Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp2596848ybl; Mon, 19 Aug 2019 04:46:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqww+At0cryMvjwjuf4vmpqE7OmQaqOhgAVkFSN5f244IkbpSg+2kyoy6M7/h4aBtsuf/bpi X-Received: by 2002:a17:90a:a897:: with SMTP id h23mr20515393pjq.44.1566215184926; Mon, 19 Aug 2019 04:46:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566215184; cv=none; d=google.com; s=arc-20160816; b=qbIAxaHuZRXv57eAWOx1ueCgk7sv0Cb3WJomPPbC9zYR6Nt/Vba7dYgFQjt0963iCd I8q+0SjB32azgHcHC3MPk/s6soS0K4JFqnAjJK+rsNEBOYjv5wFXVCpggCSDHRG1OAru z6eBj3jMasExWDuhZkkwQKzqgx4RHC+oRwuhbrzjlwxKnCUL+LgucfStcrEi77suFgNx ztoyKc7bobWFGd4FVJCSUr2Tdk0YDafAI/DNi1qlKt5Vm5xKgImCMJJNFYqKfSLzkPyT 0P72lUWjqfGoBf6Hict9kFlf66WRbqXeK5/2SryBFuT54IeMcYN2c0/zebt6pI2pp83O yLZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from; bh=r+ZYVTBc0GCOEYs5DW8XZF5fLl5SZrJ/bAuhiY6pKME=; b=PuV17UlOMvCTCHf2N3VzCe6LU4olGCmBm2RJX0QxvXzT8UcYD0BAbYhtOc2ePJRFev 23Xg6aR70GsX4Q665efiQMBCUr48vn+TJTKfzDd1CW5YCvFDcsRKbfcDCMN5AIB4LscH CdeWDLx6FjOqT3tU1tRBhsCy/8sCaT9LBX+4qgM4OLufQw31Uc/B2QrYV9hSydFIlbOq dKPy1sh8QPdvYbNYORrBxGvdV7yCQtHmJBWR0Rher3NAVqaTSYonrBSurjJfz3IguKpr A7v0iGQnM1FYJeJYwsWJFNq0lPJJanOn29FCW8z8URHWSQ4gMmhzt+F8fOwI2IKHWjGI j+DQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q24si9582882pls.7.2019.08.19.04.46.09; Mon, 19 Aug 2019 04:46:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727339AbfHSLox (ORCPT + 99 others); Mon, 19 Aug 2019 07:44:53 -0400 Received: from mailgw01.mediatek.com ([210.61.82.183]:17463 "EHLO mailgw01.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1726703AbfHSLox (ORCPT ); Mon, 19 Aug 2019 07:44:53 -0400 X-UUID: 5c5b18c1eaff4ff3965997d79be92ffe-20190819 X-UUID: 5c5b18c1eaff4ff3965997d79be92ffe-20190819 Received: from mtkcas07.mediatek.inc [(172.21.101.84)] by mailgw01.mediatek.com (envelope-from ) (Cellopoint E-mail Firewall v4.1.10 Build 0707 with TLS) with ESMTP id 1040434438; Mon, 19 Aug 2019 19:44:45 +0800 Received: from mtkcas07.mediatek.inc (172.21.101.84) by mtkmbs07n2.mediatek.inc (172.21.101.141) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 19 Aug 2019 19:44:46 +0800 Received: from mtksdccf07.mediatek.inc (172.21.84.99) by mtkcas07.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.0.1395.4 via Frontend Transport; Mon, 19 Aug 2019 19:44:47 +0800 From: Walter Wu To: Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Catalin Marinas , Will Deacon , Matthias Brugger , Andrew Morton , Andrey Konovalov CC: , , , , , Walter Wu Subject: [PATCH] arm64: kasan: fix phys_to_virt() false positive on tag-based kasan Date: Mon, 19 Aug 2019 19:44:20 +0800 Message-ID: <20190819114420.2535-1-walter-zh.wu@mediatek.com> X-Mailer: git-send-email 2.18.0 MIME-Version: 1.0 Content-Type: text/plain X-MTK: N Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org __arm_v7s_unmap() call iopte_deref() to translate pyh_to_virt address, but it will modify pointer tag into 0xff, so there is a false positive. When enable tag-based kasan, phys_to_virt() function need to rewrite its original pointer tag in order to avoid kasan report an incorrect memory corruption. BUG: KASAN: double-free or invalid-free in __arm_v7s_unmap+0x720/0xda4 Pointer tag: [ff], memory tag: [c1] Call trace: dump_backtrace+0x0/0x1d4 show_stack+0x14/0x1c dump_stack+0xe8/0x140 print_address_description+0x80/0x2f0 kasan_report_invalid_free+0x58/0x74 __kasan_slab_free+0x1e4/0x220 kasan_slab_free+0xc/0x18 kmem_cache_free+0xfc/0x884 __arm_v7s_unmap+0x720/0xda4 __arm_v7s_map+0xc8/0x774 arm_v7s_map+0x80/0x158 mtk_iommu_map+0xb4/0xe0 iommu_map+0x154/0x450 iommu_map_sg+0xe4/0x150 iommu_dma_map_sg+0x214/0x4ec __iommu_map_sg_attrs+0xf0/0x110 ion_map_dma_buf+0xe8/0x114 dma_buf_map_attachment+0x4c/0x80 disp_sync_prepare_buf+0x378/0x820 _ioctl_prepare_buffer+0x130/0x870 mtk_disp_mgr_ioctl+0x5c4/0xab0 do_vfs_ioctl+0x8e0/0x15a4 __arm64_sys_ioctl+0x8c/0xb4 el0_svc_common+0xe4/0x1e0 el0_svc_handler+0x30/0x3c el0_svc+0x8/0xc Signed-off-by: Walter Wu --- arch/arm64/include/asm/kasan.h | 1 - arch/arm64/include/asm/memory.h | 10 ++++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/kasan.h b/arch/arm64/include/asm/kasan.h index b52aacd2c526..59894cafad60 100644 --- a/arch/arm64/include/asm/kasan.h +++ b/arch/arm64/include/asm/kasan.h @@ -5,7 +5,6 @@ #ifndef __ASSEMBLY__ #include -#include #include #define arch_kasan_set_tag(addr, tag) __tag_set(addr, tag) diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h index 8ffcf5a512bb..75af5ba9ff22 100644 --- a/arch/arm64/include/asm/memory.h +++ b/arch/arm64/include/asm/memory.h @@ -171,6 +171,7 @@ #include #include +#include extern s64 memstart_addr; /* PHYS_OFFSET - the physical address of the start of memory. */ @@ -282,7 +283,16 @@ static inline phys_addr_t virt_to_phys(const volatile void *x) #define phys_to_virt phys_to_virt static inline void *phys_to_virt(phys_addr_t x) { +#ifdef CONFIG_KASAN_SW_TAGS + unsigned long addr = __phys_to_virt(x); + u8 *tag = (void *)(addr >> KASAN_SHADOW_SCALE_SHIFT) + + KASAN_SHADOW_OFFSET; + + addr = __tag_set(addr, *tag); + return (void *)addr; +#else return (void *)(__phys_to_virt(x)); +#endif } /* -- 2.18.0