+ mm-kfence-select-random-number-before-taking-raw-lock.patch added to mm-unstable branch

+ mm-kfence-select-random-number-before-taking-raw-lock.patch added to mm-unstable branch

[Andrew Morton]

The patch titled
     Subject: mm/kfence: select random number before taking raw lock
has been added to the -mm mm-unstable branch.  Its filename is
     mm-kfence-select-random-number-before-taking-raw-lock.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/mm-kfence-select-random-number-before-taking-raw-lock.patch

This patch will later appear in the mm-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: mm/kfence: select random number before taking raw lock
Date: Thu, 9 Jun 2022 14:33:19 +0200

The RNG uses vanilla spinlocks, not raw spinlocks, so kfence should pick
its random numbers before taking its raw spinlocks.  This also has the
nice effect of doing less work inside the lock.  It should fix a splat
that Geert saw with CONFIG_PROVE_RAW_LOCK_NESTING:

     dump_backtrace.part.0+0x98/0xc0
     show_stack+0x14/0x28
     dump_stack_lvl+0xac/0xec
     dump_stack+0x14/0x2c
     __lock_acquire+0x388/0x10a0
     lock_acquire+0x190/0x2c0
     _raw_spin_lock_irqsave+0x6c/0x94
     crng_make_state+0x148/0x1e4
     _get_random_bytes.part.0+0x4c/0xe8
     get_random_u32+0x4c/0x140
     __kfence_alloc+0x460/0x5c4
     kmem_cache_alloc_trace+0x194/0x1dc
     __kthread_create_on_node+0x5c/0x1a8
     kthread_create_on_node+0x58/0x7c
     printk_start_kthread.part.0+0x34/0xa8
     printk_activate_kthreads+0x4c/0x54
     do_one_initcall+0xec/0x278
     kernel_init_freeable+0x11c/0x214
     kernel_init+0x24/0x124
     ret_from_fork+0x10/0x20

Link: https://lkml.kernel.org/r/20220609123319.17576-1-Jason@zx2c4.com
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Marco Elver <elver@google.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Cc: John Ogness <john.ogness@linutronix.de>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 mm/kfence/core.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/mm/kfence/core.c~mm-kfence-select-random-number-before-taking-raw-lock
+++ a/mm/kfence/core.c
@@ -360,6 +360,9 @@ static void *kfence_guarded_alloc(struct
 	unsigned long flags;
 	struct slab *slab;
 	void *addr;
+	const bool random_right_allocate = prandom_u32_max(2);
+	const bool random_fault = CONFIG_KFENCE_STRESS_TEST_FAULTS &&
+				  !prandom_u32_max(CONFIG_KFENCE_STRESS_TEST_FAULTS);
 
 	/* Try to obtain a free object. */
 	raw_spin_lock_irqsave(&kfence_freelist_lock, flags);
@@ -404,7 +407,7 @@ static void *kfence_guarded_alloc(struct
 	 * is that the out-of-bounds accesses detected are deterministic for
 	 * such allocations.
 	 */
-	if (prandom_u32_max(2)) {
+	if (random_right_allocate) {
 		/* Allocate on the "right" side, re-calculate address. */
 		meta->addr += PAGE_SIZE - size;
 		meta->addr = ALIGN_DOWN(meta->addr, cache->align);
@@ -444,7 +447,7 @@ static void *kfence_guarded_alloc(struct
 	if (cache->ctor)
 		cache->ctor(addr);
 
-	if (CONFIG_KFENCE_STRESS_TEST_FAULTS && !prandom_u32_max(CONFIG_KFENCE_STRESS_TEST_FAULTS))
+	if (random_fault)
 		kfence_protect(meta->addr); /* Random "faults" by protecting the object. */
 
 	atomic_long_inc(&counters[KFENCE_COUNTER_ALLOCATED]);
_

Patches currently in -mm which might be from Jason@zx2c4.com are

mm-kfence-select-random-number-before-taking-raw-lock.patch

Re: + mm-kfence-select-random-number-before-taking-raw-lock.patch added to mm-unstable branch

[Jason A. Donenfeld]

Hi Andrew,

On Thu, Jun 9, 2022 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>      Subject: mm/kfence: select random number before taking raw lock
> has been added to the -mm mm-unstable branch.

I believe this belongs in the hotfixes branch, actually. It's a
regression in 5.19.

Jason

Re: + mm-kfence-select-random-number-before-taking-raw-lock.patch added to mm-unstable branch

[Andrew Morton]

On Thu, 9 Jun 2022 19:02:55 +0200 "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:

> Hi Andrew,
> 
> On Thu, Jun 9, 2022 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >      Subject: mm/kfence: select random number before taking raw lock
> > has been added to the -mm mm-unstable branch.
> 
> I believe this belongs in the hotfixes branch, actually. It's a
> regression in 5.19.
> 

Oh, OK.  Do we have a Fixes: tag?

Re: + mm-kfence-select-random-number-before-taking-raw-lock.patch added to mm-unstable branch

[Jason A. Donenfeld]

Hi Andrew,

On Thu, Jun 9, 2022 at 7:17 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Thu, 9 Jun 2022 19:02:55 +0200 "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
>
> > Hi Andrew,
> >
> > On Thu, Jun 9, 2022 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > >      Subject: mm/kfence: select random number before taking raw lock
> > > has been added to the -mm mm-unstable branch.
> >
> > I believe this belongs in the hotfixes branch, actually. It's a
> > regression in 5.19.
> >
>
> Oh, OK.  Do we have a Fixes: tag?

Errr, I guess so technically.

Fixes: d4150779e60f ("random32: use real rng for non-deterministic randomness")

Jason