From: Dmitry Vyukov <dvyukov@google.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	LKML <linux-kernel@vger.kernel.org>,
	kasan-dev <kasan-dev@googlegroups.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	Alexander Potapenko <glider@google.com>,
	linux-arm-kernel@lists.infradead.org,
	Yuri Gribov <tetra2005@gmail.com>
Subject: Re: [PATCH 3/4] arm64/kasan: don't allocate extra shadow memory
Date: Thu, 1 Jun 2017 19:05:54 +0200
Message-ID: <CACT4Y+Z02Un5DEjmhow4bSLOBygoC2mg7t_KKGn64WnWXQw0qw@mail.gmail.com>
In-Reply-To: <31a41822-35e1-1b4a-09f7-0a99571ee89a@virtuozzo.com>

On Thu, Jun 1, 2017 at 7:00 PM, Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
>
>
> On 06/01/2017 07:59 PM, Andrey Ryabinin wrote:
>>
>>
>> On 06/01/2017 07:52 PM, Mark Rutland wrote:
>>> On Thu, Jun 01, 2017 at 06:45:32PM +0200, Dmitry Vyukov wrote:
>>>> On Thu, Jun 1, 2017 at 6:34 PM, Mark Rutland <mark.rutland@arm.com> wrote:
>>>>> On Thu, Jun 01, 2017 at 07:23:37PM +0300, Andrey Ryabinin wrote:
>>>>>> We used to read several bytes of the shadow memory in advance.
>>>>>> Therefore additional shadow memory was mapped to prevent a crash if a
>>>>>> speculative load happened near the end of the mapped shadow memory.
>>>>>>
>>>>>> Now we don't have such speculative loads, so we no longer need to map
>>>>>> additional shadow memory.
>>>>>
>>>>> I see that patch 1 fixed up the Linux helpers for outline
>>>>> instrumentation.
>>>>>
>>>>> Just to check, is it also true that the inline instrumentation never
>>>>> performs unaligned accesses to the shadow memory?
>>>>
>>
>> Correct, inline instrumentation assumes that all accesses are properly aligned, as is
>> required by the C standard. I knew that the kernel violates this rule in many places,
>> therefore I decided to add checks for unaligned accesses in the outline case.
>>
>>
>>>> Inline instrumentation generally accesses only a single byte.
>>>
>>> Sorry to be a little pedantic, but does that mean we'll never access the
>>> additional shadow, or does that mean it's very unlikely that we will?
>>>
>>> I'm guessing/hoping it's the former!
>>>
>>
>> Outline will never access the additional shadow byte: https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm#unaligned-accesses
>
> s/Outline/inline, of course.


I suspect that actual implementations have diverged from that
description. I'm trying to follow asan_expand_check_ifn in:
https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/asan.c?revision=246703&view=markup
but it's not trivial.

+Yuri, maybe you know off the top of your head if asan instrumentation
in gcc ever accesses an off-by-one shadow byte (i.e. 1 byte after the actual
object end)?
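The single-shadow-byte behaviour the thread is asking about, modelled in user space as an added example (not code from the thread, from gcc or from the kernel): a constructed shadow layout, an inline-style check that reads only the shadow byte of the first byte's granule, and an outline-style check that also tests the access's last byte, as the unaligned-access checks Andrey mentions do. The region size, the two objects and all shadow values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHADOW_SCALE 3               /* one shadow byte per 8-byte granule */
#define GRANULE      (1u << SHADOW_SCALE)

/* Constructed shadow for a 64-byte region with two objects:
 * A = 16 bytes at offset 16 (granules 2,3 fully addressable, value 0),
 * B = 4 bytes at offset 40 (granule 5 partially addressable, value 4).
 * -1 marks poisoned (unaddressable) granules, as ASan/KASAN do. */
static const int8_t shadow[8] = { -1, -1, 0, 0, -1, 4, -1, -1 };

static int shadow_byte(size_t addr) { return shadow[addr >> SHADOW_SCALE]; }

/* True if the single byte at addr is addressable. */
static bool byte_ok(size_t addr)
{
    int k = shadow_byte(addr);
    return k == 0 || (int)(addr & (GRANULE - 1)) < k;
}

/* Inline-style check for a 1/2/4/8-byte access: reads ONE shadow byte, the
 * granule holding the first byte, and compares the access's last offset
 * within that granule against k. A granule-crossing unaligned access never
 * reads the next shadow byte, so it cannot touch extra shadow, but it can
 * also go undetected (the wiki's "unaligned accesses" limitation). */
bool inline_check(size_t addr, size_t size)
{
    int k = shadow_byte(addr);
    if (k == 0)
        return true;
    return (int)((addr & (GRANULE - 1)) + size - 1) < k;
}

/* Outline-style check with the extra unaligned-access test: verify both the
 * first and the last byte of the access, so a crossing access is caught. */
bool outline_check(size_t addr, size_t size)
{
    return byte_ok(addr) && byte_ok(addr + size - 1);
}

int main(void)
{
    /* A 4-byte access at 30 spans bytes 30..33; 32 and 33 lie past object A. */
    printf("inline:  %s\n", inline_check(30, 4) ? "ok (missed)" : "report");
    printf("outline: %s\n", outline_check(30, 4) ? "ok" : "report");
    return 0;
}
```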
