From: Daniel Axtens
To: kasan-dev@googlegroups.com, linux-mm@kvack.org, aryabinin@virtuozzo.com, glider@google.com, linux-kernel@vger.kernel.org, dvyukov@google.com
Cc: daniel@iogearbox.net, cai@lca.pw, Daniel Axtens, syzbot+82e323920b78d54aaed5@syzkaller.appspotmail.com, syzbot+59b7daa4315e07a994f1@syzkaller.appspotmail.com
Subject: [PATCH 3/3] kasan: don't assume percpu shadow allocations will succeed
Date: Fri, 6 Dec 2019 01:04:07 +1100
Message-Id: <20191205140407.1874-3-dja@axtens.net>
In-Reply-To: <20191205140407.1874-1-dja@axtens.net>
References: <20191205140407.1874-1-dja@axtens.net>

syzkaller and the fault injector showed that I was wrong to assume that we could ignore percpu shadow allocation failures. Handle failures properly.

Merge all the allocated areas back into the free list and release the shadow, then clean up and return NULL. The shadow is released unconditionally, which relies upon the fact that the release function is able to tolerate pages not being present.

Also clean up shadows in the recovery path - currently they are not released, which leaks a bit of memory.

Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory")
Reported-by: syzbot+82e323920b78d54aaed5@syzkaller.appspotmail.com
Reported-by: syzbot+59b7daa4315e07a994f1@syzkaller.appspotmail.com
Cc: Dmitry Vyukov
Cc: Andrey Ryabinin
Signed-off-by: Daniel Axtens
---
 mm/vmalloc.c | 48 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 10 deletions(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 37af94b6cf30..fa5688093a88 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -3291,7 +3291,7 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned= long *offsets, struct vmap_area **vas, *va; struct vm_struct **vms; int area, area2, last_area, term_area; - unsigned long base, start, size, end, last_end; + unsigned long base, start, size, end, last_end, orig_start, orig_end; bool purged =3D false; enum fit_type type; =20 @@ -3421,6 +3421,15 @@ struct vm_struct **pcpu_get_vm_areas(const unsigne= d long *offsets, =20 spin_unlock(&free_vmap_area_lock); =20 + /* populate the kasan shadow space */ + for (area =3D 0; area < nr_vms; area++) { + if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area])) + goto err_free_shadow; + + kasan_unpoison_vmalloc((void *)vas[area]->va_start, + sizes[area]); + } + /* insert all vm's */ spin_lock(&vmap_area_lock); for (area =3D 0; area < nr_vms; area++) { @@ -3431,13 +3440,6 @@ struct vm_struct **pcpu_get_vm_areas(const unsigne= d long *offsets, } spin_unlock(&vmap_area_lock); =20 - /* populate the shadow space outside of the lock */ - for (area =3D 0; area < nr_vms; area++) { - /* assume success here */ - kasan_populate_vmalloc(vas[area]->va_start, sizes[area]); - kasan_unpoison_vmalloc((void *)vms[area]->addr, sizes[area]); - } - kfree(vas); return vms; =20 @@ -3449,8 +3451,12 @@ struct vm_struct **pcpu_get_vm_areas(const unsigne= d long *offsets, * and when pcpu_get_vm_areas() is success. */ while (area--) { - merge_or_add_vmap_area(vas[area], &free_vmap_area_root, - &free_vmap_area_list); + orig_start =3D vas[area]->va_start; + orig_end =3D vas[area]->va_end; + va =3D merge_or_add_vmap_area(vas[area], &free_vmap_area_root, + &free_vmap_area_list); + kasan_release_vmalloc(orig_start, orig_end, + va->va_start, va->va_end); vas[area] =3D NULL; } =20 
@@ -3485,6 +3491,28 @@ struct vm_struct **pcpu_get_vm_areas(const unsigne= d long *offsets, kfree(vas); kfree(vms); return NULL; + +err_free_shadow: + spin_lock(&free_vmap_area_lock); + /* + * We release all the vmalloc shadows, even the ones for regions that + * hadn't been successfully added. This relies on kasan_release_vmalloc + * being able to tolerate this case. + */ + for (area =3D 0; area < nr_vms; area++) { + orig_start =3D vas[area]->va_start; + orig_end =3D vas[area]->va_end; + va =3D merge_or_add_vmap_area(vas[area], &free_vmap_area_root, + &free_vmap_area_list); + kasan_release_vmalloc(orig_start, orig_end, + va->va_start, va->va_end); + vas[area] =3D NULL; + kfree(vms[area]); + } + spin_unlock(&free_vmap_area_lock); + kfree(vas); + kfree(vms); + return NULL; } =20 /** --=20 2.20.1
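Review bot: in the @@ -3421 hunk, the new populate loop jumps to err_free_shadow after kasan_unpoison_vmalloc() has already run for every area before the failing one, and nothing on that path poisons those areas again; kasan_release_vmalloc() frees shadow pages, but the err_free_shadow comment only promises tolerance of pages that are absent, not that every byte that was unpoisoned here is gone. Either poison the already-unpoisoned areas before the goto, or extend the comment to state why leaving them unpoisoned is safe. Placing the kasan_populate_vmalloc() calls after spin_unlock(&free_vmap_area_lock) and before spin_lock(&vmap_area_lock) is the right spot for a call that allocates, and the one-line comment `/* populate the kasan shadow space */` could say so.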
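Review bot: in the @@ -3449 hunk, orig_start/orig_end are captured before merge_or_add_vmap_area() because the va it returns may have been merged with its neighbours and so cover more than the area being handed back; a short comment giving that reason for passing the original bounds alongside va->va_start/va->va_end would spare the next reader a trip into the merge code. The loop body is also identical to the one added under err_free_shadow, so a small static helper taking vas[area] would keep the two copies from drifting apart.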
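Review bot: in the @@ -3485 hunk, err_free_shadow calls kasan_release_vmalloc() with free_vmap_area_lock held, so that function must never sleep or allocate; the commit message only says it tolerates absent pages, so a sentence confirming it is safe under a spinlock would help. The loop walks all nr_vms areas, including the one whose populate failed and those never attempted, which the comment covers, but it means the `area` value at the goto is simply discarded and `vas[area] = NULL;` is dead here since vas itself is freed right after the loop; dropping that assignment, or noting that it is kept for symmetry with the recovery path, would avoid the question on the next read.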