c50b238b770 100644
--- a/mm/Kconfig.debug
+++ b/mm/Kconfig.debug
@@ -65,3 +65,17 @@ config PAGE_POISONING_NO_SANITY
 
            If you are only interested in sanitization, say Y. Otherwise
            say N.
+
+config PAGE_POISONING_ZERO
+        bool "Use zero for poisoning instead of random data"
+        depends on PAGE_POISONING
+        ---help---
+           Instead of using the existing poison value, fill the pages with
+           zeros. This makes it harder to detect when errors are occurring
+           due to sanitization but the zeroing at free means that it is
+           no longer necessary to write zeros when GFP_ZERO is used on
+           allocation.
+
+           Enabling page poisoning with this option will disable hibernation
+
+           If unsure, say N
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 2a08349fbab2..50897dcaefdb 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1405,15 +1405,24 @@ static inline int check_new_page(struct page *page)
         return 0;
 }
 
+static inline bool free_pages_prezeroed(bool poisoned)
+{
+        return IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) &&
+                page_poisoning_enabled() && poisoned;
+}
+
 static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
                                                                 int alloc_flags)
 {
         int i;
+        bool poisoned = true;
 
         for (i = 0; i < (1 << order); i++) {
                 struct page *p = page + i;
                 if (unlikely(check_new_page(p)))
                         return 1;
+                if (poisoned)
+                        poisoned &= page_is_poisoned(p);
         }
 
         set_page_private(page, 0);
@@ -1424,7 +1433,7 @@ static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
         kernel_poison_pages(page, 1 << order, 1);
         kasan_alloc_pages(page, order);
 
-        if (gfp_flags & __GFP_ZERO)
+        if (!free_pages_prezeroed(poisoned) && (gfp_flags & __GFP_ZERO))
                 for (i = 0; i < (1 << order); i++)
                         clear_highpage(page + i);
 
diff --git a/mm/page_ext.c b/mm/page_ext.c
index 292ca7b8debd..2d864e64f7fe 100644
--- a/mm/page_ext.c
+++ b/mm/page_ext.c
@@ -106,12 +106,15 @@ struct page_ext *lookup_page_ext(struct page *page)
         struct page_ext *base;
 
         base = NODE_DATA(page_to_nid(page))->node_page_ext;
-#ifdef CONFIG_DEBUG_VM
+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAGE_POISONING)
         /*
          * The sanity checks the page allocator does upon freeing a
          * page can reach here before the page_ext arrays are
          * allocated when feeding a range of pages to the allocator
          * for the first time during bootup or memory hotplug.
+         *
+         * This check is also necessary for ensuring page poisoning
+         * works as expected when enabled
          */
         if (unlikely(!base))
                 return NULL;
@@ -180,12 +183,15 @@ struct page_ext *lookup_page_ext(struct page *page)
 {
         unsigned long pfn = page_to_pfn(page);
         struct mem_section *section = __pfn_to_section(pfn);
-#ifdef CONFIG_DEBUG_VM
+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAGE_POISONING)
         /*
          * The sanity checks the page allocator does upon freeing a
          * page can reach here before the page_ext arrays are
          * allocated when feeding a range of pages to the allocator
          * for the first time during bootup or memory hotplug.
+         *
+         * This check is also necessary for ensuring page poisoning
+         * works as expected when enabled
          */
         if (!section->page_ext)
                 return NULL;
diff --git a/mm/page_poison.c b/mm/page_poison.c
index 89d3bc773633..479e7ea2bea6 100644
--- a/mm/page_poison.c
+++ b/mm/page_poison.c
@@ -71,11 +71,14 @@ static inline void clear_page_poison(struct page *page)
         __clear_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
 }
 
-static inline bool page_poison(struct page *page)
+bool page_is_poisoned(struct page *page)
 {
         struct page_ext *page_ext;
 
         page_ext = lookup_page_ext(page);
+        if (!page_ext)
+                return false;
+
         return test_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
 }
 
@@ -137,7 +140,7 @@ static void unpoison_page(struct page *page)
 {
         void *addr;
 
-        if (!page_poison(page))
+        if (!page_is_poisoned(page))
                 return;
 
         addr = kmap_atomic(page);