Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp2792802ybl; Mon, 19 Aug 2019 07:36:27 -0700 (PDT) X-Google-Smtp-Source: APXvYqyn0nR2R1Q8GSoe/32ToBS9x38RpworNZQfVdaXH+Ed27Dv3PNPH2flHF3f8sANIh0TkAl0 X-Received: by 2002:a17:90a:e2d2:: with SMTP id fr18mr11180310pjb.98.1566225387092; Mon, 19 Aug 2019 07:36:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566225387; cv=none; d=google.com; s=arc-20160816; b=tNPaTwN+aMruzoCg1nlMEFbv+IdRiUBCQknd9TErNLn3YegkSq7hdrtu5RIfVrUu9Z b9nrJQaq14gLaPTJ10/++oWjCGZIYmORvO6SeS5du45u48M5HT1IlZuC/jw6zkiNIDKw UH4ljiCxGjylTvlrc+Q4/CVYlgDOIPDTCheAfpZ8Wb6pexm8UTFMFVDX1yY5uz+xVPVd FdSalpOpN1PwkuKtb9sAjrfS+LwPipQeEWUSdTcVZBQ3y/E2tmLMZZGXG57V72dE9m4X ixSkpNHWalnYK+771rXwSD0+fdFS3a6P1QKsWvV9G7Wz3ZhHGGUhj6PHQWt/lXZLLZWC BOQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=sIFsnVuxBl/y72Zzf4lBC2bCFvP5/kYc9Ub+QPlp2Tg=; b=f+I2dVuKCWdQ0eQ+fhBshSALpJCFpAO/pCunAGnfjCor2lZ+AXFWZyH2An2U/sLG9q 2nggiCHXspXUy8YCxJ/lkTxwxd2F8+6xNaIuz6yNbcmRlWbY7v5G0Cst+r+cnVTDzvl9 P9M1sYiXSsf8hpJNKQlVsV/V3Y92JBX4NTyOOvsAkVM2b3s9fOsxpKOfUi+OriQymsBS 6qOacYLBqu7xC//bahmtdCTE1bxvZFMI9rOw+Km0NooLF8MusTL95tt82kLjx4bmeIF7 eax70B8/D4IYTbJ8dTcWNvbQBkrWnH79MjTWI2mbh1Vzdf0t9qSVliuwzwxR1ku1Epfo xWAg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t1si8886817pjy.39.2019.08.19.07.36.11; Mon, 19 Aug 2019 07:36:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726959AbfHSOfV (ORCPT + 99 others); Mon, 19 Aug 2019 10:35:21 -0400 Received: from foss.arm.com ([217.140.110.172]:55622 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726464AbfHSOfU (ORCPT ); Mon, 19 Aug 2019 10:35:20 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id A1DDB28; Mon, 19 Aug 2019 07:35:19 -0700 (PDT) Received: from [10.1.197.57] (e110467-lin.cambridge.arm.com [10.1.197.57]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id AC6923F718; Mon, 19 Aug 2019 07:35:17 -0700 (PDT) Subject: Re: [PATCH] arm64: kasan: fix phys_to_virt() false positive on tag-based kasan To: Will Deacon , Andrey Konovalov Cc: Mark Rutland , Walter Wu , wsd_upstream@mediatek.com, Catalin Marinas , Will Deacon , LKML , kasan-dev , linux-mediatek@lists.infradead.org, Alexander Potapenko , Linux ARM , Matthias Brugger , Andrey Ryabinin , Andrew Morton , Dmitry Vyukov References: <20190819114420.2535-1-walter-zh.wu@mediatek.com> <20190819125625.bu3nbrldg7te5kwc@willie-the-truck> <20190819132347.GB9927@lakrids.cambridge.arm.com> <20190819133441.ejomv6cprdcz7hh6@willie-the-truck> <20190819142238.2jobs6vabkp2isg2@willie-the-truck> From: Robin Murphy Message-ID: <1ac7eb3e-156f-218c-8c5a-39a05dd46d55@arm.com> Date: Mon, 19 Aug 2019 15:35:16 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <20190819142238.2jobs6vabkp2isg2@willie-the-truck> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 19/08/2019 15:22, Will Deacon wrote: > On Mon, Aug 19, 2019 at 04:05:22PM +0200, Andrey Konovalov wrote: >> On Mon, Aug 19, 2019 at 3:34 PM Will Deacon wrote: >>> >>> On Mon, Aug 19, 2019 at 02:23:48PM +0100, Mark Rutland wrote: >>>> On Mon, Aug 19, 2019 at 01:56:26PM +0100, Will Deacon wrote: >>>>> On Mon, Aug 19, 2019 at 07:44:20PM +0800, Walter Wu wrote: >>>>>> __arm_v7s_unmap() call iopte_deref() to translate pyh_to_virt address, >>>>>> but it will modify pointer tag into 0xff, so there is a false positive. >>>>>> >>>>>> When enable tag-based kasan, phys_to_virt() function need to rewrite >>>>>> its original pointer tag in order to avoid kasan report an incorrect >>>>>> memory corruption. >>>>> >>>>> Hmm. Which tree did you see this on? We've recently queued a load of fixes >>>>> in this area, but I /thought/ they were only needed after the support for >>>>> 52-bit virtual addressing in the kernel. >>>> >>>> I'm seeing similar issues in the virtio blk code (splat below), atop of >>>> the arm64 for-next/core branch. I think this is a latent issue, and >>>> people are only just starting to test with KASAN_SW_TAGS. >>>> >>>> It looks like the virtio blk code will round-trip a SLUB-allocated pointer from >>>> virt->page->virt, losing the per-object tag in the process. >>>> >>>> Our page_to_virt() seems to get a per-page tag, but this only makes >>>> sense if you're dealing with the page allocator, rather than something >>>> like SLUB which carves a page into smaller objects giving each object a >>>> distinct tag. >>>> >>>> Any round-trip of a pointer from SLUB is going to lose the per-object >>>> tag. >>> >>> Urgh, I wonder how this is supposed to work? >>> >>> If we end up having to check the KASAN shadow for *_to_virt(), then why >>> do we need to store anything in the page flags at all? Andrey? >> >> As per 2813b9c0 ("kasan, mm, arm64: tag non slab memory allocated via >> pagealloc") we should only save a non-0xff tag in page flags for non >> slab pages. > > Thanks, that makes sense. Hopefully the patch from Andrey R will solve > both of the reported splats, since I'd not realised they were both on the > kfree() path. > >> Could you share your .config so I can reproduce this? > > This is in the iopgtable code, so it's probably pretty tricky to trigger > at runtime unless you have the write IOMMU hardware, unfortunately. If simply freeing any entry from the l2_tables cache is sufficient, then the short-descriptor selftest should do the job, and that ought to run on anything (modulo insane RAM layouts). Robin.