From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=dTKa=JC=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-13.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=no
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 13076C433B4
	for <linux-mm@archiver.kernel.org>; Mon,  5 Apr 2021 19:04:42 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 9BF796138D
	for <linux-mm@archiver.kernel.org>; Mon,  5 Apr 2021 19:04:41 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9BF796138D
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 233BC6B006E; Mon,  5 Apr 2021 15:04:41 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 1B9056B0073; Mon,  5 Apr 2021 15:04:41 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 00AAC6B0075; Mon,  5 Apr 2021 15:04:40 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0027.hostedemail.com [216.40.44.27])
	by kanga.kvack.org (Postfix) with ESMTP id D53D26B006E
	for <linux-mm@kvack.org>; Mon,  5 Apr 2021 15:04:40 -0400 (EDT)
Received: from smtpin08.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 8E33A8249980
	for <linux-mm@kvack.org>; Mon,  5 Apr 2021 19:04:40 +0000 (UTC)
X-FDA: 77999239920.08.199620A
Received: from mail-io1-f54.google.com (mail-io1-f54.google.com [209.85.166.54])
	by imf29.hostedemail.com (Postfix) with ESMTP id C39CF3C5
	for <linux-mm@kvack.org>; Mon,  5 Apr 2021 19:04:38 +0000 (UTC)
Received: by mail-io1-f54.google.com with SMTP id z136so4281435iof.10
        for <linux-mm@kvack.org>; Mon, 05 Apr 2021 12:04:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=wtQ/iLv+P2BCeEfpOcDLO0PQnggEhhArpE78rF7iphg=;
        b=NAb0SiRSe1AlRkL2bmmINYRdC8ThFQ3ukE/dpa44nJ5GYFyIiWmOAYpLY5tKXKRg7D
         O1/FBpa4NJOvwWDjbxDdF1VmizuoDKRi5IeWN7AqZvTaeGtuBrpEgYdMmIr1LLOz7t75
         cJjmVxhmoG9/QiH//3RAwu3HDEstFnkbi88RFe+0BSaBAQi179+7A+t576d9KyGfp+CK
         Xta3GrwX71FttaU0RsS9FKaiPTjBYXaGrveYsg5Dl/q11OdaCuvxaOuFtWy25YxbYBPM
         nkelWJ8e5WU8x0sv76Yt0Ln0K1Zh23cwGEW77B0RhfeySn6cmfLznQlAiHu+ZCP2BWWC
         mtUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=wtQ/iLv+P2BCeEfpOcDLO0PQnggEhhArpE78rF7iphg=;
        b=Jbf9xCg6wcWTcbkA464X457SCZQbvprPBweppqhD32BXCp2hHYQWZqMtonk3ktbVLQ
         cfv4eLPoXgzz4QwaEflhltlra0xbKVps2FHrhuknIfcq/cUcVKLgeA3RuLS/Mcgy1wuA
         Jp6673kYmolfQy930O+V6+ZHxE4EcDkVzQM22W+UTzKSoM7bsQ6HXBi43X1oVrRCyWVB
         5SwVHQ/usPPYAtLNIycaPWpiT5awsuxlByg5KB/O7iYd//LAgX83AHgoaKwWV0+Z037f
         hOvd+D1f2rByvFgUqASqgqhJdhDxufULE/d7LmOc4nYB8a9vCAqgbtQ7DKXsNqDrYJ7V
         EJNA==
X-Gm-Message-State: AOAM533lnLDPusUdKRrlxK0KbhhW0UIImvjXy+awl09O6a86Zdv5xfif
	DuqXdvXbwBYlp5igCfyLoDZububVr60KF7mghyKMeg==
X-Google-Smtp-Source: ABdhPJzIKqxoQCsNbUfm9Y3yjcNlIcYGi/rTWHMvpFVcm309RO2qkfaj7h6fjFZu33MLbjK/27mP8SfZVfFNrFUB7EQ=
X-Received: by 2002:a02:b39a:: with SMTP id p26mr25364409jan.20.1617649479285;
 Mon, 05 Apr 2021 12:04:39 -0700 (PDT)
MIME-Version: 1.0
References: <20210403051325.683071-1-pcc@google.com> <CANpmjNOzaOJY5K+Sq78AF5N1_6=1kv3rXZ6w+XPuEf9G+cd8iA@mail.gmail.com>
 <CAMn1gO5mQ2WPs9B9jN91T90Qxf3k6eK-GeBUhs=YqmkZu4NKFg@mail.gmail.com>
 <CANpmjNM__Dk_MVd-9fPT=TbPw=a1giicUcFS+RwCfQ7yue8Xdw@mail.gmail.com> <CA+fCnZd4BaejuyyWuT4xeiEyY1J0-6RWiyP3_u+w-xdOrALd9w@mail.gmail.com>
In-Reply-To: <CA+fCnZd4BaejuyyWuT4xeiEyY1J0-6RWiyP3_u+w-xdOrALd9w@mail.gmail.com>
From: Peter Collingbourne <pcc@google.com>
Date: Mon, 5 Apr 2021 12:04:28 -0700
Message-ID: <CAMn1gO6bmtA6mtTg5OzDPV1Ta=rRhKknJO324_eS3CWtuThaHQ@mail.gmail.com>
Subject: Re: [PATCH] kfence: unpoison pool region before use
To: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Marco Elver <elver@google.com>, Dmitry Vyukov <dvyukov@google.com>, 
	Alexander Potapenko <glider@google.com>, Evgenii Stepanov <eugenis@google.com>, 
	Linux Memory Management List <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, 
	Andrew Morton <akpm@linux-foundation.org>
Content-Type: text/plain; charset="UTF-8"
X-Stat-Signature: w97tmqifpn4uoqkne3cxnwzobnjftu6j
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: C39CF3C5
Received-SPF: none (google.com>: No applicable sender policy available) receiver=imf29; identity=mailfrom; envelope-from="<pcc@google.com>"; helo=mail-io1-f54.google.com; client-ip=209.85.166.54
X-HE-DKIM-Result: pass/pass
X-HE-Tag: 1617649478-339026
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Sat, Apr 3, 2021 at 4:52 PM Andrey Konovalov <andreyknvl@gmail.com> wrote:
>
> On Sun, Apr 4, 2021 at 12:31 AM Marco Elver <elver@google.com> wrote:
> >
> > However, given the above, I think we need to explain this in the
> > commit message (which also makes the dependency between these 2
> > patches clear) and add a comment above the new kasan_unpoison_range().
> > That is, if we still think this is the right fix -- I'm not entirely
> > sure it is.
> >
> > Because what I gather from "kasan: initialize shadow to TAG_INVALID
> > for SW_TAGS", is the requirement that "0xFF pointer tag is a match-all
> > tag, it doesn't matter what tag the accessed memory has".
> >
> > While KFENCE memory is accessible through the slab API, and in this
> > case ksize() calling kasan_check_byte() leading to a failure, the
> > kasan_check_byte() call is part of the public KASAN API. Which means
> > that if some subsystem decides to memblock_alloc() some memory, and
> > wishes to use kasan_check_byte() on that memory but with an untagged
> > pointer, will get the same problem as KFENCE: with generic and HW_TAGS
> > mode everything is fine, but with SW_TAGS mode things break.
>
> It makes sense to allow this function to operate on any kind of
> memory, including memory that hasn't been previously marked by KASAN.
>
> > To me this indicates the fix is not with KFENCE, but should be in
> > mm/kasan/sw_tags.c:kasan_byte_accessible(), which should not load the
> > shadow when the pointer is untagged.
>
> The problem isn't in accessing shadow per se. Looking at
> kasan_byte_accessible() (in both sw_tags.c and kasan.h), the return
> statement there seems just wrong and redundant. The KASAN_TAG_KERNEL
> check should come first:
>
> return tag == KASAN_TAG_KERNEL || (shadow_byte != KASAN_TAG_INVALID &&
> tag == shadow_byte);
>
> This way, if the pointer tag is KASAN_TAG_KERNEL, the memory is
> accessible no matter what the memory tag is.
>
> But then the KASAN_TAG_INVALID check isn't needed, as this value is
> never assigned to a pointer tag. Which brings us to:
>
> return tag == KASAN_TAG_KERNEL || tag == shadow_byte;
>
> Which is essentially the same check that kasan_check_range() performs.
>
> Although, kasan_check_range() also checks that the shadow is <
> KASAN_SHADOW_START. It makes makes sense to add this check into
> kasan_byte_accessible() as well, before accessing shadow.
>
> Thanks!

Okay, if the intent is that kasan_byte_accessible() should work on any
memory, not just slab memory, then I agree that it should do the same
thing as kasan_check_range().

Peter