From: andrey.konovalov@linux.dev
To: Marco Elver <elver@google.com>, Alexander Potapenko <glider@google.com>, Vincenzo Frascino <vincenzo.frascino@arm.com>, Catalin Marinas <catalin.marinas@arm.com>, Peter Collingbourne <pcc@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>, Dmitry Vyukov <dvyukov@google.com>, Andrey Ryabinin <ryabinin.a.a@gmail.com>, kasan-dev@googlegroups.com, Andrew Morton <akpm@linux-foundation.org>, linux-mm@kvack.org, Will Deacon <will@kernel.org>, Mark Rutland <mark.rutland@arm.com>, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov <eugenis@google.com>, linux-kernel@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH v2 23/34] kasan, vmalloc: add vmalloc support to SW_TAGS
Date: Mon, 6 Dec 2021 22:44:00 +0100
Message-ID: <666b9e932dde24df6e1b02493a04530b99ace697.1638825394.git.andreyknvl@google.com>
In-Reply-To: <cover.1638825394.git.andreyknvl@google.com>

From: Andrey Konovalov <andreyknvl@google.com>

This patch adds vmalloc tagging support to SW_TAGS KASAN.

The changes include:

- __kasan_unpoison_vmalloc() now assigns a random pointer tag, poisons the virtual mapping accordingly, and embeds the tag into the returned pointer.
- __get_vm_area_node() (used by vmalloc() and vmap()) and pcpu_get_vm_areas() save the tagged pointer into vm_struct->addr (note: not into vmap_area->addr). This requires putting kasan_unpoison_vmalloc() after setup_vmalloc_vm[_locked](); otherwise the latter will overwrite the tagged pointer. The tagged pointer then is naturally propagated to vmalloc() and vmap().
- vm_map_ram() returns the tagged pointer directly.
- Allow enabling KASAN_VMALLOC with SW_TAGS.
Signed-off-by: Andrey Konovalov <andreyknvl@google.com> --- Changes v1->v2: - Allow enabling KASAN_VMALLOC with SW_TAGS in this patch. --- include/linux/kasan.h | 17 +++++++++++------ lib/Kconfig.kasan | 2 +- mm/kasan/shadow.c | 6 ++++-- mm/vmalloc.c | 14 ++++++++------ 4 files changed, 24 insertions(+), 15 deletions(-) diff --git a/include/linux/kasan.h b/include/linux/kasan.h index ad4798e77f60..6a2619759e93 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -423,12 +423,14 @@ void kasan_release_vmalloc(unsigned long start, unsigned long end, unsigned long free_region_start, unsigned long free_region_end); -void __kasan_unpoison_vmalloc(const void *start, unsigned long size); -static __always_inline void kasan_unpoison_vmalloc(const void *start, - unsigned long size) +void * __must_check __kasan_unpoison_vmalloc(const void *start, + unsigned long size); +static __always_inline void * __must_check kasan_unpoison_vmalloc( + const void *start, unsigned long size) { if (kasan_enabled()) - __kasan_unpoison_vmalloc(start, size); + return __kasan_unpoison_vmalloc(start, size); + return (void *)start; } void __kasan_poison_vmalloc(const void *start, unsigned long size); @@ -453,8 +455,11 @@ static inline void kasan_release_vmalloc(unsigned long start, unsigned long free_region_start, unsigned long free_region_end) { } -static inline void kasan_unpoison_vmalloc(const void *start, unsigned long size) -{ } +static inline void *kasan_unpoison_vmalloc(const void *start, + unsigned long size, bool unique) +{ + return (void *)start; +} static inline void kasan_poison_vmalloc(const void *start, unsigned long size) { } diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index cdc842d090db..3f144a87f8a3 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan 
@@ -179,7 +179,7 @@ config KASAN_TAGS_IDENTIFY config KASAN_VMALLOC bool "Back mappings in vmalloc space with real shadow memory" - depends on KASAN_GENERIC && HAVE_ARCH_KASAN_VMALLOC + depends on (KASAN_GENERIC || KASAN_SW_TAGS) && HAVE_ARCH_KASAN_VMALLOC help By default, the shadow region for vmalloc space is the read-only zero page. This means that KASAN cannot detect errors involving diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index fa0c8a750d09..4ca280a96fbc 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -475,12 +475,14 @@ void kasan_release_vmalloc(unsigned long start, unsigned long end, } } -void __kasan_unpoison_vmalloc(const void *start, unsigned long size) +void *__kasan_unpoison_vmalloc(const void *start, unsigned long size) { if (!is_vmalloc_or_module_addr(start)) - return; + return (void *)start; + start = set_tag(start, kasan_random_tag()); kasan_unpoison(start, size, false); + return (void *)start; } /* diff --git a/mm/vmalloc.c b/mm/vmalloc.c index a059b3100c0a..7be18b292679 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -2208,7 +2208,7 @@ void *vm_map_ram(struct page **pages, unsigned int count, int node) mem = (void *)addr; } - kasan_unpoison_vmalloc(mem, size); + mem = kasan_unpoison_vmalloc(mem, size); if (vmap_pages_range(addr, addr + size, PAGE_KERNEL, pages, PAGE_SHIFT) < 0) { @@ -2441,10 +2441,10 @@ static struct vm_struct *__get_vm_area_node(unsigned long size, return NULL; } - kasan_unpoison_vmalloc((void *)va->va_start, requested_size); - setup_vmalloc_vm(area, va, flags, caller); + area->addr = kasan_unpoison_vmalloc(area->addr, requested_size); + return area; } @@ -3752,9 +3752,6 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets, for (area = 0; area < nr_vms; area++) { if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area])) goto err_free_shadow; - - kasan_unpoison_vmalloc((void *)vas[area]->va_start, - sizes[area]); } /* insert all vm's */ 
@@ -3767,6 +3764,11 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets, } spin_unlock(&vmap_area_lock); + /* mark allocated areas as accessible */ + for (area = 0; area < nr_vms; area++) + vms[area]->addr = kasan_unpoison_vmalloc(vms[area]->addr, + vms[area]->size); + kfree(vas); return vms; -- 2.25.1
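Review bot: In the second include/linux/kasan.h hunk (the empty static inline stub variants), kasan_unpoison_vmalloc() is declared with three parameters, `const void *start, unsigned long size, bool unique`, while the variant in the hunk above it and every caller changed in mm/vmalloc.c use two. Any build that selects this stub will fail on the two-argument calls. Drop `bool unique` from the stub, and consider marking the stub __must_check as well so that a discarded return value is flagged in both configurations.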
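Review bot: The commit message says __kasan_unpoison_vmalloc() "poisons the virtual mapping accordingly", but the mm/kasan/shadow.c hunk calls `kasan_unpoison(start, size, false)` on the freshly tagged pointer, so the description should say the mapping is unpoisoned with the new tag. In the same hunk, the early `return (void *)start;` for addresses that fail is_vmalloc_or_module_addr() hands back an untagged pointer without comment. A short comment above the function stating that the returned pointer may or may not carry a tag, and that callers must use it in place of `start`, would make the new contract explicit.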
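Review bot: In the vm_map_ram() hunk, `mem` is overwritten with the tagged pointer before vmap_pages_range() is known to have succeeded, so the failure branch that follows runs with a tagged `mem` while `addr` stays untagged. Please confirm that whatever the failure branch hands `mem` to accepts a tagged pointer, or move `mem = kasan_unpoison_vmalloc(mem, size);` below the mapping check so the tag is assigned only once the mapping exists.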
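Review bot: In the __get_vm_area_node() hunk, the requirement that kasan_unpoison_vmalloc() run after setup_vmalloc_vm() is recorded only in the commit message; nothing at the call site prevents a later reorder from letting setup_vmalloc_vm() overwrite the tagged area->addr. Add a comment above `area->addr = kasan_unpoison_vmalloc(area->addr, requested_size);` that states the ordering constraint and that the tag is kept in vm_struct->addr only, not in the vmap_area.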
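Review bot: In the pcpu_get_vm_areas() hunks, the removed call unpoisoned `sizes[area]` bytes while the added loop passes `vms[area]->size`. If the two values can differ, the range marked accessible changes silently; either keep `sizes[area]` or state in the commit message why vms[area]->size is the right length. The added loop also sits after `spin_unlock(&vmap_area_lock)`, so the areas have been inserted before they are unpoisoned and before addr carries its tag; the `/* mark allocated areas as accessible */` comment should say why doing this outside the lock is safe.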