From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Qian Cai <cai@lca.pw>, Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-mm@kvack.org
Subject: [PATCH AUTOSEL 5.0 044/262] page_poison: play nicely with KASAN
Date: Wed, 27 Mar 2019 13:58:19 -0400 [thread overview]
Message-ID: <20190327180158.10245-44-sashal@kernel.org> (raw)
In-Reply-To: <20190327180158.10245-1-sashal@kernel.org>
From: Qian Cai <cai@lca.pw>
[ Upstream commit 4117992df66a26fa33908b4969e04801534baab1 ]
KASAN does not play well with the page poisoning (CONFIG_PAGE_POISONING).
It triggers false positives in the allocation path:
BUG: KASAN: use-after-free in memchr_inv+0x2ea/0x330
Read of size 8 at addr ffff88881f800000 by task swapper/0
CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc1+ #54
Call Trace:
dump_stack+0xe0/0x19a
print_address_description.cold.2+0x9/0x28b
kasan_report.cold.3+0x7a/0xb5
__asan_report_load8_noabort+0x19/0x20
memchr_inv+0x2ea/0x330
kernel_poison_pages+0x103/0x3d5
get_page_from_freelist+0x15e7/0x4d90
because KASAN has not yet unpoisoned the shadow page for allocation
before it checks memchr_inv() but only found a stale poison pattern.
Also, false positives in free path,
BUG: KASAN: slab-out-of-bounds in kernel_poison_pages+0x29e/0x3d5
Write of size 4096 at addr ffff8888112cc000 by task swapper/0/1
CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1+ #55
Call Trace:
dump_stack+0xe0/0x19a
print_address_description.cold.2+0x9/0x28b
kasan_report.cold.3+0x7a/0xb5
check_memory_region+0x22d/0x250
memset+0x28/0x40
kernel_poison_pages+0x29e/0x3d5
__free_pages_ok+0x75f/0x13e0
due to KASAN adds poisoned redzones around slab objects, but the page
poisoning needs to poison the whole page.
Link: http://lkml.kernel.org/r/20190114233405.67843-1-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/page_alloc.c | 2 +-
mm/page_poison.c | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 0b9f577b1a2a..10d0f2ed9f69 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1945,8 +1945,8 @@ inline void post_alloc_hook(struct page *page, unsigned int order,
arch_alloc_page(page, order);
kernel_map_pages(page, 1 << order, 1);
- kernel_poison_pages(page, 1 << order, 1);
kasan_alloc_pages(page, order);
+ kernel_poison_pages(page, 1 << order, 1);
set_page_owner(page, order, gfp_flags);
}
diff --git a/mm/page_poison.c b/mm/page_poison.c
index f0c15e9017c0..21d4f97cb49b 100644
--- a/mm/page_poison.c
+++ b/mm/page_poison.c
@@ -6,6 +6,7 @@
#include <linux/page_ext.h>
#include <linux/poison.h>
#include <linux/ratelimit.h>
+#include <linux/kasan.h>
static bool want_page_poisoning __read_mostly;
@@ -40,7 +41,10 @@ static void poison_page(struct page *page)
{
void *addr = kmap_atomic(page);
+ /* KASAN still think the page is in-use, so skip it. */
+ kasan_disable_current();
memset(addr, PAGE_POISON, PAGE_SIZE);
+ kasan_enable_current();
kunmap_atomic(addr);
}
--
2.19.1
next prev parent reply other threads:[~2019-03-27 18:03 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190327180158.10245-1-sashal@kernel.org>
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 015/262] memblock: memblock_phys_alloc_try_nid(): don't panic Sasha Levin
2019-03-28 5:57 ` Mike Rapoport
2019-04-04 0:57 ` Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 030/262] mm/sparse: fix a bad comparison Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 031/262] mm/cma.c: cma_declare_contiguous: correct err handling Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 032/262] mm/page_ext.c: fix an imbalance with kmemleak Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 033/262] mm, swap: bounds check swap_info array accesses to avoid NULL derefs Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 035/262] mm,oom: don't kill global init via memory.oom.group Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 036/262] memcg: killed threads should not invoke memcg OOM killer Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 037/262] mm, mempolicy: fix uninit memory access Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 038/262] mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 039/262] mm/slab.c: kmemleak no scan alien caches Sasha Levin
2019-03-27 17:58 ` Sasha Levin [this message]
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 045/262] kasan: fix kasan_check_read/write definitions Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 061/262] mm/resource: Return real error codes from walk failures Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190327180158.10245-44-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=cai@lca.pw \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox