From: Qian Cai
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qian Cai
Subject: [PATCH] page_poison: plays nicely with KASAN
Date: Mon, 7 Jan 2019 17:36:36 -0500
Message-Id: <20190107223636.80593-1-cai@lca.pw>
X-Mailer: git-send-email 2.17.2 (Apple Git-113)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

KASAN does not play well with the page poisoning
(CONFIG_PAGE_POISONING). It triggers false positives in the allocation
path,

BUG: KASAN: use-after-free in memchr_inv+0x2ea/0x330
Read of size 8 at addr ffff88881f800000 by task swapper/0
CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc1+ #54
Call Trace:
 dump_stack+0xe0/0x19a
 print_address_description.cold.2+0x9/0x28b
 kasan_report.cold.3+0x7a/0xb5
 __asan_report_load8_noabort+0x19/0x20
 memchr_inv+0x2ea/0x330
 kernel_poison_pages+0x103/0x3d5
 get_page_from_freelist+0x15e7/0x4d90

because KASAN has not yet unpoisoned the shadow page for allocation
before it checks memchr_inv() but only found a stale poison pattern.

Also, false positives in the free path,

BUG: KASAN: slab-out-of-bounds in kernel_poison_pages+0x29e/0x3d5
Write of size 4096 at addr ffff8888112cc000 by task swapper/0/1
CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1+ #55
Call Trace:
 dump_stack+0xe0/0x19a
 print_address_description.cold.2+0x9/0x28b
 kasan_report.cold.3+0x7a/0xb5
 check_memory_region+0x22d/0x250
 memset+0x28/0x40
 kernel_poison_pages+0x29e/0x3d5
 __free_pages_ok+0x75f/0x13e0

due to KASAN adding poisoned redzones around slab objects, but the page
poisoning needs to poison the whole page, so simply unpoison the shadow
page before running the page poison's memset.

Signed-off-by: Qian Cai
--- mm/page_alloc.c | 2 +- mm/page_poison.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index d295c9bc01a8..906250a9b89c 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c 
@@ -1945,8 +1945,8 @@ inline void post_alloc_hook(struct page *page, unsigned int order, arch_alloc_page(page, order); kernel_map_pages(page, 1 << order, 1); - kernel_poison_pages(page, 1 << order, 1); kasan_alloc_pages(page, order); + kernel_poison_pages(page, 1 << order, 1); set_page_owner(page, order, gfp_flags); } diff --git a/mm/page_poison.c b/mm/page_poison.c index f0c15e9017c0..e546b70e592a 100644 --- a/mm/page_poison.c +++ b/mm/page_poison.c @@ -6,6 +6,7 @@ #include #include #include +#include static bool want_page_poisoning __read_mostly; @@ -40,6 +41,7 @@ static void poison_page(struct page *page) { void *addr = kmap_atomic(page); + kasan_unpoison_shadow(addr, PAGE_SIZE); memset(addr, PAGE_POISON, PAGE_SIZE); kunmap_atomic(addr); } -- 2.17.2 (Apple Git-113)
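
Review bot: In post_alloc_hook() (mm/page_alloc.c), the new order of kasan_alloc_pages() before kernel_poison_pages() is a hard dependency that nothing in the code records. The commit message explains that the poison check reads the page through memchr_inv() and needs the shadow unpoisoned first; a one-line comment above `kernel_poison_pages(page, 1 << order, 1);` saying it must stay after `kasan_alloc_pages(page, order);` would keep a later cleanup from swapping the two calls back and reintroducing the use-after-free report.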
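
Review bot: In poison_page() (mm/page_poison.c), `kasan_unpoison_shadow(addr, PAGE_SIZE);` changes the shadow state of the whole page as a side effect of a memset, and the hunk does not show anything restoring it afterwards. On the free path that leaves the page accessible as far as KASAN is concerned unless a later step re-poisons it; please state in the changelog which call does that, or avoid touching the shadow at all by bracketing the memset with kasan_disable_current() / kasan_enable_current() so that only this one write is exempt from checking. Either way the line deserves a short comment tying it to the slab redzone case described in the commit message.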