From: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
To: nathan@kernel.org, arnd@arndb.de, broonie@kernel.org,
Liam.Howlett@oracle.com, urezki@gmail.com, will@kernel.org,
kaleshsingh@google.com, rppt@kernel.org, leitao@debian.org,
coxu@redhat.com, surenb@google.com, akpm@linux-foundation.org,
luto@kernel.org, jpoimboe@kernel.org, changyuanl@google.com,
hpa@zytor.com, dvyukov@google.com, kas@kernel.org,
corbet@lwn.net, vincenzo.frascino@arm.com, smostafa@google.com,
nick.desaulniers+lkml@gmail.com, morbo@google.com,
andreyknvl@gmail.com, alexander.shishkin@linux.intel.com,
thiago.bauermann@linaro.org, catalin.marinas@arm.com,
ryabinin.a.a@gmail.com, jan.kiszka@siemens.com, jbohac@suse.cz,
dan.j.williams@intel.com, joel.granados@kernel.org,
baohua@kernel.org, kevin.brodsky@arm.com,
nicolas.schier@linux.dev, pcc@google.com,
andriy.shevchenko@linux.intel.com, wei.liu@kernel.org,
bp@alien8.de, ada.coupriediaz@arm.com, xin@zytor.com,
pankaj.gupta@amd.com, vbabka@suse.cz, glider@google.com,
jgross@suse.com, kees@kernel.org, jhubbard@nvidia.com,
joey.gouly@arm.com, ardb@kernel.org, thuth@redhat.com,
pasha.tatashin@soleen.com, kristina.martsenko@arm.com,
bigeasy@linutronix.de, maciej.wieczor-retman@intel.com,
lorenzo.stoakes@oracle.com, jason.andryuk@amd.com,
david@redhat.com, graf@amazon.com, wangkefeng.wang@huawei.com,
ziy@nvidia.com, mark.rutland@arm.com,
dave.hansen@linux.intel.com, samuel.holland@sifive.com,
kbingham@kernel.org, trintaeoitogc@gmail.com,
scott@os.amperecomputing.com, justinstitt@google.com,
kuan-ying.lee@canonical.com, maz@kernel.org, tglx@linutronix.de,
samitolvanen@google.com, mhocko@suse.com,
nunodasneves@linux.microsoft.com, brgerst@gmail.com,
willy@infradead.org, ubizjak@gmail.com, peterz@infradead.org,
mingo@redhat.com, sohil.mehta@intel.com
Cc: linux-mm@kvack.org, linux-kbuild@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, x86@kernel.org,
llvm@lists.linux.dev, kasan-dev@googlegroups.com,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v4 07/18] mm: x86: Untag addresses in EXECMEM_ROX related pointer arithmetic
Date: Tue, 12 Aug 2025 15:23:43 +0200 [thread overview]
Message-ID: <aa501a8133ee0f336dc9f905fdc3453d964109ed.1755004923.git.maciej.wieczor-retman@intel.com> (raw)
In-Reply-To: <cover.1755004923.git.maciej.wieczor-retman@intel.com>
ARCH_HAS_EXECMEM_ROX was re-enabled in x86 at Linux 6.14 release.
Related code has multiple spots where page virtual addresses end up used
as arguments in arithmetic operations. Combined with enabled tag-based
KASAN it can result in pointers that don't point where they should or
logical operations not giving expected results.
vm_reset_perms() calculates range's start and end addresses using min()
and max() functions. To do that it compares pointers but some are not
tagged - addr variable is, start and end variables aren't.
within() and within_range() can receive tagged addresses which get
compared to untagged start and end variables.
Reset tags in addresses used as function arguments in min(), max(),
within() and within_range().
execmem_cache_add() adds tagged pointers to a maple tree structure,
which then are incorrectly compared when walking the tree. That results
in different pointers being returned later and page permission violation
errors panicking the kernel.
Reset tag of the address range inserted into the maple tree inside
execmem_cache_add().
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
---
Changelog v4:
- Add patch to the series.
arch/x86/mm/pat/set_memory.c | 1 +
mm/execmem.c | 4 +++-
mm/vmalloc.c | 4 ++--
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
index 8834c76f91c9..1f14a1297db0 100644
--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -222,6 +222,7 @@ static inline void cpa_inc_lp_preserved(int level) { }
static inline int
within(unsigned long addr, unsigned long start, unsigned long end)
{
+ addr = (unsigned long)kasan_reset_tag((void *)addr);
return addr >= start && addr < end;
}
diff --git a/mm/execmem.c b/mm/execmem.c
index 0822305413ec..743fa4a8c069 100644
--- a/mm/execmem.c
+++ b/mm/execmem.c
@@ -191,6 +191,8 @@ static int execmem_cache_add_locked(void *ptr, size_t size, gfp_t gfp_mask)
unsigned long lower, upper;
void *area = NULL;
+ addr = arch_kasan_reset_tag(addr);
+
lower = addr;
upper = addr + size - 1;
@@ -216,7 +218,7 @@ static int execmem_cache_add(void *ptr, size_t size, gfp_t gfp_mask)
static bool within_range(struct execmem_range *range, struct ma_state *mas,
size_t size)
{
- unsigned long addr = mas->index;
+ unsigned long addr = arch_kasan_reset_tag(mas->index);
if (addr >= range->start && addr + size < range->end)
return true;
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 6dbcdceecae1..83d666e4837a 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -3328,8 +3328,8 @@ static void vm_reset_perms(struct vm_struct *area)
unsigned long page_size;
page_size = PAGE_SIZE << page_order;
- start = min(addr, start);
- end = max(addr + page_size, end);
+ start = min((unsigned long)arch_kasan_reset_tag(addr), start);
+ end = max((unsigned long)arch_kasan_reset_tag(addr) + page_size, end);
flush_dmap = 1;
}
}
--
2.50.1
next prev parent reply other threads:[~2025-08-12 13:27 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-12 13:23 [PATCH v4 00/18] kasan: x86: arm64: KASAN tag-based mode for x86 Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 01/18] kasan: sw_tags: Use arithmetic shift for shadow computation Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 02/18] kasan: sw_tags: Support tag widths less than 8 bits Maciej Wieczor-Retman
2025-08-13 14:48 ` Ada Couprie Diaz
2025-08-18 4:24 ` Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 03/18] kasan: Fix inline mode for x86 tag-based mode Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 04/18] x86: Add arch specific kasan functions Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 05/18] kasan: arm64: x86: Make special tags arch specific Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 06/18] x86: Reset tag for virtual to physical address conversions Maciej Wieczor-Retman
2025-08-14 7:15 ` Mike Rapoport
2025-08-18 5:29 ` Maciej Wieczor-Retman
2025-08-12 13:23 ` Maciej Wieczor-Retman [this message]
2025-08-14 7:26 ` [PATCH v4 07/18] mm: x86: Untag addresses in EXECMEM_ROX related pointer arithmetic Mike Rapoport
2025-08-18 5:47 ` Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 08/18] x86: Physical address comparisons in fill_p*d/pte Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 09/18] x86: KASAN raw shadow memory PTE init Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 10/18] x86: LAM compatible non-canonical definition Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 11/18] x86: LAM initialization Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 12/18] x86: Minimal SLAB alignment Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 13/18] kasan: arm64: x86: Handle int3 for inline KASAN reports Maciej Wieczor-Retman
2025-08-13 14:49 ` Ada Couprie Diaz
2025-08-18 5:57 ` Maciej Wieczor-Retman
2025-08-13 15:17 ` Peter Zijlstra
2025-08-18 6:26 ` Maciej Wieczor-Retman
2025-09-08 15:40 ` Peter Zijlstra
2025-09-09 8:47 ` Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 14/18] kasan: x86: Apply multishot to the inline report handler Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 15/18] kasan: x86: Logical bit shift for kasan_mem_to_shadow Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 16/18] mm: Unpoison pcpu chunks with base address tag Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 17/18] mm: Unpoison vms[area] addresses with a common tag Maciej Wieczor-Retman
2025-08-12 13:23 ` [PATCH v4 18/18] x86: Make software tag-based kasan available Maciej Wieczor-Retman
2025-08-13 8:16 ` [PATCH v4 00/18] kasan: x86: arm64: KASAN tag-based mode for x86 Kiryl Shutsemau
2025-08-13 10:39 ` Maciej Wieczor-Retman
2025-08-13 11:05 ` Kiryl Shutsemau
2025-08-13 11:44 ` Maciej Wieczor-Retman
2025-08-21 12:30 ` Ada Couprie Diaz
2025-08-22 7:36 ` Maciej Wieczor-Retman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa501a8133ee0f336dc9f905fdc3453d964109ed.1755004923.git.maciej.wieczor-retman@intel.com \
--to=maciej.wieczor-retman@intel.com \
--cc=Liam.Howlett@oracle.com \
--cc=ada.coupriediaz@arm.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=andreyknvl@gmail.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=baohua@kernel.org \
--cc=bigeasy@linutronix.de \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=changyuanl@google.com \
--cc=corbet@lwn.net \
--cc=coxu@redhat.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jan.kiszka@siemens.com \
--cc=jason.andryuk@amd.com \
--cc=jbohac@suse.cz \
--cc=jgross@suse.com \
--cc=jhubbard@nvidia.com \
--cc=joel.granados@kernel.org \
--cc=joey.gouly@arm.com \
--cc=jpoimboe@kernel.org \
--cc=justinstitt@google.com \
--cc=kaleshsingh@google.com \
--cc=kas@kernel.org \
--cc=kasan-dev@googlegroups.com \
--cc=kbingham@kernel.org \
--cc=kees@kernel.org \
--cc=kevin.brodsky@arm.com \
--cc=kristina.martsenko@arm.com \
--cc=kuan-ying.lee@canonical.com \
--cc=leitao@debian.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=llvm@lists.linux.dev \
--cc=lorenzo.stoakes@oracle.com \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=mhocko@suse.com \
--cc=mingo@redhat.com \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas.schier@linux.dev \
--cc=nunodasneves@linux.microsoft.com \
--cc=pankaj.gupta@amd.com \
--cc=pasha.tatashin@soleen.com \
--cc=pcc@google.com \
--cc=peterz@infradead.org \
--cc=rppt@kernel.org \
--cc=ryabinin.a.a@gmail.com \
--cc=samitolvanen@google.com \
--cc=samuel.holland@sifive.com \
--cc=scott@os.amperecomputing.com \
--cc=smostafa@google.com \
--cc=sohil.mehta@intel.com \
--cc=surenb@google.com \
--cc=tglx@linutronix.de \
--cc=thiago.bauermann@linaro.org \
--cc=thuth@redhat.com \
--cc=trintaeoitogc@gmail.com \
--cc=ubizjak@gmail.com \
--cc=urezki@gmail.com \
--cc=vbabka@suse.cz \
--cc=vincenzo.frascino@arm.com \
--cc=wangkefeng.wang@huawei.com \
--cc=wei.liu@kernel.org \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
--cc=xin@zytor.com \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox