Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp2710777ybl; Mon, 19 Aug 2019 06:26:55 -0700 (PDT) X-Google-Smtp-Source: APXvYqzESKHHHhOVKmfRwjEM1mJXpbrhiH0IbF8SXfQTasggBhRXjqRkONvWCjjD+0dz2X3fT2tY X-Received: by 2002:a17:902:be12:: with SMTP id r18mr21499180pls.341.1566221215711; Mon, 19 Aug 2019 06:26:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566221215; cv=none; d=google.com; s=arc-20160816; b=tubG/4rVQa8p1IkZo2Rb6Q3adILPtePariTBW41Nb/CWke/rTe0LI8v7UypL8+7jhl zAzY7GKXThiE9qtkaqjKT4tIv1IH4D/9NKtH9DXszL1aMDxX8GdHSsPV72Zc4B7PoTXf 6scc491+Pu18rT5e7RlU+qGJHsvuDRJh7wYSkNljx4t9nSIdHTFFETJZodj0ot//ue+v 6TJtSa0MlDA7M1jCQoFH8a9dPWZW6Uukj0846aOvY8Ly60AR0E6d9BR+GH+Aqwtc3Zvj ew4ogfNAdTN9p8CyrfgTjAtINQphSbziJXwtQbbXxGK23g3RntvPgV3wK5lGsKwpQldJ V7uA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Crw0vQ6IDxNH6aDGB2qTbwU8Ff46hOr5FSxlWZRuy8A=; b=dJ3NU1X493kNUSQAFeyR9iJvBrkxKe1hwiwZ14bFKcIDODKX5l9kG9gLjGWXZckm84 Sz17aE5yKch8O9lVBQGmNixORS+HUA0KzFKCXoBdCsWoTnhW7y0Vq/byJ6F0VpYr6vQD oTZCPWV88ahUDG+82CBvkZ7i7b2GuCd4BUMvhPFLFfX2U7zOVpb1uEznum6EVMrWQitE CuDXm3PaOnvdkgh/6G1M+D1ZHCBBPrHLXQKykvL4hPxual7X1IvOBieiLJH+gpVcyzq5 BzEP/UZQDcqIcFLoIV4EEMaUUDMGTEGJAg9DBPgZKfxnPpIkMB2Ldj5rRhrSQD3qtiEi sVAg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n5si9810922pgq.154.2019.08.19.06.26.40; Mon, 19 Aug 2019 06:26:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727907AbfHSNXx (ORCPT + 99 others); Mon, 19 Aug 2019 09:23:53 -0400 Received: from foss.arm.com ([217.140.110.172]:54310 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727628AbfHSNXw (ORCPT ); Mon, 19 Aug 2019 09:23:52 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 0A3FD28; Mon, 19 Aug 2019 06:23:52 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 22D863F777; Mon, 19 Aug 2019 06:23:50 -0700 (PDT) Date: Mon, 19 Aug 2019 14:23:48 +0100 From: Mark Rutland To: Will Deacon Cc: Walter Wu , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Catalin Marinas , Will Deacon , Matthias Brugger , Andrew Morton , Andrey Konovalov , wsd_upstream@mediatek.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH] arm64: kasan: fix phys_to_virt() false positive on tag-based kasan Message-ID: <20190819132347.GB9927@lakrids.cambridge.arm.com> References: <20190819114420.2535-1-walter-zh.wu@mediatek.com> <20190819125625.bu3nbrldg7te5kwc@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190819125625.bu3nbrldg7te5kwc@willie-the-truck> User-Agent: Mutt/1.11.1+11 (2f07cb52) (2018-12-01) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 19, 2019 at 01:56:26PM +0100, Will Deacon wrote: > On Mon, Aug 19, 2019 at 07:44:20PM +0800, Walter Wu wrote: > > __arm_v7s_unmap() call iopte_deref() to translate pyh_to_virt address, > > but it will modify pointer tag into 0xff, so there is a false positive. > > > > When enable tag-based kasan, phys_to_virt() function need to rewrite > > its original pointer tag in order to avoid kasan report an incorrect > > memory corruption. > > Hmm. Which tree did you see this on? We've recently queued a load of fixes > in this area, but I /thought/ they were only needed after the support for > 52-bit virtual addressing in the kernel. I'm seeing similar issues in the virtio blk code (splat below), atop of the arm64 for-next/core branch. I think this is a latent issue, and people are only just starting to test with KASAN_SW_TAGS. It looks like the virtio blk code will round-trip a SLUB-allocated pointer from virt->page->virt, losing the per-object tag in the process. Our page_to_virt() seems to get a per-page tag, but this only makes sense if you're dealing with the page allocator, rather than something like SLUB which carves a page into smaller objects giving each object a distinct tag. Any round-trip of a pointer from SLUB is going to lose the per-object tag. Thanks, Mark. ================================================================== BUG: KASAN: double-free or invalid-free in virtblk_request_done+0x128/0x1d8 drivers/block/virtio_blk.c:215 Pointer tag: [ff], memory tag: [a8] CPU: 0 PID: 19116 Comm: syz-executor.0 Not tainted 5.3.0-rc3-00075-gcb38552 #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x3c0 arch/arm64/include/asm/stacktrace.h:166 show_stack+0x24/0x30 arch/arm64/kernel/traps.c:138 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x138/0x1f4 lib/dump_stack.c:113 print_address_description+0x7c/0x328 mm/kasan/report.c:351 kasan_report_invalid_free+0x80/0xe0 mm/kasan/report.c:444 __kasan_slab_free+0x1a8/0x208 mm/kasan/common.c:56 kasan_slab_free+0xc/0x18 mm/kasan/common.c:457 slab_free_hook mm/slub.c:1423 [inline] slab_free_freelist_hook mm/slub.c:1474 [inline] slab_free mm/slub.c:3016 [inline] kfree+0x254/0x9dc mm/slub.c:3957 virtblk_request_done+0x128/0x1d8 drivers/block/virtio_blk.c:215 blk_done_softirq+0x3dc/0x49c block/blk-softirq.c:37 __do_softirq+0xa90/0x1504 kernel/softirq.c:292 do_softirq_own_stack include/linux/interrupt.h:549 [inline] invoke_softirq kernel/softirq.c:380 [inline] irq_exit+0x3b0/0x4f8 kernel/softirq.c:413 __handle_domain_irq+0x150/0x250 kernel/irq/irqdesc.c:671 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline] static_key_count include/linux/jump_label.h:254 [inline] cpus_have_const_cap arch/arm64/include/asm/cpufeature.h:410 [inline] gic_read_iar drivers/irqchip/irq-gic-v3.c:152 [inline] gic_handle_irq+0x244/0x4ac drivers/irqchip/irq-gic-v3.c:490 el1_irq+0xbc/0x140 arch/arm64/kernel/entry.S:670 ktime_add_safe kernel/time/hrtimer.c:321 [inline] hrtimer_set_expires_range_ns include/linux/hrtimer.h:235 [inline] hrtimer_nanosleep kernel/time/hrtimer.c:1732 [inline] __do_sys_nanosleep kernel/time/hrtimer.c:1767 [inline] __se_sys_nanosleep kernel/time/hrtimer.c:1754 [inline] __arm64_sys_nanosleep+0x344/0x554 kernel/time/hrtimer.c:1754 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:114 [inline] el0_svc_handler+0x300/0x540 arch/arm64/kernel/syscall.c:160 el0_svc+0x8/0xc arch/arm64/kernel/entry.S:1006 Allocated by task 170: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x114/0x1d0 mm/kasan/common.c:487 kasan_kmalloc+0x10/0x18 mm/kasan/common.c:501 __kmalloc+0x1f0/0x48c mm/slub.c:3811 kmalloc_array include/linux/slab.h:676 [inline] virtblk_setup_discard_write_zeroes drivers/block/virtio_blk.c:188 [inline] virtio_queue_rq+0x948/0xe48 drivers/block/virtio_blk.c:322 blk_mq_dispatch_rq_list+0x914/0x16fc block/blk-mq.c:1257 blk_mq_do_dispatch_sched+0x374/0x4d8 block/blk-mq-sched.c:115 blk_mq_sched_dispatch_requests+0x4d0/0x68c block/blk-mq-sched.c:216 __blk_mq_run_hw_queue+0x22c/0x35c block/blk-mq.c:1387 blk_mq_run_work_fn+0x64/0x78 block/blk-mq.c:1620 process_one_work+0x10bc/0x1df0 kernel/workqueue.c:2269 worker_thread+0x1124/0x17bc kernel/workqueue.c:2415 kthread+0x3c0/0x3d0 kernel/kthread.c:255 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1164 Freed by task 17121: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x138/0x208 mm/kasan/common.c:449 kasan_slab_free+0xc/0x18 mm/kasan/common.c:457 slab_free_hook mm/slub.c:1423 [inline] slab_free_freelist_hook mm/slub.c:1474 [inline] slab_free mm/slub.c:3016 [inline] kfree+0x254/0x9dc mm/slub.c:3957 kvfree+0x54/0x60 mm/util.c:488 __vunmap+0xa3c/0xafc mm/vmalloc.c:2255 __vfree mm/vmalloc.c:2299 [inline] vfree+0xe4/0x1c4 mm/vmalloc.c:2329 copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline] get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline] do_ip6t_get_ctl+0xf78/0x1804 net/ipv6/netfilter/ip6_tables.c:1709 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline] nf_getsockopt+0x238/0x258 net/netfilter/nf_sockopt.c:122 ipv6_getsockopt+0x3374/0x40c4 net/ipv6/ipv6_sockglue.c:1400 tcp_getsockopt+0x214/0x54e0 net/ipv4/tcp.c:3662 sock_common_getsockopt+0xc8/0xf4 net/core/sock.c:3089 __sys_getsockopt net/socket.c:2129 [inline] __do_sys_getsockopt net/socket.c:2144 [inline] __se_sys_getsockopt net/socket.c:2141 [inline] __arm64_sys_getsockopt+0x240/0x308 net/socket.c:2141 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:114 [inline] el0_svc_handler+0x300/0x540 arch/arm64/kernel/syscall.c:160 el0_svc+0x8/0xc arch/arm64/kernel/entry.S:1006 The buggy address belongs to the object at ffff00005338eb80 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 0 bytes inside of 128-byte region [ffff00005338eb80, ffff00005338ec00) The buggy address belongs to the page: page:ffffffdffff4ce00 refcount:1 mapcount:0 mapping:e5ff0000576b0480 index:0x29ff000053388f00 flags: 0xffffff000000200(slab) raw: 0ffffff000000200 ffffffdffff00108 5eff0000576afd40 e5ff0000576b0480 raw: 29ff000053388f00 000000000066005d 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00005338e900: 34 34 34 34 34 34 34 34 fe fe fe fe fe fe fe fe ffff00005338ea00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe >ffff00005338eb00: fe fe fe fe fe fe fe fe a8 fe fe fe fe fe fe fe ^ ffff00005338ec00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ffff00005338ed00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ==================================================================