From: Andrey Konovalov
Date: Thu, 2 Feb 2023 13:59:29 +0100
Subject: Re: [PATCH v2 0/4] kasan: Fix ordering between MTE tag colouring and page->flags
To: Kuan-Ying Lee (李冠穎)
Cc: ryabinin.a.a@gmail.com, catalin.marinas@arm.com, Qun-wei Lin (林群崴), Guangye Yang (杨光业), linux-mm@kvack.org, kasan-dev@googlegroups.com, linux-arm-kernel@lists.infradead.org, pcc@google.com, vincenzo.frascino@arm.com, will@kernel.org
In-Reply-To: <66cc7277b0e9778ba33e8b22a4a51c19a50fe6f0.camel@mediatek.com>
References: <20220610152141.2148929-1-catalin.marinas@arm.com> <66cc7277b0e9778ba33e8b22a4a51c19a50fe6f0.camel@mediatek.com>

On Thu, Feb 2, 2023 at 6:25 AM Kuan-Ying Lee (李冠穎) wrote:
>
> On Fri, 2022-06-10 at 16:21 +0100, Catalin Marinas wrote:
> > Hi,
> >
> > That's a second attempt on fixing the race between setting the
> > allocation (in-memory) tags in a page and the corresponding logical tag
> > in page->flags. Initial version here:
> >
> > https://lore.kernel.org/r/20220517180945.756303-1-catalin.marinas@arm.com
> >
> > This new series does not introduce any new GFP flags but instead always
> > skips unpoisoning of the user pages (we already skip the poisoning on
> > free). Any unpoisoned page will have the page->flags tag reset.
> >
> > For the background:
> >
> > On a system with MTE and KASAN_HW_TAGS enabled, when a page is allocated
> > kasan_unpoison_pages() sets a random tag and saves it in page->flags so
> > that page_to_virt() re-creates the correct tagged pointer. We need to
> > ensure that the in-memory tags are visible before setting the
> > page->flags:
> >
> >   P0 (__kasan_unpoison_range):        P1 (access via virt_to_page):
> >     Wtags=x                             Rflags=x
> >       |                                   |
> >       | DMB                               | address dependency
> >       V                                   V
> >     Wflags=x                            Rtags=x
> >
> > The first patch changes the order of page unpoisoning with the tag
> > storing in page->flags. page_kasan_tag_set() has the right barriers
> > through try_cmpxchg().
> >
> > If a page is mapped in user-space with PROT_MTE, the architecture code
> > will set the allocation tag to 0 and a subsequent page_to_virt()
> > dereference will fault. We currently try to fix this by resetting the
> > tag in page->flags so that it is 0xff (match-all, not faulting).
> > However, setting the tags and flags can race with another CPU reading
> > the flags (page_to_virt()) and barriers can't help, e.g.:
> >
> >   P0 (mte_sync_page_tags):            P1 (memcpy from virt_to_page):
> >                                         Rflags!=0xff
> >     Wflags=0xff
> >     DMB (doesn't help)
> >     Wtags=0
> >                                         Rtags=0   // fault
> >
> > Since clearing the flags in the arch code doesn't work, do this at
> > page allocation time when __GFP_SKIP_KASAN_UNPOISON is passed.
> >
> > Thanks.
> >
> > Catalin Marinas (4):
> >   mm: kasan: Ensure the tags are visible before the tag in page->flags
> >   mm: kasan: Skip unpoisoning of user pages
> >   mm: kasan: Skip page unpoisoning only if __GFP_SKIP_KASAN_UNPOISON
> >   arm64: kasan: Revert "arm64: mte: reset the page tag in page->flags"
> >
> >  arch/arm64/kernel/hibernate.c |  5 -----
> >  arch/arm64/kernel/mte.c       |  9 ---------
> >  arch/arm64/mm/copypage.c      |  9 ---------
> >  arch/arm64/mm/fault.c         |  1 -
> >  arch/arm64/mm/mteswap.c       |  9 ---------
> >  include/linux/gfp.h           |  2 +-
> >  mm/kasan/common.c             |  3 ++-
> >  mm/page_alloc.c               | 19 ++++++++++---------
> >  8 files changed, 13 insertions(+), 44 deletions(-)
> >
>
> Hi kasan maintainers,
>
> We hit the following issue on the android-6.1 devices with MTE and HW
> tag kasan enabled.
>
> I observe that the anon flag doesn't have skip_kasan_poison and
> skip_kasan_unpoison flag and kasantag is weird.
>
> AFAIK, kasantag of anon flag needs to be 0x0.
>
> [ 71.953938] [T1403598] FramePolicy: [name:report&]==================================================================
> [ 71.955305] [T1403598] FramePolicy: [name:report&]BUG: KASAN: invalid-access in copy_page+0x10/0xd0
> [ 71.956476] [T1403598] FramePolicy: [name:report&]Read at addr f0ffff81332a8000 by task FramePolicy/3598
> [ 71.957673] [T1403598] FramePolicy: [name:report_hw_tags&]Pointer tag: [f0], memory tag: [ff]
> [ 71.958746] [T1403598] FramePolicy: [name:report&]
> [ 71.959354] [T1403598] FramePolicy: CPU: 4 PID: 3598 Comm: FramePolicy Tainted: G S W OE 6.1.0-mainline-android14-0-ga8a53f83b9e4 #1
> [ 71.960978] [T1403598] FramePolicy: Hardware name: MT6985(ENG) (DT)
> [ 71.961767] [T1403598] FramePolicy: Call trace:
> [ 71.962338] [T1403598] FramePolicy:  dump_backtrace+0x108/0x158
> [ 71.963097] [T1403598] FramePolicy:  show_stack+0x20/0x48
> [ 71.963782] [T1403598] FramePolicy:  dump_stack_lvl+0x6c/0x88
> [ 71.964512] [T1403598] FramePolicy:  print_report+0x2cc/0xa64
> [ 71.965263] [T1403598] FramePolicy:  kasan_report+0xb8/0x138
> [ 71.965986] [T1403598] FramePolicy:  __do_kernel_fault+0xd4/0x248
> [ 71.966782] [T1403598] FramePolicy:  do_bad_area+0x38/0xe8
> [ 71.967484] [T1403598] FramePolicy:  do_tag_check_fault+0x24/0x38
> [ 71.968261] [T1403598] FramePolicy:  do_mem_abort+0x48/0xb0
> [ 71.968973] [T1403598] FramePolicy:  el1_abort+0x44/0x68
> [ 71.969646] [T1403598] FramePolicy:  el1h_64_sync_handler+0x68/0xb8
> [ 71.970440] [T1403598] FramePolicy:  el1h_64_sync+0x68/0x6c
> [ 71.971146] [T1403598] FramePolicy:  copy_page+0x10/0xd0
> [ 71.971824] [T1403598] FramePolicy:  copy_user_highpage+0x20/0x40
> [ 71.972603] [T1403598] FramePolicy:  wp_page_copy+0xd0/0x9f8
> [ 71.973344] [T1403598] FramePolicy:  do_wp_page+0x374/0x3b0
> [ 71.974056] [T1403598] FramePolicy:  handle_mm_fault+0x3ec/0x119c
> [ 71.974833] [T1403598] FramePolicy:  do_page_fault+0x344/0x4ac
> [ 71.975583] [T1403598] FramePolicy:  do_mem_abort+0x48/0xb0
> [ 71.976294] [T1403598] FramePolicy:  el0_da+0x4c/0xe0
> [ 71.976934] [T1403598] FramePolicy:  el0t_64_sync_handler+0xd4/0xfc
> [ 71.977725] [T1403598] FramePolicy:  el0t_64_sync+0x1a0/0x1a4
> [ 71.978451] [T1403598] FramePolicy: [name:report&]
> [ 71.979057] [T1403598] FramePolicy: [name:report&]The buggy address belongs to the physical page:
> [ 71.980173] [T1403598] FramePolicy: [name:debug&]page:fffffffe04ccaa00 refcount:14 mapcount:13 mapping:0000000000000000 index:0x7884c74 pfn:0x1732a8
> [ 71.981849] [T1403598] FramePolicy: [name:debug&]memcg:faffff80c0241000
> [ 71.982680] [T1403598] FramePolicy: [name:debug&]anon flags: 0x43c000000048003e(referenced|uptodate|dirty|lru|active|swapbacked|arch_2|zone=1|kasantag=0xf)
> [ 71.984446] [T1403598] FramePolicy: raw: 43c000000048003e fffffffe04b99648 fffffffe04cca308 f2ffff8103390831
> [ 71.985684] [T1403598] FramePolicy: raw: 0000000007884c74 0000000000000000 0000000e0000000c faffff80c0241000
> [ 71.986919] [T1403598] FramePolicy: [name:debug&]page dumped because: kasan: bad access detected
> [ 71.988022] [T1403598] FramePolicy: [name:report&]
> [ 71.988624] [T1403598] FramePolicy: [name:report&]Memory state around the buggy address:
> [ 71.989641] [T1403598] FramePolicy:  ffffff81332a7e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> [ 71.990811] [T1403598] FramePolicy:  ffffff81332a7f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> [ 71.991982] [T1403598] FramePolicy: >ffffff81332a8000: ff ff ff ff f0 f0 fc fc fc fc fc fc fc f0 f0 f3
> [ 71.993149] [T1403598] FramePolicy: [name:report&]                   ^
> [ 71.993972] [T1403598] FramePolicy:  ffffff81332a8100: f3 f3 f3 f3 f3 f3 f0 f0 f8 f8 f8 f8 f8 f8 f8 f0
> [ 71.995141] [T1403598] FramePolicy:  ffffff81332a8200: f0 fb fb fb fb fb fb fb f0 f0 fe fe fe fe fe fe
> [ 71.996332] [T1403598] FramePolicy: [name:report&]==================================================================
>
> Originally, I suspect that some userspace pages have been migrated so
> the page->flags will be lost and page->flags is re-generated by
> alloc_pages().

Hi Kuan-Ying,

There recently was a similar crash due to incorrectly implemented
sampling. Do you have the following patch in your tree?

https://android.googlesource.com/kernel/common/+/9f7f5a25f335e6e1484695da9180281a728db7e2

If not, please sync your 6.1 tree with the Android common kernel.
Hopefully this will fix the issue.

Thanks!
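Worked model of the page->flags tag bookkeeping discussed in this thread. This is an added example, not code from the kernel or from anyone on the list: it decodes the kasantag field of the dumped page->flags, rebuilds the tagged page_to_virt() pointer, applies the kernel-side MTE tag check, and then shows what page_kasan_tag_reset() and the unpoison-then-publish order from patch 1 do to the same page. The field positions (zone at bits 62-63, KASAN tag at bits 54-61), PAGE_OFFSET, PHYS_OFFSET and the helper names kasan_unpoison_page(), flags_after_reset() and unpoisoned_page_faults() are assumptions chosen so the model reproduces the report's numbers, not values read from any kernel config; the XOR-0xff storage of the tag and the compare-and-swap loop in page_kasan_tag_set() follow the upstream helpers.

```c
/* Added model, not kernel code. Field positions are assumptions read off the
 * dump: zone in bits 62-63, 8-bit KASAN tag just below it at bits 54-61.
 * PAGE_OFFSET/PHYS_OFFSET are picked so pfn 0x1732a8 maps to 0xffffff81332a8000. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_TAG_WIDTH    8
#define KASAN_TAG_PGSHIFT  54
#define KASAN_TAG_MASK     ((1ULL << KASAN_TAG_WIDTH) - 1)
#define KASAN_TAG_KERNEL   0xffu                    /* match-all pointer tag */
#define PAGE_SHIFT         12
#define TAGS_PER_PAGE      (1u << (PAGE_SHIFT - 4))  /* one MTE tag per 16-byte granule */
#define PAGE_OFFSET        0xffffff8000000000ULL
#define PHYS_OFFSET        0x40000000ULL
#define DUMP_FLAGS         0x43c000000048003eULL    /* "anon flags:" in the report */
#define DUMP_PFN           0x1732a8ULL              /* "pfn:0x1732a8" */
#define DUMP_MEM_TAG       0xffu                    /* "memory tag: [ff]" */

struct page { _Atomic uint64_t flags; };

/* The tag is stored XORed with 0xff so an all-zero field reads back as the
 * match-all tag: a reset page shows kasantag=0x0, the dumped 0xf gives 0xf0. */
static uint8_t flags_to_kasan_tag(uint64_t flags)
{
	return (uint8_t)(((flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK) ^ 0xff);
}

/* Mirrors page_kasan_tag_set(): the compare-and-swap is a full barrier, so tag
 * stores issued before it are visible to any CPU that observes the new flags. */
static void page_kasan_tag_set(struct page *page, uint8_t tag)
{
	uint64_t old_flags = atomic_load(&page->flags), flags;
	tag ^= 0xff;
	do {
		flags = old_flags & ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT);
		flags |= ((uint64_t)tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT;
	} while (!atomic_compare_exchange_weak(&page->flags, &old_flags, flags));
}

static void page_kasan_tag_reset(struct page *page)
{
	page_kasan_tag_set(page, KASAN_TAG_KERNEL);
}

/* Order fixed by patch 1: colour the memory first, then publish the tag. */
static void kasan_unpoison_page(struct page *page, uint8_t *mem_tags, uint8_t tag)
{
	for (unsigned i = 0; i < TAGS_PER_PAGE; i++)
		mem_tags[i] = tag;
	page_kasan_tag_set(page, tag);
}

/* page_to_virt() on a flags snapshot: linear address with the tag in the top byte. */
static uint64_t page_to_virt(uint64_t flags, uint64_t pfn)
{
	uint64_t va = PAGE_OFFSET + ((pfn << PAGE_SHIFT) - PHYS_OFFSET);
	return (va & 0x00ffffffffffffffULL) | ((uint64_t)flags_to_kasan_tag(flags) << 56);
}

/* Kernel-side MTE check with TCMA1: 0xff matches anything, else tags must be equal. */
static bool mte_access_faults(uint64_t tagged_ptr, uint8_t mem_tag)
{
	uint8_t ptr_tag = (uint8_t)(tagged_ptr >> 56);
	return ptr_tag != KASAN_TAG_KERNEL && ptr_tag != mem_tag;
}

/* The dumped page after page_kasan_tag_reset(): the kasantag field becomes 0x0. */
static uint64_t flags_after_reset(void)
{
	struct page page;
	atomic_store(&page.flags, DUMP_FLAGS);
	page_kasan_tag_reset(&page);
	return atomic_load(&page.flags);
}

/* A page unpoisoned with `tag`: copy_page() through page_to_virt() must not fault. */
static bool unpoisoned_page_faults(uint8_t tag)
{
	static uint8_t mem_tags[TAGS_PER_PAGE];
	struct page page;
	atomic_store(&page.flags, DUMP_FLAGS);
	kasan_unpoison_page(&page, mem_tags, tag);
	return mte_access_faults(page_to_virt(atomic_load(&page.flags), DUMP_PFN), mem_tags[0]);
}

int main(void)
{
	uint64_t ptr = page_to_virt(DUMP_FLAGS, DUMP_PFN);
	printf("dump: pointer 0x%016llx (tag 0x%02x) vs memory tag 0x%02x -> fault=%d\n",
	       (unsigned long long)ptr, flags_to_kasan_tag(DUMP_FLAGS), DUMP_MEM_TAG,
	       mte_access_faults(ptr, DUMP_MEM_TAG));
	printf("after reset: flags 0x%016llx -> fault=%d\n", (unsigned long long)flags_after_reset(),
	       mte_access_faults(page_to_virt(flags_after_reset(), DUMP_PFN), DUMP_MEM_TAG));
	printf("unpoisoned with tag 0xf3 -> fault=%d\n", unpoisoned_page_faults(0xf3));
	return 0;
}
```

Build with `cc -std=c11 model.c && ./a.out`. The first line reproduces the exact faulting address from the report (0xf0ffff81332a8000) with the tag check failing; the reset line shows the kasantag field at 0x0 and the access passing, which is the state Kuan-Ying expects for an anon page; the last line shows a page whose memory was coloured before the tag was published, so the pointer page_to_virt() rebuilds matches the memory.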