From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.2 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3906CC433B4 for ; Sat, 3 Apr 2021 20:40:38 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 9037561353 for ; Sat, 3 Apr 2021 20:40:37 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9037561353 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id AC40F6B0071; Sat, 3 Apr 2021 16:40:36 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id A73D36B0075; Sat, 3 Apr 2021 16:40:36 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9147E6B0078; Sat, 3 Apr 2021 16:40:36 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0100.hostedemail.com [216.40.44.100]) by kanga.kvack.org (Postfix) with ESMTP id 7092C6B0071 for ; Sat, 3 Apr 2021 16:40:36 -0400 (EDT) Received: from smtpin08.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 1D7FB180588C7 for ; Sat, 3 Apr 2021 20:40:36 +0000 (UTC) X-FDA: 77992224072.08.1D8FF14 Received: from mail-io1-f46.google.com (mail-io1-f46.google.com [209.85.166.46]) by imf05.hostedemail.com (Postfix) with ESMTP id 46D5AE000102 for ; Sat, 3 Apr 2021 20:40:35 +0000 (UTC) Received: by mail-io1-f46.google.com with SMTP id n198so6268344iod.0 for ; Sat, 03 Apr 2021 13:40:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2HC30Rj8ifwDBRABz3lITE7mW/dkra4pLBJwwtutOkI=; b=tcVmHAa7SH1b1VBI6CzuInfKn47/sPo9VqybZJp/Ma45DcYm8Xz84l3Nk3DxC9PpfL GpH1OzTLg57H6Znm80P9ChSX/4O7Pt5urIJuvdsEPROtv/+izG4/7ZdRzuuPemVGSlDo KsHPD6mWLXVqmLmpUD3Nyx6a5Y0pF4fDgV6h0F6WCkY4q+BpXzl2Y6pcokUEefZr66On gmdxLtY14r9A/AfVh7gMeN7+eO3MicKyzZSr2G6Q8ogmAmUJwKmo+Tul+Wb2Ydk1YKgc 5YqSAjzYyuYWq/029VbDJtTt0dvV0r7zRaZJuXKfvJaRkS8JxyEEwT7oJ/JBv3WbYfPM t+/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2HC30Rj8ifwDBRABz3lITE7mW/dkra4pLBJwwtutOkI=; b=D0IVWKKm9U9qJB/h2eZ751tnSTeyq/ofOufYfZuncUJd7+o/QUvhSd48HHl/YHZwZk mFYAoNe/JYK+SK8xzkwx4fZpKLN8NJnRqDxpWzURjUw8Ud78ZooUv7PzmcFrieTRpjAu euIsyCx4ELVGVm9NCsqmPDA5PJeyBYoMJuCJNxFLvepi1FGLwq4UnNm7e9F0Plzpbwy7 fvBjLeL3OPw9IGQPdJARtHBxtRjaY+tbvOSW+FVfw3q10y6BKe7gVK33rfWgc3g6U7Qj hrOIWtFOOx6IOW1O4Z49/xRki9pi8LiQNyOj/tLoc0V6Py4qmcXP4FtmcTCEihr8L0v2 bLFg== X-Gm-Message-State: AOAM532X0PFNZKqQPPfB1hxt1m/DhSg7Xi4DYqyzyowquQwsGpdn/3z3 2rVaY/qdrdBgR1Nyjf996DULIUzmKceC5phlM/pEFA== X-Google-Smtp-Source: ABdhPJwUtiG/axUocvdwW1yHt6nZ3+SDSbLk1W8dg0rN9ZW2ii/D5EVIUPtI4SYoJseLa9PFMO8r1MiaRy2oqw6Zhzo= X-Received: by 2002:a05:6602:1353:: with SMTP id i19mr15343857iov.202.1617482434702; Sat, 03 Apr 2021 13:40:34 -0700 (PDT) MIME-Version: 1.0 References: <20210403051325.683071-1-pcc@google.com> In-Reply-To: From: Peter Collingbourne Date: Sat, 3 Apr 2021 13:40:23 -0700 Message-ID: Subject: Re: [PATCH] kfence: unpoison pool region before use To: Marco Elver Cc: Dmitry Vyukov , Alexander Potapenko , Evgenii Stepanov , Andrey Konovalov , Linux Memory Management List , LKML , Andrew Morton Content-Type: text/plain; charset="UTF-8" X-Stat-Signature: 7sonn7swnd6dq74w191a8j3n6z84oout X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 46D5AE000102 Received-SPF: none (google.com>: No applicable sender policy available) receiver=imf05; identity=mailfrom; envelope-from=""; helo=mail-io1-f46.google.com; client-ip=209.85.166.46 X-HE-DKIM-Result: pass/pass X-HE-Tag: 1617482435-683858 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Sat, Apr 3, 2021 at 3:03 AM Marco Elver wrote: > > On Sat, 3 Apr 2021 at 07:13, Peter Collingbourne wrote: > > If the memory region allocated by KFENCE had previously been poisoned, > > any validity checks done using kasan_byte_accessible() will fail. Fix > > it by unpoisoning the memory before using it as the pool region. > > > > Link: https://linux-review.googlesource.com/id/I0af99e9f1c25eaf7e1ec295836b5d148d76940c5 > > Signed-off-by: Peter Collingbourne > > Thanks, at a high level this seems reasonable, because we always want > to ensure that KFENCE memory remains unpoisoned with KASAN on. FWIW I > subjected a config with KFENCE+KASAN (generic, SW_TAGS, and HW_TAGS) > to syzkaller testing and ran kfence_test: > > Tested-by: Marco Elver > > > However, it is unclear to me under which circumstances we actually > need this, i.e. something would grab some memblock memory, somehow > poison it, and then release the memory back during early boot (note, > kfence_alloc_pool() is called before slab setup). If we can somehow > understand what actually did this, perhaps it'd help tell us if this > actually needs fixing in KFENCE or it's the other thing that needs a > fix. > > Given all this is happening during really early boot, I'd expect no or > very few calls to kasan_poison() until kfence_alloc_pool() is called. > We can probably debug it more by having kasan_poison() do a "if > (!__kfence_pool) dump_stack();" somewhere. Can you try this on the > system where you can repro the problem? I tried this just now on the > latest mainline kernel, and saw 0 calls until kfence_alloc_pool(). I looked into the issue some more, and it turned out that the memory wasn't getting poisoned by kasan_poison() but rather by the calls to kasan_map_populate() in kasan_init_shadow(). Starting with the patch "kasan: initialize shadow to TAG_INVALID for SW_TAGS", KASAN_SHADOW_INIT is set to 0xFE rather than 0xFF, which caused the failure. The Android kernel branch for 5.10 (and the downstream kernel I was working with) already have this patch, but it isn't in the mainline kernel yet. Now that I understand the cause of the issue, I can reproduce it using the KFENCE unit tests on a db845c board, using both the Android 5.10 and mainline branches if I cherry-pick that change. Here's an example crash from the unit tests (the failure was originally also observed from ksize in the downstream kernel): [ 46.692195][ T175] BUG: KASAN: invalid-access in test_krealloc+0x1c4/0xf98 [ 46.699282][ T175] Read of size 1 at addr ffffff80e9e7b000 by task kunit_try_catch/175 [ 46.707400][ T175] Pointer tag: [ff], memory tag: [fe] [ 46.712710][ T175] [ 46.714955][ T175] CPU: 4 PID: 175 Comm: kunit_try_catch Tainted: G B 5.12.0-rc5-mainline-09505-ga2ab5b26d445-dirty #1 [ 46.727193][ T175] Hardware name: Thundercomm Dragonboard 845c (DT) [ 46.733636][ T175] Call trace: [ 46.736841][ T175] dump_backtrace+0x0/0x2f8 [ 46.741295][ T175] show_stack+0x2c/0x3c [ 46.745388][ T175] dump_stack+0x124/0x1bc [ 46.749668][ T175] print_address_description+0x7c/0x308 [ 46.755178][ T175] __kasan_report+0x1a8/0x398 [ 46.759816][ T175] kasan_report+0x50/0x7c [ 46.764103][ T175] __kasan_check_byte+0x3c/0x54 [ 46.768916][ T175] ksize+0x4c/0x94 [ 46.772573][ T175] test_krealloc+0x1c4/0xf98 [ 46.777108][ T175] kunit_try_run_case+0x94/0x1c4 [ 46.781990][ T175] kunit_generic_run_threadfn_adapter+0x30/0x44 [ 46.788196][ T175] kthread+0x20c/0x234 [ 46.792213][ T175] ret_from_fork+0x10/0x30 Since "kasan: initialize shadow to TAG_INVALID for SW_TAGS" hasn't landed in mainline yet, it seems like we should insert this patch before that one rather than adding a Fixes: tag. Peter