From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9BB5FC00140 for ; Tue, 2 Aug 2022 07:59:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236217AbiHBH7T (ORCPT ); Tue, 2 Aug 2022 03:59:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37550 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236123AbiHBH7Q (ORCPT ); Tue, 2 Aug 2022 03:59:16 -0400 Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CCB330F5E for ; Tue, 2 Aug 2022 00:59:14 -0700 (PDT) Received: by mail-lf1-x12b.google.com with SMTP id x39so11235433lfu.7 for ; Tue, 02 Aug 2022 00:59:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=8MAHi8SKNFAO7ew3d8bZkDJYG24nzfwsdp/alQmmw3o=; b=TLafKFi1j6ZG5abx+POI4UU6hvMztSn/a+xozHm8riAtwenoS3L3B8TyEVomx2OnRV V60soV+nP4oSzV8Pndt7ujTkQgC9lpM/kBnq12lPXVBvMdSA5rXphd72pWYpf7XlQuNQ SW0N2c/sS9mxIeCpJP17Z8Yl9ZMJrUpzk0L+hOc8W+cgXQY3UFqdZDwX7nqTFWk9u4Fl lRd1p0S1iNtCMsY8sx9MLevRvCBhSbJdMdPSekygk1BqSkXQoT8+fpNeotnQ4qoMl0LY f3P3tvugIE2HDDthiFDRQYOO3HUjJu3JwUS/4WZfUfSen3nWrJAyOSwfYtDykBtuTCax JVQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=8MAHi8SKNFAO7ew3d8bZkDJYG24nzfwsdp/alQmmw3o=; b=QEVcJwwZQ3l43OjwijRt4nAPpo/LRZ9fIW3KZdnXhlr2dQNENxuaMqU0IKWQ8j2Ptx To9RVT+xUuDpS0CSG9KGscNLrJoEdde/l+BYzRc6FFAFiU1TrkUXfXGr5QfrGu9eOkFP lLZxRt1zqlXNg21wfh2SoGyscicJXhtu4t47K4P2qxDIGBrB7QT6n/7p9h2S8Z5gBJP4 h9Acj8EcXFpU998Gg6mNKOlJlbKzUnx0YS/azNlv/y6Xx+MpQS0LIxuXQA4W1/zEX6kR K1XDmz3Puy11RUYTzd45JwM9qNcP5YBLXVmmMwo94YI9r+nrp/fdBiopOWjkpvTojdne BNWw== X-Gm-Message-State: AJIora+5htRw7VARlmC7XLyQWfASnIW1ZqGI/+nqn0ENrkCC9mDy25R3 Knm+Zw7HO5LpomBystobpa2J/LqTZ/hI2prj9f9i1w== X-Google-Smtp-Source: AGRyM1u+VI9qRU/DeBhoYuEDm2nN5f2HcRBCLO8lLc3v8j2+ER+Y/OKxkiJIqSFzydlTBN3Tk5nYnlh5RzRwuohL+zE= X-Received: by 2002:a19:710b:0:b0:48a:cf83:7551 with SMTP id m11-20020a19710b000000b0048acf837551mr7412233lfc.137.1659427152271; Tue, 02 Aug 2022 00:59:12 -0700 (PDT) MIME-Version: 1.0 References: <20220727071042.8796-4-feng.tang@intel.com> <0e545088-d140-4c84-bbb2-a3be669740b2@suse.cz> In-Reply-To: From: Dmitry Vyukov Date: Tue, 2 Aug 2022 09:59:00 +0200 Message-ID: Subject: Re: [mm/slub] 3616799128: BUG_kmalloc-#(Not_tainted):kmalloc_Redzone_overwritten To: Feng Tang Cc: Vlastimil Babka , "Sang, Oliver" , lkp , LKML , "linux-mm@kvack.org" , "lkp@lists.01.org" , Andrew Morton , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, "Hansen, Dave" , Robin Murphy , John Garry , Kefeng Wang , Andrey Konovalov , Andrey Ryabinin , Alexander Potapenko , "kasan-dev@googlegroups.com" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2 Aug 2022 at 09:47, Feng Tang wrote: > > > On Mon, Aug 01, 2022 at 10:23:23PM +0800, Vlastimil Babka wrote: > > > > On 8/1/22 08:21, Feng Tang wrote: > > > [snip] > > > > > Cc kansan mail list. > > > > > > > > > > This is really related with KASAN debug, that in free path, some > > > > > kmalloc redzone ([orig_size+1, object_size]) area is written by > > > > > kasan to save free meta info. > > > > > > > > > > The callstack is: > > > > > > > > > > kfree > > > > > slab_free > > > > > slab_free_freelist_hook > > > > > slab_free_hook > > > > > __kasan_slab_free > > > > > ____kasan_slab_free > > > > > kasan_set_free_info > > > > > kasan_set_track > > > > > > > > > > And this issue only happens with "kmalloc-16" slab. Kasan has 2 > > > > > tracks: alloc_track and free_track, for x86_64 test platform, most > > > > > of the slabs will reserve space for alloc_track, and reuse the > > > > > 'object' area for free_track. The kasan free_track is 16 bytes > > > > > large, that it will occupy the whole 'kmalloc-16's object area, > > > > > so when kmalloc-redzone is enabled by this patch, the 'overwritten' > > > > > error is triggered. > > > > > > > > > > But it won't hurt other kmalloc slabs, as kasan's free meta won't > > > > > conflict with kmalloc-redzone which stay in the latter part of > > > > > kmalloc area. > > > > > > > > > > So the solution I can think of is: > > > > > * skip the kmalloc-redzone for kmalloc-16 only, or > > > > > * skip kmalloc-redzone if kasan is enabled, or > > > > > * let kasan reserve the free meta (16 bytes) outside of object > > > > > just like for alloc meta > > > > > > > > Maybe we could add some hack that if both kasan and SLAB_STORE_USER is > > > > enabled, we bump the stored orig_size from <16 to 16? Similar to what > > > > __ksize() does. > > > > > > How about the following patch: > > > > > > --- > > > diff --git a/mm/slub.c b/mm/slub.c > > > index added2653bb0..33bbac2afaef 100644 > > > --- a/mm/slub.c > > > +++ b/mm/slub.c > > > @@ -830,6 +830,16 @@ static inline void set_orig_size(struct kmem_cache *s, > > > if (!slub_debug_orig_size(s)) > > > return; > > > > > > +#ifdef CONFIG_KASAN > > > + /* > > > + * When kasan is enabled, it could save its free meta data in the > > > + * start part of object area, so skip the kmalloc redzone check > > > + * for small kmalloc slabs to avoid the data conflict. > > > + */ > > > + if (s->object_size <= 32) > > > + orig_size = s->object_size; > > > +#endif I think this can be done only when CONFIG_KASAN_GENERIC. Only CONFIG_KASAN_GENERIC stores free meta info in objects: https://elixir.bootlin.com/linux/latest/source/mm/kasan/common.c#L176 And KASAN_HW_TAGS has chances of being enabled with DEBUG_SLUB in real-world uses (with Arm MTE). > > > + > > > p += get_info_end(s); > > > p += sizeof(struct track) * 2; > > > > > > I extend the size to 32 for potential's kasan meta data size increase. > > > This is tested locally, if people are OK with it, I can ask for 0Day's > > > help to verify this. > > > > Where is set_orig_size() function defined? Don't see it upstream nor > > in linux-next. > > This looks fine but my only concern is that this should not increase > > memory consumption when slub debug tracking is not enabled, which > > should be the main operation mode when KASAN is enabled. But I can't > > figure this out w/o context. > > Yes, the patchset was only posted on LKML, and not in any tree now. > The link to the original patches is: > > https://lore.kernel.org/lkml/20220727071042.8796-1-feng.tang@intel.com/t/ Lots of code... This SLAB_STORE_USER seems to be set on all kmalloc slabs by default when CONFIG_SLUB_DEBUG is enabled, right? And KASAN enables CONFIG_SLUB_DEBUG, this means that this is stored always when KASAN is enabled? Looks wrong. From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: multipart/mixed; boundary="===============0600885052109971512==" MIME-Version: 1.0 From: Dmitry Vyukov To: lkp@lists.01.org Subject: Re: [mm/slub] 3616799128: BUG_kmalloc-#(Not_tainted):kmalloc_Redzone_overwritten Date: Tue, 02 Aug 2022 09:59:00 +0200 Message-ID: In-Reply-To: List-Id: --===============0600885052109971512== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable On Tue, 2 Aug 2022 at 09:47, Feng Tang wrote: > > > On Mon, Aug 01, 2022 at 10:23:23PM +0800, Vlastimil Babka wrote: > > > > On 8/1/22 08:21, Feng Tang wrote: > > > [snip] > > > > > Cc kansan mail list. > > > > > > > > > > This is really related with KASAN debug, that in free path, some > > > > > kmalloc redzone ([orig_size+1, object_size]) area is written by > > > > > kasan to save free meta info. > > > > > > > > > > The callstack is: > > > > > > > > > > kfree > > > > > slab_free > > > > > slab_free_freelist_hook > > > > > slab_free_hook > > > > > __kasan_slab_free > > > > > ____kasan_slab_free > > > > > kasan_set_free_info > > > > > kasan_set_track > > > > > > > > > > And this issue only happens with "kmalloc-16" slab. Kasan has 2 > > > > > tracks: alloc_track and free_track, for x86_64 test platform, most > > > > > of the slabs will reserve space for alloc_track, and reuse the > > > > > 'object' area for free_track. The kasan free_track is 16 bytes > > > > > large, that it will occupy the whole 'kmalloc-16's object area, > > > > > so when kmalloc-redzone is enabled by this patch, the 'overwritte= n' > > > > > error is triggered. > > > > > > > > > > But it won't hurt other kmalloc slabs, as kasan's free meta won't > > > > > conflict with kmalloc-redzone which stay in the latter part of > > > > > kmalloc area. > > > > > > > > > > So the solution I can think of is: > > > > > * skip the kmalloc-redzone for kmalloc-16 only, or > > > > > * skip kmalloc-redzone if kasan is enabled, or > > > > > * let kasan reserve the free meta (16 bytes) outside of object > > > > > just like for alloc meta > > > > > > > > Maybe we could add some hack that if both kasan and SLAB_STORE_USER= is > > > > enabled, we bump the stored orig_size from <16 to 16? Similar to wh= at > > > > __ksize() does. > > > > > > How about the following patch: > > > > > > --- > > > diff --git a/mm/slub.c b/mm/slub.c > > > index added2653bb0..33bbac2afaef 100644 > > > --- a/mm/slub.c > > > +++ b/mm/slub.c > > > @@ -830,6 +830,16 @@ static inline void set_orig_size(struct kmem_cac= he *s, > > > if (!slub_debug_orig_size(s)) > > > return; > > > > > > +#ifdef CONFIG_KASAN > > > + /* > > > + * When kasan is enabled, it could save its free meta data in= the > > > + * start part of object area, so skip the kmalloc redzone che= ck > > > + * for small kmalloc slabs to avoid the data conflict. > > > + */ > > > + if (s->object_size <=3D 32) > > > + orig_size =3D s->object_size; > > > +#endif I think this can be done only when CONFIG_KASAN_GENERIC. Only CONFIG_KASAN_GENERIC stores free meta info in objects: https://elixir.bootlin.com/linux/latest/source/mm/kasan/common.c#L176 And KASAN_HW_TAGS has chances of being enabled with DEBUG_SLUB in real-world uses (with Arm MTE). > > > + > > > p +=3D get_info_end(s); > > > p +=3D sizeof(struct track) * 2; > > > > > > I extend the size to 32 for potential's kasan meta data size increase. > > > This is tested locally, if people are OK with it, I can ask for 0Day's > > > help to verify this. > > > > Where is set_orig_size() function defined? Don't see it upstream nor > > in linux-next. > > This looks fine but my only concern is that this should not increase > > memory consumption when slub debug tracking is not enabled, which > > should be the main operation mode when KASAN is enabled. But I can't > > figure this out w/o context. > > Yes, the patchset was only posted on LKML, and not in any tree now. > The link to the original patches is: > > https://lore.kernel.org/lkml/20220727071042.8796-1-feng.tang(a)intel.com/= t/ Lots of code... This SLAB_STORE_USER seems to be set on all kmalloc slabs by default when CONFIG_SLUB_DEBUG is enabled, right? And KASAN enables CONFIG_SLUB_DEBUG, this means that this is stored always when KASAN is enabled? Looks wrong. --===============0600885052109971512==--