On Fri, Oct 24, 2025 at 09:57:24AM -0400, Pasha Tatashin wrote: > You're right the new kernel will eventually zero memory, but KHO > preserves at page granularity. If we preserve a single slab object, > the entire page is handed off. When the new kernel maps that page > (e.g., to userspace) to access the preserved object, it also exposes > the unpreserved portions of that same page. Those portions contain > stale data from the old kernel and won't have been zeroed yet, > creating an easy-to-miss data leak vector.
Do we zero any of the memory on KHO? Honestly, I wouldn't worry about the point it zeros, slab guarentees it will be zero when it should be zero. > There's also the inefficiency. The unpreserved parts of that page are > unusable by the new kernel until the preserved object is freed. Thats not how I see slab preservation working. When the slab page is unpreserved all the free space in that page should be immediately available to the sucessor kernel. > As I see it, the only robust solution is to use a special GFP flag. > This would force these allocations to come from a dedicated pool of > pages that are fully preserved, with no partial/mixed-use pages and > also retrieved as slabs. It is certainly more efficient to preserve fewer slab pages in total and pooling would help get there. > That said, I'm not sure preserving individual slab objects is a high > priority right now. It might be simpler to avoid it altogether. I think we will need something, a lot of the structs I'm seeing in other patches are small and allocating a whole page is pretty wasteful too. Jason
