[Question] race during kasan_populate_vmalloc

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

* [Question] race during kasan_populate_vmalloc_pte
@ 2024-06-18  6:40 Wupeng Ma
  2024-06-21  2:08 ` mawupeng
  2024-07-12  2:08 ` mawupeng
  0 siblings, 2 replies; 5+ messages in thread
From: Wupeng Ma @ 2024-06-18  6:40 UTC (permalink / raw)
  To: akpm, ryabinin.a.a, glider, andreyknvl, dvyukov, vincenzo.frascino
  Cc: mawupeng1, kasan-dev, linux-mm, linux-kernel

Hi maintainers,

During our testing, we discovered that kasan vmalloc may trigger a false
vmalloc-out-of-bounds warning due to a race between kasan_populate_vmalloc_pte
and kasan_depopulate_vmalloc_pte.

cpu0				cpu1				cpu2
  kasan_populate_vmalloc_pte	kasan_populate_vmalloc_pte	kasan_depopulate_vmalloc_pte
								spin_unlock(&init_mm.page_table_lock);
  pte_none(ptep_get(ptep))
  // pte is valid here, return here
								pte_clear(&init_mm, addr, ptep);
				pte_none(ptep_get(ptep))
				// pte is none here try alloc new pages
								spin_lock(&init_mm.page_table_lock);
kasan_poison
// memset kasan shadow region to 0
				page = __get_free_page(GFP_KERNEL);
				__memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
				pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
				spin_lock(&init_mm.page_table_lock);
				set_pte_at(&init_mm, addr, ptep, pte);
				spin_unlock(&init_mm.page_table_lock);

Since kasan shadow memory in cpu0 is set to 0xf0 which means it is not
initialized after the race in cpu1. Consequently, a false vmalloc-out-of-bounds
warning is triggered when a user attempts to access this memory region.

The root cause of this problem is the pte valid check at the start of
kasan_populate_vmalloc_pte should be removed since it is not protected by
page_table_lock. However, this may result in severe performance degradation
since pages will be frequently allocated and freed.

Is there have any thoughts on how to solve this issue?

Thank you.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Question] race during kasan_populate_vmalloc_pte
  2024-06-18  6:40 [Question] race during kasan_populate_vmalloc_pte Wupeng Ma
@ 2024-06-21  2:08 ` mawupeng
  2024-07-12  2:08 ` mawupeng
  1 sibling, 0 replies; 5+ messages in thread
From: mawupeng @ 2024-06-21  2:08 UTC (permalink / raw)
  To: akpm, ryabinin.a.a, glider, andreyknvl, dvyukov, vincenzo.frascino
  Cc: mawupeng1, kasan-dev, linux-mm, linux-kernel

Hi maintainers,

kingly ping.

On 2024/6/18 14:40, Wupeng Ma wrote:
> Hi maintainers,
> 
> During our testing, we discovered that kasan vmalloc may trigger a false
> vmalloc-out-of-bounds warning due to a race between kasan_populate_vmalloc_pte
> and kasan_depopulate_vmalloc_pte.
> 
> cpu0				cpu1				cpu2
>   kasan_populate_vmalloc_pte	kasan_populate_vmalloc_pte	kasan_depopulate_vmalloc_pte
> 								spin_unlock(&init_mm.page_table_lock);
>   pte_none(ptep_get(ptep))
>   // pte is valid here, return here
> 								pte_clear(&init_mm, addr, ptep);
> 				pte_none(ptep_get(ptep))
> 				// pte is none here try alloc new pages
> 								spin_lock(&init_mm.page_table_lock);
> kasan_poison
> // memset kasan shadow region to 0
> 				page = __get_free_page(GFP_KERNEL);
> 				__memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
> 				pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
> 				spin_lock(&init_mm.page_table_lock);
> 				set_pte_at(&init_mm, addr, ptep, pte);
> 				spin_unlock(&init_mm.page_table_lock);
> 
> 
> Since kasan shadow memory in cpu0 is set to 0xf0 which means it is not
> initialized after the race in cpu1. Consequently, a false vmalloc-out-of-bounds
> warning is triggered when a user attempts to access this memory region.
> 
> The root cause of this problem is the pte valid check at the start of
> kasan_populate_vmalloc_pte should be removed since it is not protected by
> page_table_lock. However, this may result in severe performance degradation
> since pages will be frequently allocated and freed.
> 
> Is there have any thoughts on how to solve this issue?
> 
> Thank you.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Question] race during kasan_populate_vmalloc_pte
  2024-06-18  6:40 [Question] race during kasan_populate_vmalloc_pte Wupeng Ma
  2024-06-21  2:08 ` mawupeng
@ 2024-07-12  2:08 ` mawupeng
  2024-07-15 17:19   ` Alexander Potapenko
  1 sibling, 1 reply; 5+ messages in thread
From: mawupeng @ 2024-07-12  2:08 UTC (permalink / raw)
  To: akpm, ryabinin.a.a, glider, andreyknvl, dvyukov, vincenzo.frascino
  Cc: mawupeng1, kasan-dev, linux-mm, linux-kernel

Hi maintainers,

kingly ping.

On 2024/6/18 14:40, Wupeng Ma wrote:
> Hi maintainers,
> 
> During our testing, we discovered that kasan vmalloc may trigger a false
> vmalloc-out-of-bounds warning due to a race between kasan_populate_vmalloc_pte
> and kasan_depopulate_vmalloc_pte.
> 
> cpu0				cpu1				cpu2
>   kasan_populate_vmalloc_pte	kasan_populate_vmalloc_pte	kasan_depopulate_vmalloc_pte
> 								spin_unlock(&init_mm.page_table_lock);
>   pte_none(ptep_get(ptep))
>   // pte is valid here, return here
> 								pte_clear(&init_mm, addr, ptep);
> 				pte_none(ptep_get(ptep))
> 				// pte is none here try alloc new pages
> 								spin_lock(&init_mm.page_table_lock);
> kasan_poison
> // memset kasan shadow region to 0
> 				page = __get_free_page(GFP_KERNEL);
> 				__memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
> 				pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
> 				spin_lock(&init_mm.page_table_lock);
> 				set_pte_at(&init_mm, addr, ptep, pte);
> 				spin_unlock(&init_mm.page_table_lock);
> 
> 
> Since kasan shadow memory in cpu0 is set to 0xf0 which means it is not
> initialized after the race in cpu1. Consequently, a false vmalloc-out-of-bounds
> warning is triggered when a user attempts to access this memory region.
> 
> The root cause of this problem is the pte valid check at the start of
> kasan_populate_vmalloc_pte should be removed since it is not protected by
> page_table_lock. However, this may result in severe performance degradation
> since pages will be frequently allocated and freed.
> 
> Is there have any thoughts on how to solve this issue?
> 
> Thank you.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Question] race during kasan_populate_vmalloc_pte
  2024-07-12  2:08 ` mawupeng
@ 2024-07-15 17:19   ` Alexander Potapenko
  2024-07-16  1:12     ` mawupeng
  0 siblings, 1 reply; 5+ messages in thread
From: Alexander Potapenko @ 2024-07-15 17:19 UTC (permalink / raw)
  To: mawupeng
  Cc: akpm, ryabinin.a.a, andreyknvl, dvyukov, vincenzo.frascino,
	kasan-dev, linux-mm, linux-kernel

On Fri, Jul 12, 2024 at 4:08 AM mawupeng <mawupeng1@huawei.com> wrote:
>
> Hi maintainers,
>
> kingly ping.
>
> On 2024/6/18 14:40, Wupeng Ma wrote:
> > Hi maintainers,
> >
> > During our testing, we discovered that kasan vmalloc may trigger a false
> > vmalloc-out-of-bounds warning due to a race between kasan_populate_vmalloc_pte
> > and kasan_depopulate_vmalloc_pte.
> >
> > cpu0                          cpu1                            cpu2
> >   kasan_populate_vmalloc_pte  kasan_populate_vmalloc_pte      kasan_depopulate_vmalloc_pte
> >                                                               spin_unlock(&init_mm.page_table_lock);
> >   pte_none(ptep_get(ptep))
> >   // pte is valid here, return here
> >                                                               pte_clear(&init_mm, addr, ptep);
> >                               pte_none(ptep_get(ptep))
> >                               // pte is none here try alloc new pages
> >                                                               spin_lock(&init_mm.page_table_lock);
> > kasan_poison
> > // memset kasan shadow region to 0
> >                               page = __get_free_page(GFP_KERNEL);
> >                               __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
> >                               pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
> >                               spin_lock(&init_mm.page_table_lock);
> >                               set_pte_at(&init_mm, addr, ptep, pte);
> >                               spin_unlock(&init_mm.page_table_lock);
> >
> >
> > Since kasan shadow memory in cpu0 is set to 0xf0 which means it is not
> > initialized after the race in cpu1. Consequently, a false vmalloc-out-of-bounds
> > warning is triggered when a user attempts to access this memory region.
> >
> > The root cause of this problem is the pte valid check at the start of
> > kasan_populate_vmalloc_pte should be removed since it is not protected by
> > page_table_lock. However, this may result in severe performance degradation
> > since pages will be frequently allocated and freed.
> >
> > Is there have any thoughts on how to solve this issue?
> >
> > Thank you.

I am going to take a closer look at this issue. Any chance you have a
reproducer for it?


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Question] race during kasan_populate_vmalloc_pte
  2024-07-15 17:19   ` Alexander Potapenko
@ 2024-07-16  1:12     ` mawupeng
  0 siblings, 0 replies; 5+ messages in thread
From: mawupeng @ 2024-07-16  1:12 UTC (permalink / raw)
  To: glider
  Cc: mawupeng1, akpm, ryabinin.a.a, andreyknvl, dvyukov,
	vincenzo.frascino, kasan-dev, linux-mm, linux-kernel



On 2024/7/16 1:19, Alexander Potapenko wrote:
> On Fri, Jul 12, 2024 at 4:08 AM mawupeng <mawupeng1@huawei.com> wrote:
>>
>> Hi maintainers,
>>
>> kingly ping.
>>
>> On 2024/6/18 14:40, Wupeng Ma wrote:
>>> Hi maintainers,
>>>
>>> During our testing, we discovered that kasan vmalloc may trigger a false
>>> vmalloc-out-of-bounds warning due to a race between kasan_populate_vmalloc_pte
>>> and kasan_depopulate_vmalloc_pte.
>>>
>>> cpu0                          cpu1                            cpu2
>>>   kasan_populate_vmalloc_pte  kasan_populate_vmalloc_pte      kasan_depopulate_vmalloc_pte
>>>                                                               spin_unlock(&init_mm.page_table_lock);
>>>   pte_none(ptep_get(ptep))
>>>   // pte is valid here, return here
>>>                                                               pte_clear(&init_mm, addr, ptep);
>>>                               pte_none(ptep_get(ptep))
>>>                               // pte is none here try alloc new pages
>>>                                                               spin_lock(&init_mm.page_table_lock);
>>> kasan_poison
>>> // memset kasan shadow region to 0
>>>                               page = __get_free_page(GFP_KERNEL);
>>>                               __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
>>>                               pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
>>>                               spin_lock(&init_mm.page_table_lock);
>>>                               set_pte_at(&init_mm, addr, ptep, pte);
>>>                               spin_unlock(&init_mm.page_table_lock);
>>>
>>>
>>> Since kasan shadow memory in cpu0 is set to 0xf0 which means it is not
>>> initialized after the race in cpu1. Consequently, a false vmalloc-out-of-bounds
>>> warning is triggered when a user attempts to access this memory region.
>>>
>>> The root cause of this problem is the pte valid check at the start of
>>> kasan_populate_vmalloc_pte should be removed since it is not protected by
>>> page_table_lock. However, this may result in severe performance degradation
>>> since pages will be frequently allocated and freed.
>>>
>>> Is there have any thoughts on how to solve this issue?
>>>
>>> Thank you.
> 
> I am going to take a closer look at this issue. Any chance you have a
> reproducer for it?

So far not good. I am trying to get a reproducer, but there is little progress in it.

> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-07-16  1:12 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-18  6:40 [Question] race during kasan_populate_vmalloc_pte Wupeng Ma
2024-06-21  2:08 ` mawupeng
2024-07-12  2:08 ` mawupeng
2024-07-15 17:19   ` Alexander Potapenko
2024-07-16  1:12     ` mawupeng

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox