From: mawupeng <mawupeng1@huawei.com>
Date: Fri, 12 Jul 2024 10:08:21 +0800
Subject: Re: [Question] race during kasan_populate_vmalloc_pte
In-Reply-To: <20240618064022.1990814-1-mawupeng1@huawei.com>
List: linux-mm@kvack.org
Hi maintainers,

Kindly ping.

On 2024/6/18 14:40, Wupeng Ma wrote:
> Hi maintainers,
>
> During our testing, we discovered that kasan vmalloc may trigger a false
> vmalloc-out-of-bounds warning due to a race between kasan_populate_vmalloc_pte
> and kasan_depopulate_vmalloc_pte.
>
> cpu0                                 cpu1                                 cpu2
> kasan_populate_vmalloc_pte           kasan_populate_vmalloc_pte           kasan_depopulate_vmalloc_pte
>                                                                           spin_unlock(&init_mm.page_table_lock);
> pte_none(ptep_get(ptep))
> // pte is valid here, return here
>                                                                           pte_clear(&init_mm, addr, ptep);
>                                      pte_none(ptep_get(ptep))
>                                      // pte is none here try alloc new pages
>                                                                           spin_lock(&init_mm.page_table_lock);
> kasan_poison
> // memset kasan shadow region to 0
>                                      page = __get_free_page(GFP_KERNEL);
>                                      __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
>                                      pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
>                                      spin_lock(&init_mm.page_table_lock);
>                                      set_pte_at(&init_mm, addr, ptep, pte);
>                                      spin_unlock(&init_mm.page_table_lock);
>
> Since the kasan shadow memory in cpu0 is set to 0xf0, which means it is not
> initialized after the race in cpu1, a false vmalloc-out-of-bounds warning is
> triggered when a user attempts to access this memory region.
>
> The root cause of this problem is the pte valid check at the start of
> kasan_populate_vmalloc_pte, which should be removed since it is not protected
> by page_table_lock. However, this may result in severe performance degradation
> since pages will be frequently allocated and freed.
>
> Are there any thoughts on how to solve this issue?
>
> Thank you.
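The interleaving quoted above, as an added example in user-space C (not code from the Linux tree or from the reporter): struct shadow_slot stands in for one shadow pte with NULL as pte_none(), the helpers mirror the steps of kasan_populate_vmalloc_pte and kasan_depopulate_vmalloc_pte, and the race is single-stepped in the order the report draws it. The model assumes the shadow writer goes through the translation it resolved at its lockless check, and it hands the depopulated page back instead of freeing it so the lost write can be inspected; PAGE_SIZE, KASAN_VMALLOC_INVALID and all function names below are the model's own.

```c
/* User-space model of the populate/depopulate race; added example, not kernel code. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
#define KASAN_VMALLOC_INVALID 0xF0 /* fill value for a freshly populated shadow page */

/* One shadow pte. pte == NULL models pte_none(); 'locked' models page_table_lock
 * (the run is single-stepped, so it only asserts the lock is never taken twice). */
struct shadow_slot { uint8_t *pte; int locked; };

static void lock(struct shadow_slot *s)   { assert(!s->locked); s->locked = 1; }
static void unlock(struct shadow_slot *s) { assert(s->locked);  s->locked = 0; }

/* Lockless check at the top of populate: the page observed as mapped (the caller
 * returns early on that), or NULL for pte_none(). */
static uint8_t *populate_fastpath(struct shadow_slot *s) { return s->pte; }

/* Rest of populate: allocate, fill with KASAN_VMALLOC_INVALID, install under the
 * lock if the pte is still none, otherwise drop the page. Returns the mapped page. */
static uint8_t *populate_slowpath(struct shadow_slot *s)
{
	uint8_t *page = malloc(PAGE_SIZE);
	assert(page);
	memset(page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
	lock(s);
	if (s->pte == NULL) { s->pte = page; page = NULL; }
	unlock(s);
	free(page);
	return s->pte;
}

/* depopulate: clear the pte under the lock. The kernel frees the page here; the
 * model returns it so the caller can look at what was written into it. */
static uint8_t *depopulate(struct shadow_slot *s)
{
	lock(s);
	uint8_t *page = s->pte;
	s->pte = NULL;
	unlock(s);
	return page;
}

/* Shadow write after populate (unpoison: 0 == addressable), done through the
 * translation the writer already holds (model assumption). */
static void unpoison(uint8_t *page) { memset(page, 0, PAGE_SIZE); }

/* What an access check would see for byte offset 'off' of the region. */
static int access_is_reported(const struct shadow_slot *s, size_t off)
{
	return s->pte == NULL || s->pte[off / 8] != 0;
}

struct outcome {
	int reported;        /* would the access be flagged? */
	uint8_t mapped_byte; /* shadow byte in the page mapped at the end */
	uint8_t stale_byte;  /* shadow byte in the page cpu2 unmapped */
};

/* The report's ordering: cpu0's fast path passes, cpu2 clears the pte, cpu1
 * maps a fresh 0xf0 page, then cpu0's zeroes land in the page cpu2 unmapped. */
static struct outcome run_racy_interleaving(void)
{
	struct shadow_slot s = { NULL, 0 };
	struct outcome o;
	populate_slowpath(&s);                      /* an earlier mapping exists */
	uint8_t *cpu0_view = populate_fastpath(&s); /* cpu0: pte valid, return */
	uint8_t *stale = depopulate(&s);            /* cpu2: pte_clear */
	assert(populate_fastpath(&s) == NULL);      /* cpu1: pte_none, allocate */
	uint8_t *fresh = populate_slowpath(&s);     /* cpu1: set_pte_at */
	unpoison(cpu0_view);                        /* cpu0: write goes to stale page */
	o.reported = access_is_reported(&s, 0);
	o.mapped_byte = fresh[0];
	o.stale_byte = stale[0];
	free(stale); free(fresh);
	return o;
}

/* Same steps without overlap: cpu0 resolves the mapping after cpu1 is done. */
static struct outcome run_serialized(void)
{
	struct shadow_slot s = { NULL, 0 };
	struct outcome o;
	populate_slowpath(&s);
	uint8_t *stale = depopulate(&s);
	uint8_t *fresh = populate_slowpath(&s);
	unpoison(populate_fastpath(&s));            /* cpu0 sees the fresh page */
	o.reported = access_is_reported(&s, 0);
	o.mapped_byte = fresh[0];
	o.stale_byte = stale[0];
	free(stale); free(fresh);
	return o;
}

int main(void)
{
	struct outcome r = run_racy_interleaving(), q = run_serialized();
	printf("racy:       reported=%d mapped=0x%02x stale=0x%02x\n", r.reported, r.mapped_byte, r.stale_byte);
	printf("serialized: reported=%d mapped=0x%02x stale=0x%02x\n", q.reported, q.mapped_byte, q.stale_byte);
	return 0;
}
```

In the racy run the page that ends up mapped still holds 0xf0, so the access check reports it, while cpu0's zeroes sit in the page cpu2 unmapped; in the serialized run the mapped page is zeroed and nothing is reported. The model shows why the lockless pte_none() fast path is the step that lets cpu0 skip the lock, which is the check the report proposes removing.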