From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=r8za=IJ=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-23.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,
	USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7F62AC433DB
	for <linux-mm@archiver.kernel.org>; Thu, 11 Mar 2021 15:18:00 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id E17DC64FA6
	for <linux-mm@archiver.kernel.org>; Thu, 11 Mar 2021 15:17:59 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E17DC64FA6
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 644898D02C5; Thu, 11 Mar 2021 10:17:59 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 608C68D02B2; Thu, 11 Mar 2021 10:17:59 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 4D1058D02C5; Thu, 11 Mar 2021 10:17:59 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0144.hostedemail.com [216.40.44.144])
	by kanga.kvack.org (Postfix) with ESMTP id 30E048D02B2
	for <linux-mm@kvack.org>; Thu, 11 Mar 2021 10:17:59 -0500 (EST)
Received: from smtpin11.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id E463A1E19
	for <linux-mm@kvack.org>; Thu, 11 Mar 2021 15:17:58 +0000 (UTC)
X-FDA: 77907948636.11.8898EA4
Received: from mail-ot1-f45.google.com (mail-ot1-f45.google.com [209.85.210.45])
	by imf10.hostedemail.com (Postfix) with ESMTP id 1A46B40B8CDE
	for <linux-mm@kvack.org>; Thu, 11 Mar 2021 15:17:52 +0000 (UTC)
Received: by mail-ot1-f45.google.com with SMTP id m1so1675120ote.10
        for <linux-mm@kvack.org>; Thu, 11 Mar 2021 07:17:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=F5wgH+AYh/WyBJYoU8SW+a64FMCETkhDvGXcF7UG8O0=;
        b=aSWbR3Pvn7pX6f0WXhotBAv9D8NImhk+RaEESRDwAttp8xGG3gwuYCDghud8rWELsw
         79MvmcR+jdn5nrt8VgqML22BCf7v8lsIAk9mw0KGqViwIaC/GsBw3SNXzgS6Jzcd5pJj
         PL3xcLndwDvqe5k/ABaAWUV8c1zAkZ4N/gpxt9wYGplTZ4Ruls2t2MeSWmfufVKTZEQC
         Kxj2gIJWeHS/YGaWuiktzXee02XKUYgDcEEbiG3rymVUYJpc6fCg3tCSSOuUWOAQmBnY
         9TopooQdPXsXgbkbDlr/jBXhK6GGc/YBN/eKOxEYLHOzrWfkQ6ZYqZSRjCbMEj1bN7Aa
         O4wA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=F5wgH+AYh/WyBJYoU8SW+a64FMCETkhDvGXcF7UG8O0=;
        b=HpJ3Z1/dkO2VPUPEMUhui/Yrww960+TPqDfzEjnmxoqMcysBVgNpk7+E03bL8umqXd
         ssYeVsVfT59SPBxx62WhzV4NK8tJW7GRyinRc8pxsDl/Rqy9opaT3zWloaEaMapCpc1o
         AYRYH2ZiVX+xgN2jESEHezWS0QzrtvPS3RRLWxwpeBD5rSZ//w2AX4fukSDS6n5hPNxR
         fUieqmHdHpHReK4P8jfXCOwSF6tM6Tn8xXSPtw82zxl2TNUir4gBtql1Zx0Jb2gP/o66
         JY/DWAVmp20ejmdvu9DevcAPOFBNZod9gtX4u81icL9dyXrNs9FVvs9ma1t3xv8cA08B
         hmyw==
X-Gm-Message-State: AOAM533MqpZ9zTaqmaRKAmpeogjGoMhs13j1lQ5WXXEG52GcIK8mWpfz
	5kHLOOXFsdh2AgSwDHfAF+YNaGB0XjOZiF0u14a30A==
X-Google-Smtp-Source: ABdhPJw3cPtdxfwVqx28rchxLZPHsrrsv1nJx4iEhEJqGOxeMh88fcv/Af+jTyyEoF4hNTCZ3KkZk1EsrX59z62M+qQ=
X-Received: by 2002:a9d:644a:: with SMTP id m10mr7491620otl.233.1615475875698;
 Thu, 11 Mar 2021 07:17:55 -0800 (PST)
MIME-Version: 1.0
References: <1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com>
In-Reply-To: <1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com>
From: Marco Elver <elver@google.com>
Date: Thu, 11 Mar 2021 16:17:43 +0100
Message-ID: <CANpmjNP4Uz4Kmr+8KE_reyjRLCTj9q0s3ncQ26Xay+1Xwxvgiw@mail.gmail.com>
Subject: Re: [PATCH] kasan: fix per-page tags for non-page_alloc pages
To: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>, Catalin Marinas <catalin.marinas@arm.com>, 
	Will Deacon <will.deacon@arm.com>, Vincenzo Frascino <vincenzo.frascino@arm.com>, 
	Dmitry Vyukov <dvyukov@google.com>, Andrey Ryabinin <aryabinin@virtuozzo.com>, 
	Alexander Potapenko <glider@google.com>, Peter Collingbourne <pcc@google.com>, 
	Evgenii Stepanov <eugenis@google.com>, Branislav Rankov <Branislav.Rankov@arm.com>, 
	Kevin Brodsky <kevin.brodsky@arm.com>, kasan-dev <kasan-dev@googlegroups.com>, 
	Linux ARM <linux-arm-kernel@lists.infradead.org>, 
	Linux Memory Management List <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, 
	stable <stable@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: 1A46B40B8CDE
X-Stat-Signature: mikhz7dxzaanx55zciw43ondct4yc85r
Received-SPF: none (google.com>: No applicable sender policy available) receiver=imf10; identity=mailfrom; envelope-from="<elver@google.com>"; helo=mail-ot1-f45.google.com; client-ip=209.85.210.45
X-HE-DKIM-Result: pass/pass
X-HE-Tag: 1615475872-272920
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Thu, 11 Mar 2021 at 16:11, Andrey Konovalov <andreyknvl@google.com> wrote:
>
> To allow performing tag checks on page_alloc addresses obtained via
> page_address(), tag-based KASAN modes store tags for page_alloc
> allocations in page->flags.
>
> Currently, the default tag value stored in page->flags is 0x00.
> Therefore, page_address() returns a 0x00ffff... address for pages
> that were not allocated via page_alloc.
>
> This might cause problems. A particular case we encountered is a conflict
> with KFENCE. If a KFENCE-allocated slab object is being freed via
> kfree(page_address(page) + offset), the address passed to kfree() will
> get tagged with 0x00 (as slab pages keep the default per-page tags).
> This leads to is_kfence_address() check failing, and a KFENCE object
> ending up in normal slab freelist, which causes memory corruptions.
>
> This patch changes the way KASAN stores tag in page-flags: they are now
> stored xor'ed with 0xff. This way, KASAN doesn't need to initialize
> per-page flags for every created page, which might be slow.
>
> With this change, page_address() returns natively-tagged (with 0xff)
> pointers for pages that didn't have tags set explicitly.
>
> This patch fixes the encountered conflict with KFENCE and prevents more
> similar issues that can occur in the future.
>
> Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc")
> Cc: stable@vger.kernel.org
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>

Reviewed-by: Marco Elver <elver@google.com>

Thank you!

> ---
>  include/linux/mm.h | 18 +++++++++++++++---
>  1 file changed, 15 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 77e64e3eac80..c45c28f094a7 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -1440,16 +1440,28 @@ static inline bool cpupid_match_pid(struct task_struct *task, int cpupid)
>
>  #if defined(CONFIG_KASAN_SW_TAGS) || defined(CONFIG_KASAN_HW_TAGS)
>
> +/*
> + * KASAN per-page tags are stored xor'ed with 0xff. This allows to avoid
> + * setting tags for all pages to native kernel tag value 0xff, as the default
> + * value 0x00 maps to 0xff.
> + */
> +
>  static inline u8 page_kasan_tag(const struct page *page)
>  {
> -       if (kasan_enabled())
> -               return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
> -       return 0xff;
> +       u8 tag = 0xff;
> +
> +       if (kasan_enabled()) {
> +               tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
> +               tag ^= 0xff;
> +       }
> +
> +       return tag;
>  }
>
>  static inline void page_kasan_tag_set(struct page *page, u8 tag)
>  {
>         if (kasan_enabled()) {
> +               tag ^= 0xff;
>                 page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT);
>                 page->flags |= (tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT;
>         }
> --
> 2.31.0.rc2.261.g7f71774620-goog
>