linux-kernel.vger.kernel.org archive mirror
* [PATCH v3 0/2] kasan: fixes for 5.11-rc
@ 2021-01-15 17:41 Andrey Konovalov
  2021-01-15 17:41 ` [PATCH v3 1/2] kasan, mm: fix conflicts with init_on_alloc/free Andrey Konovalov
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Andrey Konovalov @ 2021-01-15 17:41 UTC (permalink / raw)
  To: Andrew Morton, Catalin Marinas, Vincenzo Frascino, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver
  Cc: Will Deacon, Andrey Ryabinin, Peter Collingbourne,
	Evgenii Stepanov, Branislav Rankov, Kevin Brodsky, kasan-dev,
	linux-arm-kernel, linux-mm, linux-kernel, Andrey Konovalov

Changes v2->v3:
- Fix up kernel pointer tag in do_tag_check_fault() instead of
  report_tag_fault().

Andrey Konovalov (2):
  kasan, mm: fix conflicts with init_on_alloc/free
  kasan, arm64: fix pointer tags in KASAN reports

 arch/arm64/mm/fault.c | 7 ++++---
 mm/slub.c             | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

-- 
2.30.0.284.gd98b1dd5eaa7-goog



* [PATCH v3 1/2] kasan, mm: fix conflicts with init_on_alloc/free
  2021-01-15 17:41 [PATCH v3 0/2] kasan: fixes for 5.11-rc Andrey Konovalov
@ 2021-01-15 17:41 ` Andrey Konovalov
  2021-01-15 17:41 ` [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports Andrey Konovalov
  2021-01-18 18:31 ` [PATCH v3 0/2] kasan: fixes for 5.11-rc Catalin Marinas
  2 siblings, 0 replies; 7+ messages in thread
From: Andrey Konovalov @ 2021-01-15 17:41 UTC (permalink / raw)
  To: Andrew Morton, Catalin Marinas, Vincenzo Frascino, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver
  Cc: Will Deacon, Andrey Ryabinin, Peter Collingbourne,
	Evgenii Stepanov, Branislav Rankov, Kevin Brodsky, kasan-dev,
	linux-arm-kernel, linux-mm, linux-kernel, Andrey Konovalov,
	Vlastimil Babka

A few places where SLUB accesses an object's data or metadata were missed in
a previous patch. This leads to false positives with hardware tag-based
KASAN when bulk allocations are used with init_on_alloc/free.

Fix the false positives by resetting pointer tags during these accesses.

(The kasan_reset_tag call is removed from slab_alloc_node, as it's added
 into maybe_wipe_obj_freeptr.)

Link: https://linux-review.googlesource.com/id/I50dd32838a666e173fe06c3c5c766f2c36aae901
Fixes: aa1ef4d7b3f67 ("kasan, mm: reset tags when accessing metadata")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/slub.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index dc5b42e700b8..75fb097d990d 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2791,7 +2791,8 @@ static __always_inline void maybe_wipe_obj_freeptr(struct kmem_cache *s,
 						   void *obj)
 {
 	if (unlikely(slab_want_init_on_free(s)) && obj)
-		memset((void *)((char *)obj + s->offset), 0, sizeof(void *));
+		memset((void *)((char *)kasan_reset_tag(obj) + s->offset),
+			0, sizeof(void *));
 }
 
 /*
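Review bot: the outer `(void *)` cast in the new memset call is redundant, since memset takes a `void *` and `(char *)kasan_reset_tag(obj) + s->offset` converts implicitly, so the two-line form could collapse back to one line: `memset((char *)kasan_reset_tag(obj) + s->offset, 0, sizeof(void *));`. Moving the reset into the helper is the right place for it, because every caller that reaches the freelist pointer now goes through the same untagged access, and the `&& obj` guard still precedes the reset, so `kasan_reset_tag()` is never applied to NULL. Any caller outside this hunk that still passes `kasan_reset_tag(...)` would merely reset twice, which is harmless.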
@@ -2883,7 +2884,7 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
 		stat(s, ALLOC_FASTPATH);
 	}
 
-	maybe_wipe_obj_freeptr(s, kasan_reset_tag(object));
+	maybe_wipe_obj_freeptr(s, object);
 
 	if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
 		memset(kasan_reset_tag(object), 0, s->object_size);
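Review bot: dropping `kasan_reset_tag()` from this call relies on `maybe_wipe_obj_freeptr()` resetting the tag itself, but nothing at the call site says so, while the `init_on_alloc` memset two lines below still resets inline; a one-line comment such as `/* maybe_wipe_obj_freeptr() resets the pointer tag itself */` would stop the next reader from "fixing" the asymmetry by adding the reset back. Behaviour is otherwise unchanged: `object` is passed through untouched, so the tagged pointer the allocator hands to its caller is unaffected.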
@@ -3329,7 +3330,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
 		int j;
 
 		for (j = 0; j < i; j++)
-			memset(p[j], 0, s->object_size);
+			memset(kasan_reset_tag(p[j]), 0, s->object_size);
 	}
 
 	/* memcg and kmem_cache debug support */
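Review bot: the fix is deliberately narrow, and that is worth preserving: only the argument to memset is untagged, while `p[j]` itself keeps its tag, which is what the bulk caller must receive, so the reset pointer must not be stored back into `p[]`. This is now the third site in the file that spells out `memset(kasan_reset_tag(obj), 0, s->object_size)` by hand (the slab_alloc_node hunk above has the same line), and the commit message itself says these sites were missed once already; a small static helper shared by the single and bulk init_on_alloc paths would make the next omission much less likely.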
-- 
2.30.0.284.gd98b1dd5eaa7-goog
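Added example, not code from the patch or from the kernel: a userspace model of the false positive the message describes, i.e. an allocator-internal access through a pointer whose tag no longer matches the memory's allocation tag, and how resetting the pointer tag avoids it. The model assumes 16-byte granules with a 4-bit tag each, the pointer tag in bits 59:56, and the all-ones tag acting as match-all (the kernel's `kasan_reset_tag()` sets that tag; the helper here is named `model_reset_tag()` so it is not mistaken for the kernel's). Granule sizes, tag values and offsets are constructed.

```c
/*
 * Added example (not kernel code): userspace model of a tag-checked memset
 * against a "slab" whose granules carry allocation tags. Assumptions of the
 * model: 16-byte granules, 4-bit tags, pointer tag in bits 59:56, tag 0xF on
 * a pointer matches everything (the model's stand-in for kasan_reset_tag()).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE        16
#define NGRANULES      8
#define TAG_SHIFT      56
#define TAG_MASK       (0xFULL << TAG_SHIFT)
#define TAG_MATCH_ALL  0xFu

/* Constructed "slab": object bytes plus one allocation tag per granule. */
static unsigned char slab_mem[GRANULE * NGRANULES];
static unsigned char slab_tag[NGRANULES];

/* A model pointer is a byte offset into slab_mem with a tag in bits 59:56. */
static uint64_t set_tag(uint64_t p, unsigned tag)
{
	return (p & ~TAG_MASK) | ((uint64_t)(tag & 0xF) << TAG_SHIFT);
}
static unsigned get_tag(uint64_t p)
{
	return (unsigned)((p >> TAG_SHIFT) & 0xF);
}
static size_t offset_of(uint64_t p)
{
	return (size_t)(p & ~(0xFFULL << 56));
}
/* Model of kasan_reset_tag(): make the pointer match-all. */
static uint64_t model_reset_tag(uint64_t p)
{
	return set_tag(p, TAG_MATCH_ALL);
}

/*
 * Tag-checked memset: every granule touched must carry the pointer's tag,
 * unless the pointer is match-all. Returns false on a (modelled) tag check
 * fault and leaves memory untouched, so callers can count faults.
 */
static bool checked_memset(uint64_t p, int c, size_t n)
{
	size_t off = offset_of(p);
	unsigned ptag = get_tag(p);

	if (off + n > sizeof(slab_mem))
		return false;
	for (size_t i = 0; i < n; i++)
		if (ptag != TAG_MATCH_ALL && ptag != slab_tag[(off + i) / GRANULE])
			return false;
	memset(slab_mem + off, c, n);
	return true;
}

/* Retag an object's granules, as happens when it is allocated or freed. */
static void model_retag(size_t off, size_t size, unsigned tag)
{
	for (size_t g = off / GRANULE; g < (off + size) / GRANULE; g++)
		slab_tag[g] = (unsigned char)tag;
}

/* Allocator side: tag the granules and hand out a pointer that matches. */
static uint64_t model_alloc(size_t off, size_t size, unsigned tag)
{
	model_retag(off, size, tag);
	return set_tag(off, tag);
}

/*
 * The scenario from the commit message, returning how many of the three
 * accesses fault: (1) wiping a freshly tagged object through its own pointer;
 * (2) the same wipe after the memory was retagged, where the stale pointer
 * tag no longer matches although the access itself is legitimate (the false
 * positive); (3) the same wipe through a reset-tag pointer, which is what
 * the patch makes SLUB do for its internal accesses.
 */
static int count_faults(void)
{
	uint64_t obj = model_alloc(32, 32, 0x7);
	int faults = 0;

	if (!checked_memset(obj, 0, 32))
		faults++;
	model_retag(32, 32, 0x2);
	if (!checked_memset(obj, 0, 32))
		faults++;
	if (!checked_memset(model_reset_tag(obj), 0, 32))
		faults++;
	return faults;
}

int main(void)
{
	printf("faulting accesses: %d (only the stale-tag access)\n", count_faults());
	return 0;
}
```

Only the second access faults: the pointer is fine as an address, its tag is simply out of date relative to the memory, which is exactly the situation an allocator-internal wipe is in before the object has been (re)tagged for its new owner. The reset-tag access succeeds without weakening anything, because the tagged pointer the caller eventually receives is untouched.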



* [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports
  2021-01-15 17:41 [PATCH v3 0/2] kasan: fixes for 5.11-rc Andrey Konovalov
  2021-01-15 17:41 ` [PATCH v3 1/2] kasan, mm: fix conflicts with init_on_alloc/free Andrey Konovalov
@ 2021-01-15 17:41 ` Andrey Konovalov
  2021-01-15 17:59   ` Catalin Marinas
  2021-01-15 18:03   ` Vincenzo Frascino
  2021-01-18 18:31 ` [PATCH v3 0/2] kasan: fixes for 5.11-rc Catalin Marinas
  2 siblings, 2 replies; 7+ messages in thread
From: Andrey Konovalov @ 2021-01-15 17:41 UTC (permalink / raw)
  To: Andrew Morton, Catalin Marinas, Vincenzo Frascino, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver
  Cc: Will Deacon, Andrey Ryabinin, Peter Collingbourne,
	Evgenii Stepanov, Branislav Rankov, Kevin Brodsky, kasan-dev,
	linux-arm-kernel, linux-mm, linux-kernel, Andrey Konovalov

As of the "arm64: expose FAR_EL1 tag bits in siginfo" patch, the address
that is passed to report_tag_fault has pointer tags in the format of 0x0X,
while KASAN uses 0xFX format (note the difference in the top 4 bits).

Fix up the pointer tag for kernel pointers in do_tag_check_fault by
setting them to the same value as bit 55. Explicitly use __untagged_addr()
instead of untagged_addr(), as the latter doesn't affect TTBR1 addresses.

Link: https://linux-review.googlesource.com/id/I9ced973866036d8679e8f4ae325de547eb969649
Fixes: dceec3ff7807 ("arm64: expose FAR_EL1 tag bits in siginfo")
Fixes: 4291e9ee6189 ("kasan, arm64: print report from tag fault handler")
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 arch/arm64/mm/fault.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 3c40da479899..35d75c60e2b8 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -709,10 +709,11 @@ static int do_tag_check_fault(unsigned long far, unsigned int esr,
 			      struct pt_regs *regs)
 {
 	/*
-	 * The architecture specifies that bits 63:60 of FAR_EL1 are UNKNOWN for tag
-	 * check faults. Mask them out now so that userspace doesn't see them.
+	 * The architecture specifies that bits 63:60 of FAR_EL1 are UNKNOWN
+	 * for tag check faults. Set them to corresponding bits in the untagged
+	 * address.
 	 */
-	far &= (1UL << 60) - 1;
+	far = (__untagged_addr(far) & ~MTE_TAG_MASK) | (far & MTE_TAG_MASK);
 	do_bad_area(far, esr, regs);
 	return 0;
 }
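Review bot: the new comment explains what happens to bits 63:60 but not why `__untagged_addr()` is used rather than `untagged_addr()`, which is the non-obvious part of the line; the commit message has the reason (`untagged_addr()` leaves TTBR1 addresses alone, so the UNKNOWN bits would survive for kernel pointers) and it belongs in the comment too. It would also help to state the outcome explicitly: bits 63:60 become copies of bit 55, so a kernel address shows 0xFX in its top byte and a user address 0x0X, which is the form KASAN and userspace respectively expect, while the allocation tag in bits 59:56 (`MTE_TAG_MASK`) is preserved from FAR in both cases.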
-- 
2.30.0.284.gd98b1dd5eaa7-goog
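Added example, not code from the patch or from the kernel: a userspace model of the fix-up line in `do_tag_check_fault()`, run over constructed FAR values so the 0x0X versus 0xFX point in the message can be seen directly. The helpers and constants are the model's own; they assume the arm64 layout the message relies on (MTE allocation tag in bits 59:56, bit 55 selecting TTBR0 versus TTBR1, bits 63:60 of FAR_EL1 UNKNOWN after a tag check fault) and model `__untagged_addr()` as sign-extension from bit 55 and `untagged_addr()` as an AND with that sign-extended value, which is what makes the latter a no-op on kernel addresses. The old behaviour (clearing bits 63:60) is modelled beside the new one for comparison.

```c
/*
 * Added example (not kernel code): userspace model of the FAR_EL1 tag fix-up
 * from do_tag_check_fault(). Constants and helpers are the model's own and
 * assume the layout described in the commit message.
 */
#include <stdint.h>
#include <stdio.h>

#define MTE_TAG_SHIFT  56
#define MTE_TAG_MASK   (0xFULL << MTE_TAG_SHIFT)   /* bits 59:56 */
#define TOP_BYTE_MASK  (0xFFULL << 56)             /* bits 63:56 */

/* Model of __untagged_addr(): sign-extend from bit 55, i.e. replicate bit 55
 * into the whole top byte. Kernel addresses become 0xFF..., user 0x00... */
static uint64_t sign_extend_bit55(uint64_t addr)
{
	return ((addr >> 55) & 1) ? (addr | TOP_BYTE_MASK) : (addr & ~TOP_BYTE_MASK);
}

/* Model of untagged_addr(): AND the address with its sign-extended form. For
 * a TTBR1 address the sign-extended top byte is all ones, so the AND changes
 * nothing and the UNKNOWN bits survive; this is why the patch avoids it. */
static uint64_t model_untagged_addr(uint64_t addr)
{
	return addr & sign_extend_bit55(addr);
}

/* The patch's fix-up: bits 63:60 from the sign-extended address, the
 * allocation tag in bits 59:56 kept from FAR, everything below untouched. */
static uint64_t fixup_far(uint64_t far)
{
	return (sign_extend_bit55(far) & ~MTE_TAG_MASK) | (far & MTE_TAG_MASK);
}

/* The replaced behaviour, for comparison: clear bits 63:60 unconditionally. */
static uint64_t old_fixup_far(uint64_t far)
{
	return far & ((1ULL << 60) - 1);
}

/* The top byte is what a KASAN report prints as the pointer tag. */
static unsigned top_byte(uint64_t addr)
{
	return (unsigned)(addr >> 56);
}

int main(void)
{
	/* Constructed FAR_EL1 values: 0xA in bits 63:60 stands in for the
	 * UNKNOWN bits; allocation tag 0x5 on a kernel address (bit 55 set)
	 * and 0x3 on a user address (bit 55 clear). */
	const uint64_t kernel_far = 0xA5FFFF0012345678ULL;
	const uint64_t user_far   = 0xA3007F0012345678ULL;

	printf("kernel: old fix-up 0x%02x, new fix-up 0x%02x\n",
	       top_byte(old_fixup_far(kernel_far)), top_byte(fixup_far(kernel_far)));
	printf("user:   old fix-up 0x%02x, new fix-up 0x%02x\n",
	       top_byte(old_fixup_far(user_far)), top_byte(fixup_far(user_far)));
	printf("untagged_addr() model on the kernel address leaves 0x%02x\n",
	       top_byte(model_untagged_addr(kernel_far)));
	return 0;
}
```

For the kernel address the old mask produced a top byte of 0x05, which is the 0x0X form the message says KASAN does not expect; the new fix-up yields 0xF5, and the user address comes out as 0x03 under both, so userspace still never sees the UNKNOWN bits. The `untagged_addr()` model leaves the garbage 0xA5 in place on the kernel address, which is the concrete reason the patch spells out `__untagged_addr()`.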



* Re: [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports
  2021-01-15 17:41 ` [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports Andrey Konovalov
@ 2021-01-15 17:59   ` Catalin Marinas
  2021-01-15 18:08     ` Andrey Konovalov
  2021-01-15 18:03   ` Vincenzo Frascino
  1 sibling, 1 reply; 7+ messages in thread
From: Catalin Marinas @ 2021-01-15 17:59 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Andrew Morton, Vincenzo Frascino, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver, Will Deacon, Andrey Ryabinin,
	Peter Collingbourne, Evgenii Stepanov, Branislav Rankov,
	Kevin Brodsky, kasan-dev, linux-arm-kernel, linux-mm,
	linux-kernel

On Fri, Jan 15, 2021 at 06:41:53PM +0100, Andrey Konovalov wrote:
> As of the "arm64: expose FAR_EL1 tag bits in siginfo" patch, the address
> that is passed to report_tag_fault has pointer tags in the format of 0x0X,
> while KASAN uses 0xFX format (note the difference in the top 4 bits).
> 
> Fix up the pointer tag for kernel pointers in do_tag_check_fault by
> setting them to the same value as bit 55. Explicitly use __untagged_addr()
> instead of untagged_addr(), as the latter doesn't affect TTBR1 addresses.
> 
> Link: https://linux-review.googlesource.com/id/I9ced973866036d8679e8f4ae325de547eb969649

Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>

Unless there are other comments, I'll queue this for -rc5 through the
arm64 tree (I already finalised the arm64 for-next/fixes branch for this
week).

-- 
Catalin


* Re: [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports
  2021-01-15 17:41 ` [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports Andrey Konovalov
  2021-01-15 17:59   ` Catalin Marinas
@ 2021-01-15 18:03   ` Vincenzo Frascino
  1 sibling, 0 replies; 7+ messages in thread
From: Vincenzo Frascino @ 2021-01-15 18:03 UTC (permalink / raw)
  To: Andrey Konovalov, Andrew Morton, Catalin Marinas, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver
  Cc: Will Deacon, Andrey Ryabinin, Peter Collingbourne,
	Evgenii Stepanov, Branislav Rankov, Kevin Brodsky, kasan-dev,
	linux-arm-kernel, linux-mm, linux-kernel



On 1/15/21 5:41 PM, Andrey Konovalov wrote:
> As of the "arm64: expose FAR_EL1 tag bits in siginfo" patch, the address
> that is passed to report_tag_fault has pointer tags in the format of 0x0X,
> while KASAN uses 0xFX format (note the difference in the top 4 bits).
> 
> Fix up the pointer tag for kernel pointers in do_tag_check_fault by
> setting them to the same value as bit 55. Explicitly use __untagged_addr()
> instead of untagged_addr(), as the latter doesn't affect TTBR1 addresses.
> 
> Link: https://linux-review.googlesource.com/id/I9ced973866036d8679e8f4ae325de547eb969649
> Fixes: dceec3ff7807 ("arm64: expose FAR_EL1 tag bits in siginfo")
> Fixes: 4291e9ee6189 ("kasan, arm64: print report from tag fault handler")
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>

Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>

> ---
>  arch/arm64/mm/fault.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 3c40da479899..35d75c60e2b8 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -709,10 +709,11 @@ static int do_tag_check_fault(unsigned long far, unsigned int esr,
>  			      struct pt_regs *regs)
>  {
>  	/*
> -	 * The architecture specifies that bits 63:60 of FAR_EL1 are UNKNOWN for tag
> -	 * check faults. Mask them out now so that userspace doesn't see them.
> +	 * The architecture specifies that bits 63:60 of FAR_EL1 are UNKNOWN
> +	 * for tag check faults. Set them to corresponding bits in the untagged
> +	 * address.
>  	 */
> -	far &= (1UL << 60) - 1;
> +	far = (__untagged_addr(far) & ~MTE_TAG_MASK) | (far & MTE_TAG_MASK);
>  	do_bad_area(far, esr, regs);
>  	return 0;
>  }
> 

-- 
Regards,
Vincenzo


* Re: [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports
  2021-01-15 17:59   ` Catalin Marinas
@ 2021-01-15 18:08     ` Andrey Konovalov
  0 siblings, 0 replies; 7+ messages in thread
From: Andrey Konovalov @ 2021-01-15 18:08 UTC (permalink / raw)
  To: Catalin Marinas
  Cc: Andrew Morton, Vincenzo Frascino, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver, Will Deacon, Andrey Ryabinin,
	Peter Collingbourne, Evgenii Stepanov, Branislav Rankov,
	Kevin Brodsky, kasan-dev, Linux ARM,
	Linux Memory Management List, LKML

On Fri, Jan 15, 2021 at 6:59 PM Catalin Marinas <catalin.marinas@arm.com> wrote:
>
> On Fri, Jan 15, 2021 at 06:41:53PM +0100, Andrey Konovalov wrote:
> > As of the "arm64: expose FAR_EL1 tag bits in siginfo" patch, the address
> > that is passed to report_tag_fault has pointer tags in the format of 0x0X,
> > while KASAN uses 0xFX format (note the difference in the top 4 bits).
> >
> > Fix up the pointer tag for kernel pointers in do_tag_check_fault by
> > setting them to the same value as bit 55. Explicitly use __untagged_addr()
> > instead of untagged_addr(), as the latter doesn't affect TTBR1 addresses.
> >
> > Link: https://linux-review.googlesource.com/id/I9ced973866036d8679e8f4ae325de547eb969649
>
> Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
>
> Unless there are other comments, I'll queue this for -rc5 through the
> arm64 tree (I already finalised the arm64 for-next/fixes branch for this
> week).

Sounds good, thank you!


* Re: [PATCH v3 0/2] kasan: fixes for 5.11-rc
  2021-01-15 17:41 [PATCH v3 0/2] kasan: fixes for 5.11-rc Andrey Konovalov
  2021-01-15 17:41 ` [PATCH v3 1/2] kasan, mm: fix conflicts with init_on_alloc/free Andrey Konovalov
  2021-01-15 17:41 ` [PATCH v3 2/2] kasan, arm64: fix pointer tags in KASAN reports Andrey Konovalov
@ 2021-01-18 18:31 ` Catalin Marinas
  2 siblings, 0 replies; 7+ messages in thread
From: Catalin Marinas @ 2021-01-18 18:31 UTC (permalink / raw)
  To: Vincenzo Frascino, Andrey Konovalov, Alexander Potapenko,
	Andrew Morton, Dmitry Vyukov, Marco Elver
  Cc: Will Deacon, linux-kernel, Branislav Rankov, Kevin Brodsky,
	Will Deacon, Andrey Ryabinin, linux-arm-kernel, Evgenii Stepanov,
	Peter Collingbourne, linux-mm, kasan-dev

On Fri, 15 Jan 2021 18:41:51 +0100, Andrey Konovalov wrote:
> Changes v2->v3:
> - Fix up kernel pointer tag in do_tag_check_fault() instead of
>   report_tag_fault().
> 
> Andrey Konovalov (2):
>   kasan, mm: fix conflicts with init_on_alloc/free
>   kasan, arm64: fix pointer tags in KASAN reports
> 
> [...]

Applied to arm64 (for-next/fixes), thanks!

[2/2] kasan, arm64: fix pointer tags in KASAN reports
      https://git.kernel.org/arm64/c/3ed86b9a7140

-- 
Catalin


