Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp172340ybi; Wed, 29 May 2019 19:00:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqyD02ebdz4Fz5QXB4/HFOagmbG8E6pe7MvnhCkhKJUD3ZxPzkQALSTmTXYUWLj7DPHdgtqT X-Received: by 2002:aa7:87d7:: with SMTP id i23mr909422pfo.211.1559181645370; Wed, 29 May 2019 19:00:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559181645; cv=none; d=google.com; s=arc-20160816; b=QA25dtguKR5vH/J7Nr6+P23UTB/LDmabvP88XmypszBtQ8WGoXSk0pRggaasvGRh1B iJzLAen/Dn3ov7ejverG3CdWzwfZip0ok/4FVG2IXyfM77iETEosXc57/R4G6KvtdMbi 21FzwiIpESwyE45QGGPmsX468qhP/SMKo9nyPSUZLhtYGdpjHPbz2sGWUDbE9btARodY aDSJ4khwKp7eMReV4lErlDSrEkbUWj4kdmh3p/IOfmU9z4TClSOEmqbSpYTPvmUhLshc tqzyPY1yR1zrtg1/IoJlMmAc3X1/uoEc1L4ib3aI3RdkMLGUL6ij5mPPkfugMaXHH7/J U4pw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :references:in-reply-to:date:cc:to:from:subject:message-id; bh=XXsLOZQadxBhSzd1txFxmx/ksVLxTCP4p3VJFs76yBk=; b=agB4lX8sm4VFs3rg4MJV5mY50ulBhGbdfaBk2CGLvpijJD5ICa3Z/jxb8vvmKpUr9B tPd5USDZOxG1yt6FsI2owPSVkVU9ewxdRgE2VBGAPL8iSv5nCG420lzFHPEBkGVLDuK/ /dw88X3NE3eqoKlIUH5sH/iYogwmJ+zL71Rg9KzbvIz+kjvV4/NJk9RHuuoWEO3INWd+ RiGUsyUm4VA9MHSVnPjxQyBN68X295XfvqE4ch0OG5KCuhPaJjW9ppKOP6kGK9HyoOVn xzN43jdOVsSuPPyT+eA8QxuIeRLWHsBD6M9xjGJ11gbWaKd15nmaL3CPnXkkVr6PRUP6 5uag== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e14si1527463pgi.586.2019.05.29.19.00.27; Wed, 29 May 2019 19:00:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727380AbfE3B6M (ORCPT + 99 others); Wed, 29 May 2019 21:58:12 -0400 Received: from mailgw02.mediatek.com ([210.61.82.184]:15272 "EHLO mailgw02.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1726527AbfE3B6M (ORCPT ); Wed, 29 May 2019 21:58:12 -0400 X-UUID: 06101ce5e0844a43a15a98856ac9e508-20190530 X-UUID: 06101ce5e0844a43a15a98856ac9e508-20190530 Received: from mtkcas06.mediatek.inc [(172.21.101.30)] by mailgw02.mediatek.com (envelope-from ) (mhqrelay.mediatek.com ESMTP with TLS) with ESMTP id 117967436; Thu, 30 May 2019 09:58:03 +0800 Received: from MTKCAS06.mediatek.inc (172.21.101.30) by mtkmbs07n2.mediatek.inc (172.21.101.141) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 30 May 2019 09:58:02 +0800 Received: from [172.21.84.99] (172.21.84.99) by MTKCAS06.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.0.1395.4 via Frontend Transport; Thu, 30 May 2019 09:58:02 +0800 Message-ID: <1559181482.24427.18.camel@mtksdccf07> Subject: Re: [PATCH] kasan: add memory corruption identification for software tag-based mode From: Walter Wu To: Dmitry Vyukov CC: Andrey Ryabinin , Alexander Potapenko , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Matthias Brugger , "Miles Chen" , kasan-dev , LKML , Linux-MM , "Linux ARM" , , , "Catalin Marinas" Date: Thu, 30 May 2019 09:58:02 +0800 In-Reply-To: References: <1559027797-30303-1-git-send-email-walter-zh.wu@mediatek.com> <1559122529.17186.24.camel@mtksdccf07> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.2.3-0ubuntu6 Content-Transfer-Encoding: 7bit MIME-Version: 1.0 X-MTK: N Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2019-05-29 at 12:00 +0200, Dmitry Vyukov wrote: > > > There can be multiple qobjects in the quarantine associated with the > > > address, right? If so, we need to find the last one rather then a > > > random one. > > > > > The qobject includes the address which has tag and range, corruption > > address must be satisfied with the same tag and within object address > > range, then it is found in the quarantine. > > It should not easy to get multiple qobjects have the same tag and within > > object address range. > > Yes, using the tag for matching (which I missed) makes the match less likely. > > But I think we should at least try to find the newest object in > best-effort manner. We hope it, too. > Consider, both slab and slub reallocate objects in LIFO manner and we > don't have a quarantine for objects themselves. So if we have a loop > that allocates and frees an object of same size a dozen of times. > That's enough to get a duplicate pointer+tag qobject. > This includes: > 1. walking the global quarantine from quarantine_tail backwards. It is ok. > 2. walking per-cpu lists in the opposite direction: from tail rather > then from head. I guess we don't have links, so we could change the > order and prepend new objects from head. > This way we significantly increase chances of finding the right > object. This also deserves a comment mentioning that we can find a > wrong objects. > The current walking per-cpu list direction is from head to trail. we will modify the direction and find the newest object. > > > Why don't we allocate qlist_object and qlist_node in a single > > > allocation? Doing 2 allocations is both unnecessary slow and leads to > > > more complex code. We need to allocate them with a single allocations. > > > Also I think they should be allocated from a dedicated cache that opts > > > out of quarantine? > > > > > Single allocation is good suggestion, if we only has one allocation. > > then we need to move all member of qlist_object to qlist_node? > > > > struct qlist_object { > > unsigned long addr; > > unsigned int size; > > struct kasan_alloc_meta free_track; > > }; > > struct qlist_node { > > struct qlist_object *qobject; > > struct qlist_node *next; > > }; > > I see 2 options: > 1. add addr/size/free_track to qlist_node under ifdef CONFIG_KASAN_SW_TAGS > 2. or probably better would be to include qlist_node into qlist_object > as first field, then allocate qlist_object and cast it to qlist_node > when adding to quarantine, and then as we iterate quarantine, we cast > qlist_node back to qlist_object and can access size/addr. > Choice 2 looks better, We first try it. > > > We call call ___cache_free() to free the qobject and qnode, it should be > > out of quarantine? > > This should work. Thanks your good suggestion. We will implement those solution which you suggested to the second edition. Thanks, Walter