From: mawupeng
Date: Fri, 21 Jun 2024 10:08:20 +0800
Subject: Re: [Question] race during kasan_populate_vmalloc_pte
In-Reply-To: <20240618064022.1990814-1-mawupeng1@huawei.com>
List: linux-mm@kvack.org

Hi maintainers, kindly ping.

On 2024/6/18 14:40, Wupeng Ma wrote:
> Hi maintainers,
>
> During our testing, we discovered that kasan vmalloc may trigger a false
> vmalloc-out-of-bounds warning due to a race between kasan_populate_vmalloc_pte
> and kasan_depopulate_vmalloc_pte.
>
> cpu0                                    cpu1                                                        cpu2
> kasan_populate_vmalloc_pte              kasan_populate_vmalloc_pte                                  kasan_depopulate_vmalloc_pte
>                                                                                                     spin_unlock(&init_mm.page_table_lock);
> pte_none(ptep_get(ptep))
> // pte is valid here, return here
>                                                                                                     pte_clear(&init_mm, addr, ptep);
>                                         pte_none(ptep_get(ptep))
>                                         // pte is none here try alloc new pages
>                                                                                                     spin_lock(&init_mm.page_table_lock);
> kasan_poison
> // memset kasan shadow region to 0
>                                         page = __get_free_page(GFP_KERNEL);
>                                         __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
>                                         pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
>                                         spin_lock(&init_mm.page_table_lock);
>                                         set_pte_at(&init_mm, addr, ptep, pte);
>                                         spin_unlock(&init_mm.page_table_lock);
>
> Since the kasan shadow memory in cpu0 is set to 0xf0, which means it is not
> initialized after the race in cpu1, a false vmalloc-out-of-bounds warning is
> triggered when a user attempts to access this memory region.
>
> The root cause of this problem is the pte valid check at the start of
> kasan_populate_vmalloc_pte, which should be removed since it is not protected by
> page_table_lock. However, this may result in severe performance degradation
> since pages will be frequently allocated and freed.
>
> Are there any thoughts on how to solve this issue?
>
> Thank you.
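Added here as an illustration, not code from the mail or from the kernel: a deterministic user-space C model of the check-then-act window the quoted report describes, with the pte reduced to one int slot, pages to numbers from a constructed allocator, and the lock to a flag. It assumes one of the orderings the unlocked check permits (cpu0's unpoison write lands before cpu2's pte_clear), and its second function counts the allocate-then-free cost the mail expects from dropping that check.

```c
#include <assert.h>
#include <stdbool.h>
#define PTE_NONE (-1)
#define KASAN_VMALLOC_INVALID 0xF8   /* kernel's fill value for a fresh shadow page */

static int  pte = PTE_NONE;          /* the single pte the three CPUs contend on */
static int  next_page = 100;         /* constructed allocator: pages 100, 101, ... */
static int  shadow[200];             /* one shadow byte per constructed page */
static int  allocs, frees;           /* counters for the mail's performance concern */
static bool ptl;                     /* init_mm.page_table_lock modeled as a flag */

static void lock(void)   { assert(!ptl); ptl = true; }
static void unlock(void) { assert(ptl);  ptl = false; }
static int  get_free_page(void) { allocs++; shadow[next_page] = KASAN_VMALLOC_INVALID; return next_page++; }
static void free_page(int p)    { frees++; shadow[p] = -1; }   /* -1: page gone */

/* kasan_depopulate_vmalloc_pte: clear and free, entirely under the lock. */
static void depopulate(void) {
    lock();
    if (pte != PTE_NONE) { free_page(pte); pte = PTE_NONE; }
    unlock();
}

/* kasan_populate_vmalloc_pte. The early pte_none() check is the unlocked one the
 * mail points at; the locked re-check guards only set_pte_at. */
static void populate(bool unlocked_check) {
    if (unlocked_check && pte != PTE_NONE) return;   /* "pte is valid here, return here" */
    int page = get_free_page();                      /* __get_free_page + memset INVALID */
    lock();
    if (pte == PTE_NONE) { pte = page; page = PTE_NONE; }
    unlock();
    if (page != PTE_NONE) free_page(page);           /* lost the race: alloc was wasted */
}

/* The race: cpu0 passes the unlocked check and unpoisons (memset 0) the page it saw,
 * cpu2 clears and frees that page, cpu1 installs a fresh INVALID page. Returns the
 * shadow value a later access actually sees: INVALID, not cpu0's 0. */
static int race_scenario(void) {
    pte = PTE_NONE; allocs = frees = 0; populate(false);   /* steady state: page 100 mapped */
    populate(true);                      /* cpu0: unlocked check says valid, returns early */
    shadow[pte] = 0;                     /* cpu0: kasan unpoison lands on page 100 */
    depopulate();                        /* cpu2: pte_clear + free of page 100 */
    populate(true);                      /* cpu1: sees none, maps page 101 filled INVALID */
    return shadow[pte];                  /* cpu0's unpoison did not survive */
}

/* Cost of the proposed fix: with no unlocked check, every call on an already-populated
 * pte allocates a page and frees it again. Returns the wasted allocations. */
static int cost_scenario(int calls, bool unlocked_check) {
    pte = PTE_NONE; allocs = frees = 0; populate(false);   /* the one allocation that sticks */
    for (int i = 0; i < calls; i++) populate(unlocked_check);
    return allocs - 1;
}
```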