From: Marco Elver
Date: Thu, 30 Mar 2023 09:06:05 +0200
Subject: Re: [PATCH v2 5/5] kasan: suppress recursive reports for HW_TAGS
To: andrey.konovalov@linux.dev
Cc: Catalin Marinas, Andrey Konovalov, Alexander Potapenko, Dmitry Vyukov, Andrey Ryabinin, kasan-dev@googlegroups.com, Vincenzo Frascino, Will Deacon, linux-arm-kernel@lists.infradead.org, Peter Collingbourne, Evgenii Stepanov, Andrew Morton, linux-mm@kvack.org, Weizhao Ouyang, linux-kernel@vger.kernel.org, Andrey Konovalov

On Wed, 29 Mar 2023 at 20:38, wrote:
> From: Andrey Konovalov
>
> KASAN suppresses reports for bad accesses done by the KASAN reporting
> code. The reporting code might access poisoned memory for reporting
> purposes.
>
> Software KASAN modes do this by suppressing reports during reporting
> via current->kasan_depth, the same way they suppress reports during
> accesses to poisoned slab metadata.
>
> Hardware Tag-Based KASAN does not use current->kasan_depth, and instead
> resets pointer tags for accesses to poisoned memory done by the reporting
> code.
>
> Despite that, a recursive report can still happen:
>
> 1. On hardware with faulty MTE support. This was observed by Weizhao
> Ouyang on faulty hardware that caused memory tags to randomly change
> from time to time.
>
> 2. Theoretically, due to a previous MTE-undetected memory corruption.
>
> A recursive report can happen via:
>
> 1. Accessing a pointer with a non-reset tag in the reporting code, e.g.
> slab->slab_cache, which is what Weizhao Ouyang observed.
>
> 2. Theoretically, via external non-annotated routines, e.g. stackdepot.
>
> To resolve this issue, resetting tags for all of the pointers in the
> reporting code and all the used external routines would be impractical.
>
> Instead, disable tag checking done by the CPU for the duration of KASAN
> reporting for Hardware Tag-Based KASAN.
>
> Without this fix, Hardware Tag-Based KASAN reporting code might deadlock.
>
> Fixes: 2e903b914797 ("kasan, arm64: implement HW_TAGS runtime")
> Reported-by: Weizhao Ouyang
> Signed-off-by: Andrey Konovalov Reviewed-by: Marco Elver > --- > > Considering that 1. the bug this patch fixes was only observed on faulty > MTE hardware, and 2. the patch depends on the other patches in this series, > I don't think it's worth backporting it into stable. Given the Fixes above, it's likely this may or may not still end up in stable. > Changes v1->v2: > - Disable preemption instead of migration. > - Fix comment typo. > --- > mm/kasan/report.c | 59 ++++++++++++++++++++++++++++++++++++++--------- > 1 file changed, 48 insertions(+), 11 deletions(-) > > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > index 89078f912827..892a9dc9d4d3 100644 > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -72,10 +72,18 @@ static int __init kasan_set_multi_shot(char *str) > __setup("kasan_multi_shot", kasan_set_multi_shot); > > /* > - * Used to suppress reports within kasan_disable/enable_current() critical > - * sections, which are used for marking accesses to slab metadata. > + * This function is used to check whether KASAN reports are suppressed for > + * software KASAN modes via kasan_disable/enable_current() critical sections. > + * > + * This is done to avoid: > + * 1. False-positive reports when accessing slab metadata, > + * 2. Deadlocking when poisoned memory is accessed by the reporting code. > + * > + * Hardware Tag-Based KASAN instead relies on: > + * For #1: Resetting tags via kasan_reset_tag(). > + * For #2: Suppression of tag checks via CPU, see report_suppress_start/end(). > */ > -static bool report_suppressed(void) > +static bool report_suppressed_sw(void) > { > #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) > if (current->kasan_depth) 
> @@ -84,6 +92,30 @@ static bool report_suppressed(void) > return false; > } > > +static void report_suppress_start(void) > +{ > +#ifdef CONFIG_KASAN_HW_TAGS > + /* > + * Disable preemption for the duration of printing a KASAN report, as > + * hw_suppress_tag_checks_start() disables checks on the current CPU. > + */ > + preempt_disable(); > + hw_suppress_tag_checks_start(); > +#else > + kasan_disable_current(); > +#endif > +} > + > +static void report_suppress_stop(void) > +{ > +#ifdef CONFIG_KASAN_HW_TAGS > + hw_suppress_tag_checks_stop(); > + preempt_enable(); > +#else > + kasan_enable_current(); > +#endif > +} > + > /* > * Used to avoid reporting more than one KASAN bug unless kasan_multi_shot > * is enabled. Note that KASAN tests effectively enable kasan_multi_shot > @@ -174,7 +206,7 @@ static void start_report(unsigned long *flags, bool sync) > /* Do not allow LOCKDEP mangling KASAN reports. */ > lockdep_off(); > /* Make sure we don't end up in loop. */ > - kasan_disable_current(); > + report_suppress_start(); > spin_lock_irqsave(&report_lock, *flags); > pr_err("==================================================================\n"); > } > @@ -192,7 +224,7 @@ static void end_report(unsigned long *flags, void *addr) > panic("kasan.fault=panic set ...\n"); > add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); > lockdep_on(); > - kasan_enable_current(); > + report_suppress_stop(); > } > > static void print_error_description(struct kasan_report_info *info) 
> @@ -480,9 +512,13 @@ void kasan_report_invalid_free(void *ptr, unsigned long ip, enum kasan_report_ty > struct kasan_report_info info; > > /* > - * Do not check report_suppressed(), as an invalid-free cannot be > - * caused by accessing slab metadata and thus should not be > - * suppressed by kasan_disable/enable_current() critical sections. > + * Do not check report_suppressed_sw(), as an invalid-free cannot be > + * caused by accessing poisoned memory and thus should not be suppressed > + * by kasan_disable/enable_current() critical sections. > + * > + * Note that for Hardware Tag-Based KASAN, kasan_report_invalid_free() > + * is triggered by explicit tag checks and not by the ones performed by > + * the CPU. Thus, reporting invalid-free is not suppressed as well. > */ > if (unlikely(!report_enabled())) > return; > @@ -517,7 +553,7 @@ bool kasan_report(unsigned long addr, size_t size, bool is_write, > unsigned long irq_flags; > struct kasan_report_info info; > > - if (unlikely(report_suppressed()) || unlikely(!report_enabled())) { > + if (unlikely(report_suppressed_sw()) || unlikely(!report_enabled())) { > ret = false; > goto out; > } > @@ -549,8 +585,9 @@ void kasan_report_async(void) > unsigned long flags; > > /* > - * Do not check report_suppressed(), as kasan_disable/enable_current() > - * critical sections do not affect Hardware Tag-Based KASAN. > + * Do not check report_suppressed_sw(), as > + * kasan_disable/enable_current() critical sections do not affect > + * Hardware Tag-Based KASAN. > */ > if (unlikely(!report_enabled())) > return; > -- > 2.25.1 >
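Review bot: In the rewritten comment of the first hunk (`@@ -72,10 +72,18 @@`), "see report_suppress_start/end()" refers to a function that does not exist; the helpers added in the next hunk are report_suppress_start() and report_suppress_stop(). Suggest `+ * For #2: Suppression of tag checks via CPU, see report_suppress_start/stop().` so the cross-reference survives a grep.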
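Review bot: In `@@ -84,6 +92,30 @@`, the comment above preempt_disable() explains why preemption is off but not what that implies for callers: under CONFIG_KASAN_HW_TAGS everything between report_suppress_start() and report_suppress_stop(), i.e. the whole report printing path, now runs with preemption disabled and must not sleep. Worth stating in the comment. It is also worth noting there that while checks are suppressed "on the current CPU", a tag-check fault that an interrupt handler on that CPU would otherwise have raised is not reported at all rather than deferred. Finally, hw_suppress_tag_checks_start()/stop() are not defined in this patch, so the build dependency on the earlier patches in the series (mentioned in the cover note) is a hard one for anyone picking this into stable.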
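Review bot: In `@@ -174,7 +206,7 @@`, the comment "Make sure we don't end up in loop." still reads as if only the software-mode depth counter were involved; now that report_suppress_start() also disables preemption and CPU tag checks for HW_TAGS, suggest something like `/* Make sure we don't end up in a loop: suppress reports (SW modes) or CPU tag checks (HW_TAGS) while reporting. */`. Ordering looks right: preemption is disabled before spin_lock_irqsave(&report_lock, *flags) is taken, so the nesting stays symmetric with end_report().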
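Review bot: In `@@ -192,7 +224,7 @@`, report_suppress_stop() is only reached on the non-panic path; when kasan.fault=panic is set, panic() never returns, so the preempt_disable() taken in start_report() is intentionally never undone. That is fine for a panic, but a one-line comment saying so would stop the next reader from flagging the apparent imbalance.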
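Review bot: In `@@ -480,9 +512,13 @@`, the last sentence of the new comment, "Thus, reporting invalid-free is not suppressed as well.", should read "is not suppressed either". "explicit tag checks" would also be clearer as "explicit tag checks in KASAN code", to contrast with the CPU-performed checks named in the same sentence.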
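To make the failure mode described in the commit message concrete, here is a constructed C model added by this editor; it is not kernel code and not part of the patch. It models a checker whose reporting path reads "metadata" that the checker itself treats as poisoned (the slab->slab_cache situation above) and runs the same bad access three times: with no re-entrancy guard, with a kasan_depth-style counter as the software modes use, and with the HW_TAGS-style approach of switching the checks themselves off while reporting. All names (check_access, report_bad_access, run_scenario, the MODE_* values) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not kernel code) of the recursive-report hazard:
 * a checker whose reporting path reads metadata that the checker itself
 * considers poisoned, as slab->slab_cache reads did in the report above. */

enum guard_mode {
    MODE_NONE,        /* no re-entrancy guard at all */
    MODE_SW_DEPTH,    /* software modes: report suppressed while depth > 0 */
    MODE_HW_SUPPRESS, /* HW_TAGS approach: the check itself is switched off */
};

#define NSLOTS       4
#define MAX_NESTING  8   /* stand-in for the lock/stack exhaustion of a real loop */

static bool poisoned[NSLOTS];
static enum guard_mode mode;
static int  report_depth;        /* models current->kasan_depth */
static bool tag_checks_enabled;  /* models the CPU's tag-check enable state */
static int  reports_emitted;
static int  suppressed_reports;  /* accesses that were checked but not reported */
static bool looped;              /* recursion reached MAX_NESTING */

static void report_bad_access(size_t slot);

/* Every memory access in the model goes through here. Returns true when a
 * report was produced for the access. */
static bool check_access(size_t slot)
{
    /* HW_TAGS-style: with checks disabled the CPU raises no fault at all. */
    if (!tag_checks_enabled)
        return false;
    if (slot >= NSLOTS || !poisoned[slot])
        return false;
    if (report_depth > 0) {
        if (mode == MODE_SW_DEPTH) {
            suppressed_reports++;    /* the access happened; the report did not */
            return false;
        }
        if (report_depth >= MAX_NESTING) {
            looped = true;           /* a real kernel would deadlock on report_lock here */
            return false;
        }
    }
    report_bad_access(slot);
    return true;
}

/* The reporting path: it reads metadata in slot 0, which is poisoned. */
static void report_bad_access(size_t slot)
{
    report_depth++;                          /* models kasan_disable_current() */
    if (mode == MODE_HW_SUPPRESS)
        tag_checks_enabled = false;          /* models hw_suppress_tag_checks_start() */

    reports_emitted++;
    printf("BUG: bad access to slot %zu (depth %d)\n", slot, report_depth);
    (void)check_access(0);                   /* metadata read; must not recurse */

    if (mode == MODE_HW_SUPPRESS)
        tag_checks_enabled = true;           /* models hw_suppress_tag_checks_stop() */
    report_depth--;                          /* models kasan_enable_current() */
}

/* Reset state, poison slot 0 (metadata) and slot 1 (the user buffer), do one
 * bad access to slot 1 and return the number of reports emitted. */
static int run_scenario(enum guard_mode m)
{
    for (size_t i = 0; i < NSLOTS; i++)
        poisoned[i] = false;
    poisoned[0] = poisoned[1] = true;
    mode = m;
    report_depth = 0;
    tag_checks_enabled = true;
    reports_emitted = 0;
    suppressed_reports = 0;
    looped = false;

    (void)check_access(1);
    return reports_emitted;
}

int main(void)
{
    int n = run_scenario(MODE_NONE);
    printf("no guard: %d reports, looped=%d\n", n, looped);
    n = run_scenario(MODE_SW_DEPTH);
    printf("sw depth: %d reports, suppressed=%d\n", n, suppressed_reports);
    n = run_scenario(MODE_HW_SUPPRESS);
    printf("hw suppress: %d reports, suppressed=%d\n", n, suppressed_reports);
    return 0;
}
```

The unguarded run recurses until the artificial MAX_NESTING cap, which is where a real report path would take report_lock a second time and deadlock. The depth-counter run still performs the nested check and only suppresses the report, which is why it only works when every access in the report path goes through a path that consults the counter; the HW-style run never performs the nested check at all, which is the property the patch relies on when it cannot reset the tags of every pointer the reporting code touches.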