Re: [PATCH v2 0/7] KASan for arm

Re: [PATCH v2 0/7] KASan for arm

[Liuwenliang (Abbott Liu)]

On 26 March 2018 at 7:59, Joel Stanley  <joel.stan@gmail.com> wrote:
>On 18 March 2018 at 23:23, Abbott Liu <liuwenliang@huawei.com> wrote:
>
>>    These patches add arch specific code for kernel address sanitizer 
>> (see Documentation/kasan.txt).
>
>Thanks for implementing this. I gave the series a spin on an ASPEED
>ast2500 (ARMv5) system with aspeed_g5_defconfig.
>
>It found a bug in the NCSI code (https://github.com/openbmc/linux/issues/146).
>
>Tested-by: Joel Stanley <joel@jms.id.au>
>
>Cheers,
>
>Joel

Thanks for your test.

Re: [PATCH v2 0/7] KASan for arm

[Joel Stanley]

On 18 March 2018 at 23:23, Abbott Liu <liuwenliang@huawei.com> wrote:

>    These patches add arch specific code for kernel address sanitizer
> (see Documentation/kasan.txt).

Thanks for implementing this. I gave the series a spin on an ASPEED
ast2500 (ARMv5) system with aspeed_g5_defconfig.

It found a bug in the NCSI code (https://github.com/openbmc/linux/issues/146).

Tested-by: Joel Stanley <joel@jms.id.au>

Cheers,

Joel

Re: [PATCH v2 0/7] KASan for arm

[Liuwenliang (Abbott Liu)]

On 03/20/2018 2:30 AM, Abbott Liu wrote:
>BTW, it looks like you have some section mismatches:
>
>WARNING: vmlinux.o(.meminit.text+0x40): Section mismatch in reference
>from the function kasan_pte_populate() to the function
>.init.text:kasan_alloc_block.constprop.5()
>The function __meminit kasan_pte_populate() references
>a function __init kasan_alloc_block.constprop.5().
>If kasan_alloc_block.constprop.5 is only used by kasan_pte_populate then
>annotate kasan_alloc_block.constprop.5 with a matching annotation.
>
>WARNING: vmlinux.o(.meminit.text+0x144): Section mismatch in reference
>from the function kasan_pmd_populate() to the function
>.init.text:kasan_alloc_block.constprop.5()
>The function __meminit kasan_pmd_populate() references
>a function __init kasan_alloc_block.constprop.5().
>If kasan_alloc_block.constprop.5 is only used by kasan_pmd_populate then
>annotate kasan_alloc_block.constprop.5 with a matching annotation.
>
>WARNING: vmlinux.o(.meminit.text+0x1a4): Section mismatch in reference
>from the function kasan_pud_populate() to the function
>.init.text:kasan_alloc_block.constprop.5()
>The function __meminit kasan_pud_populate() references
>a function __init kasan_alloc_block.constprop.5().
>If kasan_alloc_block.constprop.5 is only used by kasan_pud_populate then
>annotate kasan_alloc_block.constprop.5 with a matching annotation.

Thanks for your testing.
I don't know why the compiler on my machine doesn't report this waring.
Could you test again with adding the following code:
liuwenliang@linux:/home/soft_disk/yocto/linux-git/linux> git diff
diff --git a/arch/arm/mm/kasan_init.c b/arch/arm/mm/kasan_init.c
index d316f37..ae14d19 100644
--- a/arch/arm/mm/kasan_init.c
+++ b/arch/arm/mm/kasan_init.c
@@ -115,7 +115,7 @@ static void __init clear_pgds(unsigned long start,
                pmd_clear(pmd_off_k(start));
 }

-pte_t * __meminit kasan_pte_populate(pmd_t *pmd, unsigned long addr, int node)
+pte_t * __init kasan_pte_populate(pmd_t *pmd, unsigned long addr, int node)
 {
        pte_t *pte = pte_offset_kernel(pmd, addr);

@@ -132,7 +132,7 @@ pte_t * __meminit kasan_pte_populate(pmd_t *pmd, unsigned long addr, int node)
        return pte;
 }

-pmd_t * __meminit kasan_pmd_populate(pud_t *pud, unsigned long addr, int node)
+pmd_t * __init kasan_pmd_populate(pud_t *pud, unsigned long addr, int node)
 {
        pmd_t *pmd = pmd_offset(pud, addr);

@@ -146,7 +146,7 @@ pmd_t * __meminit kasan_pmd_populate(pud_t *pud, unsigned long addr, int node)
        return pmd;
 }

-pud_t * __meminit kasan_pud_populate(pgd_t *pgd, unsigned long addr, int node)
+pud_t * __init kasan_pud_populate(pgd_t *pgd, unsigned long addr, int node)
 {
        pud_t *pud = pud_offset(pgd, addr);

@@ -161,7 +161,7 @@ pud_t * __meminit kasan_pud_populate(pgd_t *pgd, unsigned long addr, int node)
        return pud;
 }

-pgd_t * __meminit kasan_pgd_populate(unsigned long addr, int node)
+pgd_t * __init kasan_pgd_populate(unsigned long addr, int node)
 {
        pgd_t *pgd = pgd_offset_k(addr);

Re: [PATCH v2 0/7] KASan for arm

[Liuwenliang (Abbott Liu)]

On Mon, Mar 19, 2018 at 16:44 , Dmitry Vyukov wrote:
>Hi Abbott,
>
>I've skimmed through the changes and they generally look good to me. I
>am not an expect in arm, so I did not look too closely on these parts
>(which is actually most of the changes).
>
>FWIW
>Acked-by: Dmitry Vyukov <dvyukov@google.com>
>
>Please also update set of supported archs at the top of
>Documentation/dev-tools/kasan.rst
>
>Thanks for working on upstreaming this!

Thanks for your review.
I will update set of supported archs just like this:
diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst
index f7a18f2..d92120d 100644
--- a/Documentation/dev-tools/kasan.rst
+++ b/Documentation/dev-tools/kasan.rst
@@ -12,7 +12,7 @@ KASAN uses compile-time instrumentation for checking every memory access,
 therefore you will need a GCC version 4.9.2 or later. GCC 5.0 or later is
 required for detection of out-of-bounds accesses to stack or global variables.

-Currently KASAN is supported only for the x86_64 and arm64 architectures.
+Currently KASAN is supported only for the x86_64, arm64 and arm architectures.

Re: [PATCH v2 0/7] KASan for arm

[Florian Fainelli]

On 03/18/2018 05:53 AM, Abbott Liu wrote:
> Changelog:
> v2 - v1
> - Fixed some compiling error which happens on changing kernel compression
>   mode to lzma/xz/lzo/lz4.
>   ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
> 	     Russell King - ARM Linux <linux@armlinux.org.uk>
> - Fixed a compiling error cause by some older arm instruction set(armv4t)
>   don't suppory movw/movt which is reported by kbuild.
> - Changed the pte flag from _L_PTE_DEFAULT | L_PTE_DIRTY | L_PTE_XN to
>   pgprot_val(PAGE_KERNEL).
>   ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
> - Moved Enable KASan patch as the last one.
>   ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
>      Russell King - ARM Linux <linux@armlinux.org.uk>
> - Moved the definitions of cp15 registers from 
>   arch/arm/include/asm/kvm_hyp.h to arch/arm/include/asm/cp15.h.
>   ---Asked by: Mark Rutland <mark.rutland@arm.com>
> - Merge the following commits into the commit
>   Define the virtual space of KASan's shadow region:
>   1) Define the virtual space of KASan's shadow region;
>   2) Avoid cleaning the KASan shadow area's mapping table;
>   3) Add KASan layout;
> - Merge the following commits into the commit
>   Initialize the mapping of KASan shadow memory:
>   1) Initialize the mapping of KASan shadow memory;
>   2) Add support arm LPAE;
>   3) Don't need to map the shadow of KASan's shadow memory;
>      ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
>   4) Change mapping of kasan_zero_page int readonly.
> 
> Hi,all:
>    These patches add arch specific code for kernel address sanitizer
> (see Documentation/kasan.txt).
> 
>    1/8 of kernel addresses reserved for shadow memory. There was no
> big enough hole for this, so virtual addresses for shadow were
> stolen from user space.
> 
>    At early boot stage the whole shadow region populated with just
> one physical page (kasan_zero_page). Later, this page reused
> as readonly zero shadow for some memory that KASan currently
> don't track (vmalloc).
> 
>   After mapping the physical memory, pages for shadow memory are
> allocated and mapped.
>   
>   KASan's stack instrumentation significantly increases stack's
> consumption, so CONFIG_KASAN doubles THREAD_SIZE.
> 
>   Functions like memset/memmove/memcpy do a lot of memory accesses.
> If bad pointer passed to one of these function it is important
> to catch this. Compiler's instrumentation cannot do this since
> these functions are written in assembly.
> 
>   KASan replaces memory functions with manually instrumented variants.
> Original functions declared as weak symbols so strong definitions
> in mm/kasan/kasan.c could replace them. Original functions have aliases
> with '__' prefix in name, so we could call non-instrumented variant
> if needed.
> 
>   Some files built without kasan instrumentation (e.g. mm/slub.c).
> Original mem* function replaced (via #define) with prefixed variants
> to disable memory access checks for such files.
> 
>   On arm LPAE architecture,  the mapping table of KASan shadow memory(if
> PAGE_OFFSET is 0xc0000000, the KASan shadow memory's virtual space is
> 0xb6e000000~0xbf000000) can't be filled in do_translation_fault function,
> because kasan instrumentation maybe cause do_translation_fault function
> accessing KASan shadow memory. The accessing of KASan shadow memory in
> do_translation_fault function maybe cause dead circle. So the mapping table
> of KASan shadow memory need be copyed in pgd_alloc function.
> 
> 
> Most of the code comes from:
> https://github.com/aryabinin/linux/commit/0b54f17e70ff50a902c4af05bb92716eb95acefe
> 
> These patches are tested on vexpress-ca15, vexpress-ca9

BTW, it looks like you have some section mismatches:

WARNING: vmlinux.o(.meminit.text+0x40): Section mismatch in reference
from the function kasan_pte_populate() to the function
.init.text:kasan_alloc_block.constprop.5()
The function __meminit kasan_pte_populate() references
a function __init kasan_alloc_block.constprop.5().
If kasan_alloc_block.constprop.5 is only used by kasan_pte_populate then
annotate kasan_alloc_block.constprop.5 with a matching annotation.

WARNING: vmlinux.o(.meminit.text+0x144): Section mismatch in reference
from the function kasan_pmd_populate() to the function
.init.text:kasan_alloc_block.constprop.5()
The function __meminit kasan_pmd_populate() references
a function __init kasan_alloc_block.constprop.5().
If kasan_alloc_block.constprop.5 is only used by kasan_pmd_populate then
annotate kasan_alloc_block.constprop.5 with a matching annotation.

WARNING: vmlinux.o(.meminit.text+0x1a4): Section mismatch in reference
from the function kasan_pud_populate() to the function
.init.text:kasan_alloc_block.constprop.5()
The function __meminit kasan_pud_populate() references
a function __init kasan_alloc_block.constprop.5().
If kasan_alloc_block.constprop.5 is only used by kasan_pud_populate then
annotate kasan_alloc_block.constprop.5 with a matching annotation.


> 
> 
> 
> Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
> Tested-by: Abbott Liu <liuwenliang@huawei.com>
> Signed-off-by: Abbott Liu <liuwenliang@huawei.com>
> 
> Abbott Liu (3):
>   2 1-byte checks more safer for memory_is_poisoned_16
>   Add TTBR operator for kasan_init
>   Define the virtual space of KASan's shadow region
> 
> Andrey Ryabinin (4):
>   Disable instrumentation for some code
>   Replace memory function for kasan
>   Initialize the mapping of KASan shadow memory
>   Enable KASan for arm
> 
>  arch/arm/Kconfig                      |   1 +
>  arch/arm/boot/compressed/Makefile     |   1 +
>  arch/arm/boot/compressed/decompress.c |   2 +
>  arch/arm/boot/compressed/libfdt_env.h |   2 +
>  arch/arm/include/asm/cp15.h           | 104 ++++++++++++
>  arch/arm/include/asm/kasan.h          |  23 +++
>  arch/arm/include/asm/kasan_def.h      |  52 ++++++
>  arch/arm/include/asm/kvm_hyp.h        |  52 ------
>  arch/arm/include/asm/memory.h         |   5 +
>  arch/arm/include/asm/pgalloc.h        |   7 +-
>  arch/arm/include/asm/string.h         |  17 ++
>  arch/arm/include/asm/thread_info.h    |   4 +
>  arch/arm/kernel/entry-armv.S          |   5 +-
>  arch/arm/kernel/entry-common.S        |   6 +-
>  arch/arm/kernel/head-common.S         |   7 +-
>  arch/arm/kernel/setup.c               |   2 +
>  arch/arm/kernel/unwind.c              |   3 +-
>  arch/arm/kvm/hyp/cp15-sr.c            |  12 +-
>  arch/arm/kvm/hyp/switch.c             |   6 +-
>  arch/arm/lib/memcpy.S                 |   3 +
>  arch/arm/lib/memmove.S                |   5 +-
>  arch/arm/lib/memset.S                 |   3 +
>  arch/arm/mm/Makefile                  |   3 +
>  arch/arm/mm/init.c                    |   6 +
>  arch/arm/mm/kasan_init.c              | 290 ++++++++++++++++++++++++++++++++++
>  arch/arm/mm/mmu.c                     |   7 +-
>  arch/arm/mm/pgd.c                     |  14 ++
>  arch/arm/vdso/Makefile                |   2 +
>  mm/kasan/kasan.c                      |  24 ++-
>  29 files changed, 588 insertions(+), 80 deletions(-)
>  create mode 100644 arch/arm/include/asm/kasan.h
>  create mode 100644 arch/arm/include/asm/kasan_def.h
>  create mode 100644 arch/arm/mm/kasan_init.c
> 


-- 
Florian

Re: [PATCH v2 0/7] KASan for arm

[Dmitry Vyukov]

On Mon, Mar 19, 2018 at 2:56 AM, Liuwenliang (Abbott Liu)
<liuwenliang@huawei.com> wrote:
> On 03/19/2018 09:23 AM, Florian Fainelli wrote:
>>On 03/18/2018 06:20 PM, Liuwenliang (Abbott Liu) wrote:
>>> On 03/19/2018 03:14 AM, Florian Fainelli wrote:
>>>> Thanks for posting these patches! Just FWIW, you cannot quite add
>>>> someone's Tested-by for a patch series that was just resubmitted given
>>>> the differences with v1. I just gave it a spin on a Cortex-A5 (no LPAE)
>>>> and it looks like test_kasan.ko is passing, great job!
>>>
>>> I'm sorry.
>>> Thanks for your testing very much!
>>> I forget to add Tested-by in cover letter patch file. But I have alreadly added
>>> Tested-by in some of following patch.
>>> In the next version I am going to add Tested-by in all patches.
>>
>>This is not exactly what I meant. When you submit a v2 of your patches,
>>you must wait for people to give you their test results. The Tested-by
>>applied to v1, and so much has changed it is no longer valid for v2
>>unless someone tells you they tested v2. Hope this is clearer.
>
> Ok, I understand now. thank you for your explanation.


Hi Abbott,

I've skimmed through the changes and they generally look good to me. I
am not an expect in arm, so I did not look too closely on these parts
(which is actually most of the changes).

FWIW
Acked-by: Dmitry Vyukov <dvyukov@google.com>

Please also update set of supported archs at the top of
Documentation/dev-tools/kasan.rst

Thanks for working on upstreaming this!

Re: [PATCH v2 0/7] KASan for arm

[Liuwenliang (Abbott Liu)]

On 03/19/2018 09:23 AM, Florian Fainelli wrote:
>On 03/18/2018 06:20 PM, Liuwenliang (Abbott Liu) wrote:
>> On 03/19/2018 03:14 AM, Florian Fainelli wrote:
>>> Thanks for posting these patches! Just FWIW, you cannot quite add
>>> someone's Tested-by for a patch series that was just resubmitted given
>>> the differences with v1. I just gave it a spin on a Cortex-A5 (no LPAE)
>>> and it looks like test_kasan.ko is passing, great job!
>> 
>> I'm sorry.
>> Thanks for your testing very much!
>> I forget to add Tested-by in cover letter patch file. But I have alreadly added
>> Tested-by in some of following patch. 
>> In the next version I am going to add Tested-by in all patches.
>
>This is not exactly what I meant. When you submit a v2 of your patches,
>you must wait for people to give you their test results. The Tested-by
>applied to v1, and so much has changed it is no longer valid for v2
>unless someone tells you they tested v2. Hope this is clearer.

Ok, I understand now. thank you for your explanation.

Re: [PATCH v2 0/7] KASan for arm

[Florian Fainelli]

On 03/18/2018 06:20 PM, Liuwenliang (Abbott Liu) wrote:
> On 03/19/2018 03:14 AM, Florian Fainelli wrote:
>> Thanks for posting these patches! Just FWIW, you cannot quite add
>> someone's Tested-by for a patch series that was just resubmitted given
>> the differences with v1. I just gave it a spin on a Cortex-A5 (no LPAE)
>> and it looks like test_kasan.ko is passing, great job!
> 
> I'm sorry.
> Thanks for your testing very much!
> I forget to add Tested-by in cover letter patch file. But I have alreadly added
> Tested-by in some of following patch. 
> In the next version I am going to add Tested-by in all patches.

This is not exactly what I meant. When you submit a v2 of your patches,
you must wait for people to give you their test results. The Tested-by
applied to v1, and so much has changed it is no longer valid for v2
unless someone tells you they tested v2. Hope this is clearer.
-- 
Florian

Re: [PATCH v2 0/7] KASan for arm

[Liuwenliang (Abbott Liu)]

On 03/19/2018 03:14 AM, Florian Fainelli wrote:
>Thanks for posting these patches! Just FWIW, you cannot quite add
>someone's Tested-by for a patch series that was just resubmitted given
>the differences with v1. I just gave it a spin on a Cortex-A5 (no LPAE)
>and it looks like test_kasan.ko is passing, great job!

I'm sorry.
Thanks for your testing very much!
I forget to add Tested-by in cover letter patch file. But I have alreadly added
Tested-by in some of following patch. 
In the next version I am going to add Tested-by in all patches.

Re: [PATCH v2 0/7] KASan for arm

[Florian Fainelli]

Hi Abbott,

On 03/18/2018 05:53 AM, Abbott Liu wrote:
> Changelog:
> v2 - v1
> - Fixed some compiling error which happens on changing kernel compression
>   mode to lzma/xz/lzo/lz4.
>   ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
> 	     Russell King - ARM Linux <linux@armlinux.org.uk>
> - Fixed a compiling error cause by some older arm instruction set(armv4t)
>   don't suppory movw/movt which is reported by kbuild.
> - Changed the pte flag from _L_PTE_DEFAULT | L_PTE_DIRTY | L_PTE_XN to
>   pgprot_val(PAGE_KERNEL).
>   ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
> - Moved Enable KASan patch as the last one.
>   ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
>      Russell King - ARM Linux <linux@armlinux.org.uk>
> - Moved the definitions of cp15 registers from 
>   arch/arm/include/asm/kvm_hyp.h to arch/arm/include/asm/cp15.h.
>   ---Asked by: Mark Rutland <mark.rutland@arm.com>
> - Merge the following commits into the commit
>   Define the virtual space of KASan's shadow region:
>   1) Define the virtual space of KASan's shadow region;
>   2) Avoid cleaning the KASan shadow area's mapping table;
>   3) Add KASan layout;
> - Merge the following commits into the commit
>   Initialize the mapping of KASan shadow memory:
>   1) Initialize the mapping of KASan shadow memory;
>   2) Add support arm LPAE;
>   3) Don't need to map the shadow of KASan's shadow memory;
>      ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
>   4) Change mapping of kasan_zero_page int readonly.

Thanks for posting these patches! Just FWIW, you cannot quite add
someone's Tested-by for a patch series that was just resubmitted given
the differences with v1. I just gave it a spin on a Cortex-A5 (no LPAE)
and it looks like test_kasan.ko is passing, great job!

> 
> Hi,all:
>    These patches add arch specific code for kernel address sanitizer
> (see Documentation/kasan.txt).
> 
>    1/8 of kernel addresses reserved for shadow memory. There was no
> big enough hole for this, so virtual addresses for shadow were
> stolen from user space.
> 
>    At early boot stage the whole shadow region populated with just
> one physical page (kasan_zero_page). Later, this page reused
> as readonly zero shadow for some memory that KASan currently
> don't track (vmalloc).
> 
>   After mapping the physical memory, pages for shadow memory are
> allocated and mapped.
>   
>   KASan's stack instrumentation significantly increases stack's
> consumption, so CONFIG_KASAN doubles THREAD_SIZE.
> 
>   Functions like memset/memmove/memcpy do a lot of memory accesses.
> If bad pointer passed to one of these function it is important
> to catch this. Compiler's instrumentation cannot do this since
> these functions are written in assembly.
> 
>   KASan replaces memory functions with manually instrumented variants.
> Original functions declared as weak symbols so strong definitions
> in mm/kasan/kasan.c could replace them. Original functions have aliases
> with '__' prefix in name, so we could call non-instrumented variant
> if needed.
> 
>   Some files built without kasan instrumentation (e.g. mm/slub.c).
> Original mem* function replaced (via #define) with prefixed variants
> to disable memory access checks for such files.
> 
>   On arm LPAE architecture,  the mapping table of KASan shadow memory(if
> PAGE_OFFSET is 0xc0000000, the KASan shadow memory's virtual space is
> 0xb6e000000~0xbf000000) can't be filled in do_translation_fault function,
> because kasan instrumentation maybe cause do_translation_fault function
> accessing KASan shadow memory. The accessing of KASan shadow memory in
> do_translation_fault function maybe cause dead circle. So the mapping table
> of KASan shadow memory need be copyed in pgd_alloc function.
> 
> 
> Most of the code comes from:
> https://github.com/aryabinin/linux/commit/0b54f17e70ff50a902c4af05bb92716eb95acefe
> 
> These patches are tested on vexpress-ca15, vexpress-ca9
> 
> 
> 
> Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
> Tested-by: Abbott Liu <liuwenliang@huawei.com>
> Signed-off-by: Abbott Liu <liuwenliang@huawei.com>
> 
> Abbott Liu (3):
>   2 1-byte checks more safer for memory_is_poisoned_16
>   Add TTBR operator for kasan_init
>   Define the virtual space of KASan's shadow region
> 
> Andrey Ryabinin (4):
>   Disable instrumentation for some code
>   Replace memory function for kasan
>   Initialize the mapping of KASan shadow memory
>   Enable KASan for arm
> 
>  arch/arm/Kconfig                      |   1 +
>  arch/arm/boot/compressed/Makefile     |   1 +
>  arch/arm/boot/compressed/decompress.c |   2 +
>  arch/arm/boot/compressed/libfdt_env.h |   2 +
>  arch/arm/include/asm/cp15.h           | 104 ++++++++++++
>  arch/arm/include/asm/kasan.h          |  23 +++
>  arch/arm/include/asm/kasan_def.h      |  52 ++++++
>  arch/arm/include/asm/kvm_hyp.h        |  52 ------
>  arch/arm/include/asm/memory.h         |   5 +
>  arch/arm/include/asm/pgalloc.h        |   7 +-
>  arch/arm/include/asm/string.h         |  17 ++
>  arch/arm/include/asm/thread_info.h    |   4 +
>  arch/arm/kernel/entry-armv.S          |   5 +-
>  arch/arm/kernel/entry-common.S        |   6 +-
>  arch/arm/kernel/head-common.S         |   7 +-
>  arch/arm/kernel/setup.c               |   2 +
>  arch/arm/kernel/unwind.c              |   3 +-
>  arch/arm/kvm/hyp/cp15-sr.c            |  12 +-
>  arch/arm/kvm/hyp/switch.c             |   6 +-
>  arch/arm/lib/memcpy.S                 |   3 +
>  arch/arm/lib/memmove.S                |   5 +-
>  arch/arm/lib/memset.S                 |   3 +
>  arch/arm/mm/Makefile                  |   3 +
>  arch/arm/mm/init.c                    |   6 +
>  arch/arm/mm/kasan_init.c              | 290 ++++++++++++++++++++++++++++++++++
>  arch/arm/mm/mmu.c                     |   7 +-
>  arch/arm/mm/pgd.c                     |  14 ++
>  arch/arm/vdso/Makefile                |   2 +
>  mm/kasan/kasan.c                      |  24 ++-
>  29 files changed, 588 insertions(+), 80 deletions(-)
>  create mode 100644 arch/arm/include/asm/kasan.h
>  create mode 100644 arch/arm/include/asm/kasan_def.h
>  create mode 100644 arch/arm/mm/kasan_init.c
> 

-- 
Florian

[PATCH v2 0/7] KASan for arm

[Abbott Liu]

Changelog:
v2 - v1
- Fixed some compiling error which happens on changing kernel compression
  mode to lzma/xz/lzo/lz4.
  ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
	     Russell King - ARM Linux <linux@armlinux.org.uk>
- Fixed a compiling error cause by some older arm instruction set(armv4t)
  don't suppory movw/movt which is reported by kbuild.
- Changed the pte flag from _L_PTE_DEFAULT | L_PTE_DIRTY | L_PTE_XN to
  pgprot_val(PAGE_KERNEL).
  ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
- Moved Enable KASan patch as the last one.
  ---Reported by: Florian Fainelli <f.fainelli@gmail.com>,
     Russell King - ARM Linux <linux@armlinux.org.uk>
- Moved the definitions of cp15 registers from 
  arch/arm/include/asm/kvm_hyp.h to arch/arm/include/asm/cp15.h.
  ---Asked by: Mark Rutland <mark.rutland@arm.com>
- Merge the following commits into the commit
  Define the virtual space of KASan's shadow region:
  1) Define the virtual space of KASan's shadow region;
  2) Avoid cleaning the KASan shadow area's mapping table;
  3) Add KASan layout;
- Merge the following commits into the commit
  Initialize the mapping of KASan shadow memory:
  1) Initialize the mapping of KASan shadow memory;
  2) Add support arm LPAE;
  3) Don't need to map the shadow of KASan's shadow memory;
     ---Reported by: Russell King - ARM Linux <linux@armlinux.org.uk>
  4) Change mapping of kasan_zero_page int readonly.

Hi,all:
   These patches add arch specific code for kernel address sanitizer
(see Documentation/kasan.txt).

   1/8 of kernel addresses reserved for shadow memory. There was no
big enough hole for this, so virtual addresses for shadow were
stolen from user space.

   At early boot stage the whole shadow region populated with just
one physical page (kasan_zero_page). Later, this page reused
as readonly zero shadow for some memory that KASan currently
don't track (vmalloc).

  After mapping the physical memory, pages for shadow memory are
allocated and mapped.
  
  KASan's stack instrumentation significantly increases stack's
consumption, so CONFIG_KASAN doubles THREAD_SIZE.

  Functions like memset/memmove/memcpy do a lot of memory accesses.
If bad pointer passed to one of these function it is important
to catch this. Compiler's instrumentation cannot do this since
these functions are written in assembly.

  KASan replaces memory functions with manually instrumented variants.
Original functions declared as weak symbols so strong definitions
in mm/kasan/kasan.c could replace them. Original functions have aliases
with '__' prefix in name, so we could call non-instrumented variant
if needed.

  Some files built without kasan instrumentation (e.g. mm/slub.c).
Original mem* function replaced (via #define) with prefixed variants
to disable memory access checks for such files.

  On arm LPAE architecture,  the mapping table of KASan shadow memory(if
PAGE_OFFSET is 0xc0000000, the KASan shadow memory's virtual space is
0xb6e000000~0xbf000000) can't be filled in do_translation_fault function,
because kasan instrumentation maybe cause do_translation_fault function
accessing KASan shadow memory. The accessing of KASan shadow memory in
do_translation_fault function maybe cause dead circle. So the mapping table
of KASan shadow memory need be copyed in pgd_alloc function.


Most of the code comes from:
https://github.com/aryabinin/linux/commit/0b54f17e70ff50a902c4af05bb92716eb95acefe

These patches are tested on vexpress-ca15, vexpress-ca9



Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
Tested-by: Abbott Liu <liuwenliang@huawei.com>
Signed-off-by: Abbott Liu <liuwenliang@huawei.com>

Abbott Liu (3):
  2 1-byte checks more safer for memory_is_poisoned_16
  Add TTBR operator for kasan_init
  Define the virtual space of KASan's shadow region

Andrey Ryabinin (4):
  Disable instrumentation for some code
  Replace memory function for kasan
  Initialize the mapping of KASan shadow memory
  Enable KASan for arm

 arch/arm/Kconfig                      |   1 +
 arch/arm/boot/compressed/Makefile     |   1 +
 arch/arm/boot/compressed/decompress.c |   2 +
 arch/arm/boot/compressed/libfdt_env.h |   2 +
 arch/arm/include/asm/cp15.h           | 104 ++++++++++++
 arch/arm/include/asm/kasan.h          |  23 +++
 arch/arm/include/asm/kasan_def.h      |  52 ++++++
 arch/arm/include/asm/kvm_hyp.h        |  52 ------
 arch/arm/include/asm/memory.h         |   5 +
 arch/arm/include/asm/pgalloc.h        |   7 +-
 arch/arm/include/asm/string.h         |  17 ++
 arch/arm/include/asm/thread_info.h    |   4 +
 arch/arm/kernel/entry-armv.S          |   5 +-
 arch/arm/kernel/entry-common.S        |   6 +-
 arch/arm/kernel/head-common.S         |   7 +-
 arch/arm/kernel/setup.c               |   2 +
 arch/arm/kernel/unwind.c              |   3 +-
 arch/arm/kvm/hyp/cp15-sr.c            |  12 +-
 arch/arm/kvm/hyp/switch.c             |   6 +-
 arch/arm/lib/memcpy.S                 |   3 +
 arch/arm/lib/memmove.S                |   5 +-
 arch/arm/lib/memset.S                 |   3 +
 arch/arm/mm/Makefile                  |   3 +
 arch/arm/mm/init.c                    |   6 +
 arch/arm/mm/kasan_init.c              | 290 ++++++++++++++++++++++++++++++++++
 arch/arm/mm/mmu.c                     |   7 +-
 arch/arm/mm/pgd.c                     |  14 ++
 arch/arm/vdso/Makefile                |   2 +
 mm/kasan/kasan.c                      |  24 ++-
 29 files changed, 588 insertions(+), 80 deletions(-)
 create mode 100644 arch/arm/include/asm/kasan.h
 create mode 100644 arch/arm/include/asm/kasan_def.h
 create mode 100644 arch/arm/mm/kasan_init.c

-- 
2.9.0