Re: [PATCH 0/6 v14] KASan for Arm

From: Ard Biesheuvel <ardb@kernel.org>
To: Florian Fainelli <f.fainelli@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
	Abbott Liu <liuwenliang@huawei.com>,
	Linus Walleij <linus.walleij@linaro.org>,
	Russell King <linux@armlinux.org.uk>,
	Mike Rapoport <rppt@linux.ibm.com>,
	Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 0/6 v14] KASan for Arm
Date: Sun, 4 Oct 2020 10:06:07 +0200	[thread overview]
Message-ID: <CAMj1kXF+=gJXD2foOWzv6OG_Z+gKSG4sTPNT_X-C9deD9LcZcw@mail.gmail.com> (raw)
In-Reply-To: <CAMj1kXFcnQdm0bnuLEhDTW=WBgkTLu0BDd2C3uN3AtMt+AUinw@mail.gmail.com>

On Sat, 3 Oct 2020 at 17:50, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Thu, 1 Oct 2020 at 21:19, Florian Fainelli <f.fainelli@gmail.com> wrote:
> >
> >
> >
> > On 10/1/2020 8:22 AM, Linus Walleij wrote:
> > > This is the 14th iteration of KASan for ARM/Aarch32.
> > >
> > > I have added one patch in the beginning of the series to
> > > fix the issue when the DTB (often attached DTB) ends up
> > > in lowmem. It also amends ARM to copy the device tree
> > > instead of just unflattening it and using it from where
> > > it is.
> > >
> > > This fixes my particular issue on the Qualcomm APQ8060
> > > and I hope it may also solve Florian's issue and what
> > > Ard has been seeing. If you inspect patch 1/6 you can
> > > see what has been going on for me. My hypothesis about
> > > what was going on was mostly right.
> > >
> > > You are encouraged to test this patch set to find memory out
> > > of bounds bugs with ARM32 platforms and drivers.
> > >
> > > There is a git branch you can pull in:
> > > https://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-integrator.git/log/?h=kasan
> >
> > It does appear to be slight better, although all platforms that I have
> > where memory starts at physical address 0 cannot boot, attached logs
> > which are all more or less the same.
> >
> > The physical memory map looks like this:
> >
> > 0..3GB -> DRAM
> > 3GB..4GB -> Registers, Boot ROM, Boot SRAM
> > 4GB..12GB -> DRAM extension
> >
> > Do any of the platforms you use for testing have a similar memory map?
> > Could you try to contrive a QEMU machine to have something similar in
> > case that helps reproducing these failures?
> >
>
> I am getting very similar failures on a Raspberry Pi4 booting in
> 32-bit mode from U-boot+EFI
>
> Full log attached.
>
> I will try to dig a bit deeper.

OK, one obvious issue with the code as-is is that the following routine

static __init void *kasan_alloc_block(size_t size)
{
  return memblock_alloc_try_nid(size, size, __pa(MAX_DMA_ADDRESS),
                                MEMBLOCK_ALLOC_KASAN, NUMA_NO_NODE);
}

is called after the early shadow is unmapped, but before the permanent
shadow is in place. memblock_alloc_try_nid() clears the newly
allocated memory using memset(), which checks the associated shadow,
which is unmapped -> BOOM.

With the following implementation, I can avoid the crash similar to
the one Florian is reporting:

static __init void *kasan_alloc_block(size_t size)
{
  void *p = memblock_alloc_try_nid_raw(size, size,
    __pa(MAX_DMA_ADDRESS), MEMBLOCK_ALLOC_KASAN,
    NUMA_NO_NODE);

  if (p)
    __memset(p, 0, size);
  return p;
}

However, I still get a hang a bit later, and I haven't tracked that down yet.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel