From patchwork Thu Mar 11 15:11:41 2021
X-Patchwork-Submitter: Andrey Konovalov
X-Patchwork-Id: 12131699
Date: Thu, 11 Mar 2021 16:11:41 +0100
Message-Id: <1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com>
Subject: [PATCH] kasan: fix per-page tags for non-page_alloc pages
From: Andrey Konovalov
To: Andrew Morton
Cc: Catalin Marinas, Will Deacon, Vincenzo Frascino, Dmitry Vyukov, Andrey Ryabinin, Alexander Potapenko, Marco Elver, Peter Collingbourne, Evgenii Stepanov, Branislav Rankov, Kevin Brodsky, kasan-dev@googlegroups.com, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov, stable@vger.kernel.org

To allow performing tag checks on page_alloc addresses obtained via page_address(), tag-based KASAN modes store tags for page_alloc allocations in page->flags.

Currently, the default tag value stored in page->flags is 0x00. Therefore, page_address() returns a 0x00ffff... address for pages that were not allocated via page_alloc.

This might cause problems. A particular case we encountered is a conflict with KFENCE. If a KFENCE-allocated slab object is being freed via kfree(page_address(page) + offset), the address passed to kfree() will get tagged with 0x00 (as slab pages keep the default per-page tags). This leads to the is_kfence_address() check failing, and a KFENCE object ending up in the normal slab freelist, which causes memory corruptions.

This patch changes the way KASAN stores tags in page flags: they are now stored xor'ed with 0xff. This way, KASAN doesn't need to initialize per-page flags for every created page, which might be slow. With this change, page_address() returns natively-tagged (with 0xff) pointers for pages that didn't have tags set explicitly.
This patch fixes the encountered conflict with KFENCE and prevents more similar issues that can occur in the future. Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc") Cc: stable@vger.kernel.org Signed-off-by: Andrey Konovalov Reviewed-by: Marco Elver --- include/linux/mm.h | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 77e64e3eac80..c45c28f094a7 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1440,16 +1440,28 @@ static inline bool cpupid_match_pid(struct task_struct *task, int cpupid) #if defined(CONFIG_KASAN_SW_TAGS) || defined(CONFIG_KASAN_HW_TAGS) +/* + * KASAN per-page tags are stored xor'ed with 0xff. This allows to avoid + * setting tags for all pages to native kernel tag value 0xff, as the default + * value 0x00 maps to 0xff. + */ + static inline u8 page_kasan_tag(const struct page *page) { - if (kasan_enabled()) - return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; - return 0xff; + u8 tag = 0xff; + + if (kasan_enabled()) { + tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; + tag ^= 0xff; + } + + return tag; } static inline void page_kasan_tag_set(struct page *page, u8 tag) { if (kasan_enabled()) { + tag ^= 0xff; page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT); page->flags |= (tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT; }
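Review bot: the new comment at the top of the hunk ("This allows to avoid setting tags for all pages to native kernel tag value 0xff, as the default value 0x00 maps to 0xff") reads awkwardly; suggest "This avoids having to set the tag of every page to the native kernel tag value 0xff, since the default flags value 0x00 now decodes to 0xff." A second point on the same hunk: the encoding round-trips only because the XOR is applied to the full 8-bit tag before masking on store (`tag ^= 0xff;` followed by `(tag & KASAN_TAG_MASK)`) and after masking on load (`tag ^= 0xff;` on the masked value), which holds as long as KASAN_TAG_MASK covers all eight tag bits; a one-line comment or a BUILD_BUG_ON stating that assumption next to the new comment would make the invariant explicit for future readers of page_kasan_tag()/page_kasan_tag_set().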
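The encoding change described in the commit message, as an added stand-alone example that is not part of the patch or of the kernel: it models page->flags with constructed layout constants (KASAN_TAG_PGSHIFT, KASAN_TAG_MASK and the pool address are assumed values, not the kernel's), implements the old raw tag storage beside the new xor'ed storage from the hunk, stamps the resulting tag into a page_address()-style pointer, and runs it through a constructed range check standing in for is_kfence_address(). It shows why an untouched page previously produced a 0x00-tagged pointer that fails the range check, and that the xor'ed encoding makes the same untouched page decode to the native 0xff tag while explicitly set tags still round-trip.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel definitions the hunk relies on
 * (assumed values for illustration, not taken from the kernel headers). */
#define KASAN_TAG_WIDTH    8
#define KASAN_TAG_MASK     ((1UL << KASAN_TAG_WIDTH) - 1)
#define KASAN_TAG_PGSHIFT  56
#define KASAN_TAG_KERNEL   0xffu   /* native kernel tag in the pointer top byte */

struct page { unsigned long flags; };   /* only the flags field is modelled */

/* --- before the patch: the tag is stored raw in page->flags --- */
static uint8_t old_page_kasan_tag(const struct page *page)
{
    return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
}

/* Bit manipulation shared by both schemes (same as the hunk's set path). */
static void store_tag_bits(struct page *page, uint8_t tag)
{
    page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT);
    page->flags |= (unsigned long)(tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT;
}

/* --- after the patch: stored value is tag ^ 0xff, so 0x00 decodes to 0xff --- */
static uint8_t new_page_kasan_tag(const struct page *page)
{
    uint8_t tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
    return tag ^ 0xff;
}

static void new_page_kasan_tag_set(struct page *page, uint8_t tag)
{
    store_tag_bits(page, tag ^ 0xff);
}

/* Model of how page_address() stamps the per-page tag into the top byte. */
static uintptr_t tag_address(uintptr_t untagged, uint8_t tag)
{
    return (untagged & 0x00fffffffffffffful) | ((uintptr_t)tag << 56);
}

/* Constructed model of a range check like is_kfence_address(): the pool
 * bounds carry the native 0xff tag, so a pointer whose top byte differs
 * compares outside the pool even when its low bits point into it. */
#define POOL_BASE 0xffff800010000000ul   /* constructed address */
#define POOL_SIZE 0x200000ul
static int in_pool(uintptr_t addr)
{
    return addr >= POOL_BASE && addr < POOL_BASE + POOL_SIZE;
}

/* Untouched page (flags == 0, tag never set): which tag does each scheme report? */
static uint8_t untouched_old_tag(void) { struct page p = { 0 }; return old_page_kasan_tag(&p); }
static uint8_t untouched_new_tag(void) { struct page p = { 0 }; return new_page_kasan_tag(&p); }

/* Does a kfree(page_address(page) + off)-style pointer still pass the range check? */
static int untouched_page_passes_range_check(int use_new_scheme)
{
    struct page p = { 0 };
    uintptr_t untagged = POOL_BASE + 0x1000;   /* an object inside the pool */
    uint8_t tag = use_new_scheme ? new_page_kasan_tag(&p) : old_page_kasan_tag(&p);
    return in_pool(tag_address(untagged, tag));
}

/* Round trip for explicitly tagged pages: set, then read back. */
static uint8_t new_roundtrip(uint8_t tag)
{
    struct page p = { 0 };
    new_page_kasan_tag_set(&p, tag);
    return new_page_kasan_tag(&p);
}

/* Raw byte left in the flags word, to show the xor'ed encoding. */
static uint8_t new_stored_byte(uint8_t tag)
{
    struct page p = { 0 };
    new_page_kasan_tag_set(&p, tag);
    return (p.flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
}

int main(void)
{
    printf("untouched page: old tag 0x%02x, new tag 0x%02x\n",
           untouched_old_tag(), untouched_new_tag());
    printf("range check on untouched page: old %d, new %d\n",
           untouched_page_passes_range_check(0), untouched_page_passes_range_check(1));
    printf("tag 0x3a round trip: 0x%02x (stored as 0x%02x)\n",
           new_roundtrip(0x3a), new_stored_byte(0x3a));
    return 0;
}
```

The XOR is an involution, so set followed by get returns the original tag for every value, and the native tag 0xff is the one value that encodes to 0x00, which is exactly what a freshly zeroed flags word already holds. That is why the patch can skip initialising per-page tags: no write is needed for the common case, only the decode changes.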