2022-10-26 00:19:57

by Kees Cook

[permalink] [raw]
Subject: [PATCH v3] mempool: Do not use ksize() for poisoning

Nothing appears to be using ksize() within the kmalloc-backed mempools
except the mempool poisoning logic. Use the actual pool size instead
of the ksize() to avoid needing any special handling of the memory as
needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.

Suggested-by: Vlastimil Babka <[email protected]>
Link: https://lore.kernel.org/lkml/[email protected]/
Cc: Andrey Konovalov <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Marco Elver <[email protected]>
Cc: Vincenzo Frascino <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
---
v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
v2: https://lore.kernel.org/lkml/[email protected]/
v1: https://lore.kernel.org/lkml/[email protected]/
---
mm/mempool.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mm/mempool.c b/mm/mempool.c
index 96488b13a1ef..54204065037d 100644
--- a/mm/mempool.c
+++ b/mm/mempool.c
@@ -58,7 +58,7 @@ static void check_element(mempool_t *pool, void *element)
{
/* Mempools backed by slab allocator */
if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
- __check_element(pool, element, ksize(element));
+ __check_element(pool, element, (size_t)pool->pool_data);
} else if (pool->free == mempool_free_pages) {
/* Mempools backed by page allocator */
int order = (int)(long)pool->pool_data;
@@ -81,7 +81,7 @@ static void poison_element(mempool_t *pool, void *element)
{
/* Mempools backed by slab allocator */
if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
- __poison_element(element, ksize(element));
+ __poison_element(element, (size_t)pool->pool_data);
} else if (pool->alloc == mempool_alloc_pages) {
/* Mempools backed by page allocator */
int order = (int)(long)pool->pool_data;
@@ -112,7 +112,7 @@ static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
static void kasan_unpoison_element(mempool_t *pool, void *element)
{
if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
- kasan_unpoison_range(element, __ksize(element));
+ kasan_unpoison_range(element, (size_t)pool->pool_data);
else if (pool->alloc == mempool_alloc_pages)
kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
false);
--
2.34.1



2022-10-26 10:30:34

by Vlastimil Babka

[permalink] [raw]
Subject: Re: [PATCH v3] mempool: Do not use ksize() for poisoning

On 10/26/22 01:36, Kees Cook wrote:
> Nothing appears to be using ksize() within the kmalloc-backed mempools
> except the mempool poisoning logic. Use the actual pool size instead
> of the ksize() to avoid needing any special handling of the memory as
> needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.
>
> Suggested-by: Vlastimil Babka <[email protected]>
> Link: https://lore.kernel.org/lkml/[email protected]/
> Cc: Andrey Konovalov <[email protected]>
> Cc: David Rientjes <[email protected]>
> Cc: Marco Elver <[email protected]>
> Cc: Vincenzo Frascino <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>

Acked-by: Vlastimil Babka <[email protected]>

> ---
> v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
> v2: https://lore.kernel.org/lkml/[email protected]/
> v1: https://lore.kernel.org/lkml/[email protected]/
> ---
> mm/mempool.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/mm/mempool.c b/mm/mempool.c
> index 96488b13a1ef..54204065037d 100644
> --- a/mm/mempool.c
> +++ b/mm/mempool.c
> @@ -58,7 +58,7 @@ static void check_element(mempool_t *pool, void *element)
> {
> /* Mempools backed by slab allocator */
> if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
> - __check_element(pool, element, ksize(element));
> + __check_element(pool, element, (size_t)pool->pool_data);
> } else if (pool->free == mempool_free_pages) {
> /* Mempools backed by page allocator */
> int order = (int)(long)pool->pool_data;
> @@ -81,7 +81,7 @@ static void poison_element(mempool_t *pool, void *element)
> {
> /* Mempools backed by slab allocator */
> if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
> - __poison_element(element, ksize(element));
> + __poison_element(element, (size_t)pool->pool_data);
> } else if (pool->alloc == mempool_alloc_pages) {
> /* Mempools backed by page allocator */
> int order = (int)(long)pool->pool_data;
> @@ -112,7 +112,7 @@ static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
> static void kasan_unpoison_element(mempool_t *pool, void *element)
> {
> if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
> - kasan_unpoison_range(element, __ksize(element));
> + kasan_unpoison_range(element, (size_t)pool->pool_data);
> else if (pool->alloc == mempool_alloc_pages)
> kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
> false);


2022-10-26 10:36:12

by Vlastimil Babka

[permalink] [raw]
Subject: Re: [PATCH v3] mempool: Do not use ksize() for poisoning

On 10/26/22 12:02, Vlastimil Babka wrote:
> On 10/26/22 01:36, Kees Cook wrote:
>> Nothing appears to be using ksize() within the kmalloc-backed mempools
>> except the mempool poisoning logic. Use the actual pool size instead
>> of the ksize() to avoid needing any special handling of the memory as
>> needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.
>>
>> Suggested-by: Vlastimil Babka <[email protected]>
>> Link: https://lore.kernel.org/lkml/[email protected]/
>> Cc: Andrey Konovalov <[email protected]>
>> Cc: David Rientjes <[email protected]>
>> Cc: Marco Elver <[email protected]>
>> Cc: Vincenzo Frascino <[email protected]>
>> Cc: Andrew Morton <[email protected]>
>> Cc: [email protected]
>> Signed-off-by: Kees Cook <[email protected]>
>
> Acked-by: Vlastimil Babka <[email protected]>

Ah and since the subject was updated too, note this is supposed to
replace/fixup the patch in mm-unstable:

mempool-use-kmalloc_size_roundup-to-match-ksize-usage.patch

>> ---
>> v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
>> v2: https://lore.kernel.org/lkml/[email protected]/
>> v1: https://lore.kernel.org/lkml/[email protected]/
>> ---
>> mm/mempool.c | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/mm/mempool.c b/mm/mempool.c
>> index 96488b13a1ef..54204065037d 100644
>> --- a/mm/mempool.c
>> +++ b/mm/mempool.c
>> @@ -58,7 +58,7 @@ static void check_element(mempool_t *pool, void *element)
>> {
>> /* Mempools backed by slab allocator */
>> if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
>> - __check_element(pool, element, ksize(element));
>> + __check_element(pool, element, (size_t)pool->pool_data);
>> } else if (pool->free == mempool_free_pages) {
>> /* Mempools backed by page allocator */
>> int order = (int)(long)pool->pool_data;
>> @@ -81,7 +81,7 @@ static void poison_element(mempool_t *pool, void *element)
>> {
>> /* Mempools backed by slab allocator */
>> if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
>> - __poison_element(element, ksize(element));
>> + __poison_element(element, (size_t)pool->pool_data);
>> } else if (pool->alloc == mempool_alloc_pages) {
>> /* Mempools backed by page allocator */
>> int order = (int)(long)pool->pool_data;
>> @@ -112,7 +112,7 @@ static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
>> static void kasan_unpoison_element(mempool_t *pool, void *element)
>> {
>> if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
>> - kasan_unpoison_range(element, __ksize(element));
>> + kasan_unpoison_range(element, (size_t)pool->pool_data);
>> else if (pool->alloc == mempool_alloc_pages)
>> kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
>> false);
>


2022-10-27 08:47:14

by kernel test robot

[permalink] [raw]
Subject: Re: [PATCH v3] mempool: Do not use ksize() for poisoning


Greeting,

FYI, we noticed WARNING:at_kernel/locking/lockdep.c:#__lock_acquire due to commit (built with clang-14):

commit: 216fd003b5aca1c27d62df679cd722730b886919 ("[PATCH v3] mempool: Do not use ksize() for poisoning")
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/mempool-Do-not-use-ksize-for-poisoning/20221026-073834
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/pstore
patch link: https://lore.kernel.org/linux-mm/[email protected]
patch subject: [PATCH v3] mempool: Do not use ksize() for poisoning

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/oe-lkp/[email protected]


[ 4.181184][ T1] ------------[ cut here ]------------
[ 4.181613][ T1] DEBUG_LOCKS_WARN_ON(1)
[ 4.181613][ T1] WARNING: CPU: 1 PID: 1 at kernel/locking/lockdep.c:231 __lock_acquire (lockdep.c:?)
[ 4.181613][ T1] Modules linked in:
[ 4.181613][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc1-00012-g216fd003b5ac #1
[ 4.181613][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 4.181613][ T1] EIP: __lock_acquire (lockdep.c:?)
[ 4.181613][ T1] Code: bd 96 00 85 c0 0f 84 b4 02 00 00 83 3d b8 c0 4c 45 00 0f 85 a7 02 00 00 68 c3 07 29 44 68 44 7b 13 44 e8 a7 53 f8 ff 83 c4 08 <0f> 0b 8b 4d f0 eb 09 6b c0 64 8d b0 10 38 71 45 8a 5e 60 b8 ff 1f
All code
========
0: bd 96 00 85 c0 mov $0xc0850096,%ebp
5: 0f 84 b4 02 00 00 je 0x2bf
b: 83 3d b8 c0 4c 45 00 cmpl $0x0,0x454cc0b8(%rip) # 0x454cc0ca
12: 0f 85 a7 02 00 00 jne 0x2bf
18: 68 c3 07 29 44 pushq $0x442907c3
1d: 68 44 7b 13 44 pushq $0x44137b44
22: e8 a7 53 f8 ff callq 0xfffffffffff853ce
27: 83 c4 08 add $0x8,%esp
2a:* 0f 0b ud2 <-- trapping instruction
2c: 8b 4d f0 mov -0x10(%rbp),%ecx
2f: eb 09 jmp 0x3a
31: 6b c0 64 imul $0x64,%eax,%eax
34: 8d b0 10 38 71 45 lea 0x45713810(%rax),%esi
3a: 8a 5e 60 mov 0x60(%rsi),%bl
3d: b8 .byte 0xb8
3e: ff 1f lcall *(%rdi)

Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 8b 4d f0 mov -0x10(%rbp),%ecx
5: eb 09 jmp 0x10
7: 6b c0 64 imul $0x64,%eax,%eax
a: 8d b0 10 38 71 45 lea 0x45713810(%rax),%esi
10: 8a 5e 60 mov 0x60(%rsi),%bl
13: b8 .byte 0xb8
14: ff 1f lcall *(%rdi)
[ 4.181613][ T1] EAX: 00000016 EBX: 00080000 ECX: 00000000 EDX: 00000000
[ 4.181613][ T1] ESI: 00000000 EDI: 403e0610 EBP: 40397ad0 ESP: 40397a30
[ 4.181613][ T1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010016
[ 4.181613][ T1] CR0: 80050033 CR2: 00000000 CR3: 05654000 CR4: 00000690
[ 4.181613][ T1] Call Trace:
[ 4.181613][ T1] ? __lock_acquire (lockdep.c:?)
[ 4.181613][ T1] ? update_cfs_rq_load_avg (fair.c:?)
[ 4.181613][ T1] ? lock_acquire (??:?)
[ 4.181613][ T1] ? ___slab_alloc (slub.c:?)
[ 4.181613][ T1] ? _raw_spin_lock_irqsave (??:?)
[ 4.181613][ T1] ? ___slab_alloc (slub.c:?)
[ 4.181613][ T1] ? __cond_resched (??:?)
[ 4.181613][ T1] ? slab_pre_alloc_hook (slub.c:?)
[ 4.181613][ T1] ? kmem_cache_alloc (??:?)
[ 4.181613][ T1] ? mempool_alloc_slab (??:?)
[ 4.181613][ T1] ? mempool_init_node (??:?)
[ 4.181613][ T1] ? mempool_init (??:?)
[ 4.181613][ T1] ? mempool_alloc_slab (??:?)
[ 4.181613][ T1] ? bioset_init (??:?)
[ 4.181613][ T1] ? mempool_alloc_slab (??:?)
[ 4.181613][ T1] ? init_bio (bio.c:?)
[ 4.181613][ T1] ? blkdev_init (bio.c:?)
[ 4.181613][ T1] ? do_one_initcall (??:?)
[ 4.181613][ T1] ? blkdev_init (bio.c:?)
[ 4.181613][ T1] ? do_initcall_level (main.c:?)
[ 4.181613][ T1] ? do_initcalls (main.c:?)
[ 4.181613][ T1] ? do_basic_setup (main.c:?)
[ 4.181613][ T1] ? kernel_init_freeable (main.c:?)
[ 4.181613][ T1] ? rest_init (main.c:?)
[ 4.181613][ T1] ? kernel_init (main.c:?)
[ 4.181613][ T1] ? rest_init (main.c:?)
[ 4.181613][ T1] ? ret_from_fork (??:?)
[ 4.181613][ T1] irq event stamp: 52976
[ 4.181613][ T1] hardirqs last enabled at (52975): __schedule (core.c:?)
[ 4.181613][ T1] hardirqs last disabled at (52976): _raw_spin_lock_irqsave (??:?)
[ 4.181613][ T1] softirqs last enabled at (52954): __do_softirq (??:?)
[ 4.181613][ T1] softirqs last disabled at (52949): do_softirq_own_stack (??:?)
[ 4.181613][ T1] ---[ end trace 0000000000000000 ]---


To reproduce:

# build kernel
cd linux
cp config-6.1.0-rc1-00012-g216fd003b5ac .config
make HOSTCC=clang-14 CC=clang-14 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=clang-14 CC=clang-14 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



--
0-DAY CI Kernel Test Service
https://01.org/lkp



Attachments:
(No filename) (5.66 kB)
config-6.1.0-rc1-00012-g216fd003b5ac (161.93 kB)
job-script (4.91 kB)
dmesg.xz (11.25 kB)
Download all attachments

2022-10-27 19:31:04

by Andrey Konovalov

[permalink] [raw]
Subject: Re: [PATCH v3] mempool: Do not use ksize() for poisoning

On Wed, Oct 26, 2022 at 1:36 AM Kees Cook <[email protected]> wrote:
>
> Nothing appears to be using ksize() within the kmalloc-backed mempools
> except the mempool poisoning logic. Use the actual pool size instead
> of the ksize() to avoid needing any special handling of the memory as
> needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.
>
> Suggested-by: Vlastimil Babka <[email protected]>
> Link: https://lore.kernel.org/lkml/[email protected]/
> Cc: Andrey Konovalov <[email protected]>
> Cc: David Rientjes <[email protected]>
> Cc: Marco Elver <[email protected]>
> Cc: Vincenzo Frascino <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>
> ---
> v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
> v2: https://lore.kernel.org/lkml/[email protected]/
> v1: https://lore.kernel.org/lkml/[email protected]/
> ---
> mm/mempool.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/mm/mempool.c b/mm/mempool.c
> index 96488b13a1ef..54204065037d 100644
> --- a/mm/mempool.c
> +++ b/mm/mempool.c
> @@ -58,7 +58,7 @@ static void check_element(mempool_t *pool, void *element)
> {
> /* Mempools backed by slab allocator */
> if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
> - __check_element(pool, element, ksize(element));
> + __check_element(pool, element, (size_t)pool->pool_data);
> } else if (pool->free == mempool_free_pages) {
> /* Mempools backed by page allocator */
> int order = (int)(long)pool->pool_data;
> @@ -81,7 +81,7 @@ static void poison_element(mempool_t *pool, void *element)
> {
> /* Mempools backed by slab allocator */
> if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
> - __poison_element(element, ksize(element));
> + __poison_element(element, (size_t)pool->pool_data);
> } else if (pool->alloc == mempool_alloc_pages) {
> /* Mempools backed by page allocator */
> int order = (int)(long)pool->pool_data;
> @@ -112,7 +112,7 @@ static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
> static void kasan_unpoison_element(mempool_t *pool, void *element)
> {
> if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
> - kasan_unpoison_range(element, __ksize(element));
> + kasan_unpoison_range(element, (size_t)pool->pool_data);
> else if (pool->alloc == mempool_alloc_pages)
> kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
> false);
> --
> 2.34.1
>

For the KASAN change:

Reviewed-by: Andrey Konovalov <[email protected]>

Thanks!