From: Marco Elver
Date: Wed, 28 Jul 2021 14:43:39 +0200
Subject: Re: [PATCH 1/2] kasan, mm: reset tag when access metadata
To: Kuan-Ying Lee
Cc: Catalin Marinas, Nicholas Tang, Andrew Yang, Andrey Konovalov, Andrey Ryabinin, Alexander Potapenko, Chinwen Chang, Andrew Morton, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org
In-Reply-To: <29f4844b1af163b0ec463fccbc9b902b3150f5c1.camel@mediatek.com>
References: <20210727040021.21371-1-Kuan-Ying.Lee@mediatek.com> <20210727040021.21371-2-Kuan-Ying.Lee@mediatek.com> <20210727192217.GV13920@arm.com> <29f4844b1af163b0ec463fccbc9b902b3150f5c1.camel@mediatek.com>

On Wed, 28 Jul 2021 at 13:05, Kuan-Ying Lee wrote:
>
> On Tue, 2021-07-27 at 20:22 +0100, Catalin Marinas wrote:
> > On Tue, Jul 27, 2021 at 04:32:02PM +0800, Kuan-Ying Lee wrote:
> > > On Tue, 2021-07-27 at 09:10 +0200, Marco Elver wrote:
> > > > +Cc Catalin
> > > >
> > > > On Tue, 27 Jul 2021 at 06:00, Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com> wrote:
> > > > >
> > > > > Hardware tag-based KASAN doesn't use compiler instrumentation, so we
> > > > > cannot use kasan_disable_current() to ignore the tag check.
> > > > >
> > > > > Thus, we need to reset tags when accessing metadata.
> > > > >
> > > > > Signed-off-by: Kuan-Ying Lee
> > > >
> > > > This looks reasonable, but the patch title is not saying this is
> > > > kmemleak, nor does the description say what the problem is. What
> > > > problem did you encounter? Was it a false positive?
> > >
> > > kmemleak scans kernel memory to check for memory leaks.
> > > When it scans an invalid slab and dereferences it, the issue
> > > below will occur.
> > >
> > > So I think we should reset the tag before scanning.
> > >
> > > # echo scan > /sys/kernel/debug/kmemleak
> > > [ 151.905804] ==================================================================
> > > [ 151.907120] BUG: KASAN: out-of-bounds in scan_block+0x58/0x170
> > > [ 151.908773] Read at addr f7ff0000c0074eb0 by task kmemleak/138
> > > [ 151.909656] Pointer tag: [f7], memory tag: [fe]
> >
> > It would be interesting to find out why the tag doesn't match. Kmemleak
> > should in principle only scan valid objects that have been allocated and
> > the pointer can be safely dereferenced. 0xfe is KASAN_TAG_INVALID, so it
> > either goes past the size of the object (into the red zone) or it still
> > accesses the object after it was marked as freed but before being
> > released from kmemleak.
> >
> > With slab, looking at __cache_free(), it calls kasan_slab_free() before
> > ___cache_free() -> kmemleak_free_recursive(), so the second scenario is
> > possible. With slub, however, slab_free_hook() first releases the object
> > from kmemleak before poisoning it. Based on the stack dump, you are
> > using slub, so it may be that kmemleak goes into the object red zones.
> >
> > I'd like this clarified before blindly resetting the tag.
>
> This kasan issue only happens in hardware tag-based kasan mode,
> because kasan_disable_current() works for generic and sw tag-based
> kasan.
>
> HW tag-based kasan depends on slub, so slab will not hit this issue.
> I think we can just check whether HW tag-based kasan is enabled
> and decide whether to reset the tag, as below.
>
> 	if (kasan_has_integrated_init())	/* slub case, hw-tag kasan */
> 		pointer = *(unsigned long *)kasan_reset_tag((void *)ptr);
> 	else
> 		pointer = *ptr;			/* slab */

This is redundant. kasan_reset_tag() is a noop if
!IS_ENABLED(CONFIG_KASAN_HW_TAGS).
> Is this better, or are there any other suggestions?
> Any suggestion is appreciated.

The current version is fine. But I think Catalin's point about why
kmemleak accesses the data in the first place still deserves some
investigation. Could it be a race between free and kmemleak scan?
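The thread turns on three things: why a tag check fires when kmemleak's scan_block() reads an object, what kasan_reset_tag() changes, and why resetting the tag on its own does not settle Catalin's question. The following is an added example, not code from the thread or from the kernel: a constructed userspace model of MTE-style tagging (tag in the top byte of a 64-bit address, one memory tag per 16-byte granule, 0xff as the match-all KASAN_TAG_KERNEL and 0xfe as KASAN_TAG_INVALID, as the kernel defines them). SLAB_BASE, the 0xf7 allocation tag and the heap contents are made-up sample values, and the allocator, poisoning and scan loop are simplified stand-ins for the kernel's, assumed only to keep the tag semantics. It reproduces the report's "pointer tag f7, memory tag fe" for both of Catalin's hypotheses (an object poisoned by free while kmemleak still holds it, and a scan that overruns into the redzone), and shows that routing the same stale scan through reset_tag() silences the report while the read of freed memory still happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model of MTE-style tagging as HW tag-based KASAN uses it
 * (not kernel code). The tag sits in the top byte of a 64-bit address; memory
 * carries one tag per 16-byte granule. KASAN_TAG_KERNEL (0xff) matches any memory
 * tag, KASAN_TAG_INVALID (0xfe) marks freed memory and redzones, as in the kernel.
 * SLAB_BASE and the 0xf7 allocation tag below are made-up sample values. */
#define KASAN_TAG_KERNEL  0xffu
#define KASAN_TAG_INVALID 0xfeu
#define GRANULE           16u
#define HEAP_BYTES        256u
#define SLAB_BASE         0x0000ffffc0074000ULL

struct tag_fault { uint64_t addr; uint8_t ptr_tag, mem_tag; }; /* what a report prints */
static uint8_t heap[HEAP_BYTES];              /* simulated slab memory */
static uint8_t mem_tag[HEAP_BYTES / GRANULE]; /* simulated tag storage */
static size_t heap_used;
struct tag_fault last_fault;

static uint8_t  ptr_tag(uint64_t p) { return (uint8_t)(p >> 56); }
static uint64_t set_tag(uint64_t p, uint8_t t) { return (p & 0x00ffffffffffffffULL) | ((uint64_t)t << 56); }
static uint64_t untag(uint64_t p) { return set_tag(p, 0); }
/* Models kasan_reset_tag(): the match-all tag makes the hardware check pass. */
static uint64_t reset_tag(uint64_t p) { return set_tag(p, KASAN_TAG_KERNEL); }

static void heap_reset(void)
{
    memset(heap, 0, sizeof heap);
    memset(mem_tag, KASAN_TAG_INVALID, sizeof mem_tag); /* all redzone until allocated */
    heap_used = 0;
}

/* Bump allocator; tags whole granules like the unpoison done on allocation. */
static uint64_t tag_alloc(size_t size, uint8_t tag)
{
    size_t rounded = (size + GRANULE - 1) / GRANULE * GRANULE, off = heap_used;
    if (off + rounded > HEAP_BYTES) return 0;
    heap_used += rounded;
    for (size_t g = off / GRANULE; g < (off + rounded) / GRANULE; g++) mem_tag[g] = tag;
    return set_tag(SLAB_BASE + off, tag);
}

/* Models the poisoning done by kasan_slab_free(): the object's granules become invalid. */
static void tag_free(uint64_t p, size_t size)
{
    uint64_t off = untag(p) - SLAB_BASE;
    for (uint64_t g = off / GRANULE; g < (off + size + GRANULE - 1) / GRANULE; g++)
        mem_tag[g] = KASAN_TAG_INVALID;
}

/* One 8-byte load with the tag check: 0 on match, -1 (and last_fault) on mismatch, -2 outside model. */
static int tagged_load(uint64_t p, uint64_t *out)
{
    uint64_t off = untag(p) - SLAB_BASE;
    if (untag(p) < SLAB_BASE || off + sizeof *out > HEAP_BYTES) return -2;
    uint8_t t = ptr_tag(p), m = mem_tag[off / GRANULE];
    if (t != KASAN_TAG_KERNEL && t != m) {
        last_fault = (struct tag_fault){ p, t, m };
        return -1;
    }
    memcpy(out, &heap[off], sizeof *out);
    return 0;
}

/* Models kmemleak's scan_block(): reads each pointer-sized word in [start, start+len)
 * and returns the number of tag faults; with reset set, each access goes via reset_tag(). */
int scan_block(uint64_t start, size_t len, int reset)
{
    int faults = 0;
    for (size_t i = 0; i + sizeof(uint64_t) <= len; i += sizeof(uint64_t)) {
        uint64_t p = start + i, v;
        if (reset) p = reset_tag(p);
        if (tagged_load(p, &v) != 0) faults++;
    }
    return faults;
}

/* Live object: pointer and memory tags agree, the scan is clean (0 faults). */
int scenario_live_object(void) { heap_reset(); return scan_block(tag_alloc(64, 0xf7), 64, 0); }
/* A 64-byte object that free has already poisoned while kmemleak still tracks it. */
static uint64_t freed_object(void) { heap_reset(); uint64_t o = tag_alloc(64, 0xf7); tag_free(o, 64); return o; }

/* Scanning it trips the check on every word: ptr tag f7 against memory tag fe,
 * the pair the report in the thread shows (8 faults). */
int scenario_freed_object(void) { return scan_block(freed_object(), 64, 0); }

/* The same stale scan through reset_tag(): no report, but freed memory is still
 * read, which is why the free/scan ordering question still needs an answer. */
int scenario_freed_object_reset(void) { return scan_block(freed_object(), 64, 1); }

/* Scan length beyond a 40-byte object: the last two words land in the redzone (2 faults). */
int scenario_redzone(void) { heap_reset(); return scan_block(tag_alloc(40, 0xf7), 64, 0); }

int main(void)
{
    int n = scenario_freed_object();
    printf("freed object: %d faults, addr %016llx, ptr tag %02x, memory tag %02x\n", n,
           (unsigned long long)last_fault.addr, last_fault.ptr_tag, last_fault.mem_tag);
    printf("same scan via reset_tag(): %d faults\n", scenario_freed_object_reset());
    printf("overrun into redzone: %d faults\n", scenario_redzone());
    return 0;
}
```

Both faulting scenarios yield the identical report pair (f7 vs fe), which is the point Catalin makes: the tag values alone do not say whether the object was already freed or the scan ran past it, so the check that fires is a symptom, and kasan_reset_tag() only stops the symptom from being reported.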