Date: Thu, 11 Mar 2021 16:11:41 +0100
Message-Id: <1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com>
Subject: [PATCH] kasan: fix per-page tags for non-page_alloc pages
From: Andrey Konovalov
To: Andrew Morton
Cc: Catalin Marinas, Will Deacon, Vincenzo Frascino, Dmitry Vyukov, Andrey Ryabinin, Alexander Potapenko, Marco Elver, Peter Collingbourne, Evgenii Stepanov, Branislav Rankov, Kevin Brodsky, kasan-dev@googlegroups.com, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov, stable@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

To allow performing tag checks on page_alloc addresses obtained via
page_address(), tag-based KASAN modes store tags for page_alloc allocations
in page->flags.

Currently, the default tag value stored in page->flags is 0x00. Therefore,
page_address() returns a 0x00ffff... address for pages that were not
allocated via page_alloc. This might cause problems.

A particular case we encountered is a conflict with KFENCE. If a
KFENCE-allocated slab object is being freed via
kfree(page_address(page) + offset), the address passed to kfree() will get
tagged with 0x00 (as slab pages keep the default per-page tags). This leads
to the is_kfence_address() check failing, and a KFENCE object ending up in
the normal slab freelist, which causes memory corruptions.

This patch changes the way KASAN stores tags in page flags: they are now
stored xor'ed with 0xff. This way, KASAN doesn't need to initialize
per-page flags for every created page, which might be slow.

With this change, page_address() returns natively-tagged (with 0xff)
pointers for pages that didn't have tags set explicitly.

This patch fixes the encountered conflict with KFENCE and prevents more
similar issues that can occur in the future.

Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Konovalov
---
 include/linux/mm.h | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/include/linux/mm.h b/include/linux/mm.h index 77e64e3eac80..c45c28f094a7 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1440,16 +1440,28 @@ static inline bool cpupid_match_pid(struct task_struct *task, int cpupid) #if defined(CONFIG_KASAN_SW_TAGS) || defined(CONFIG_KASAN_HW_TAGS) +/* + * KASAN per-page tags are stored xor'ed with 0xff. This allows to avoid + * setting tags for all pages to native kernel tag value 0xff, as the default + * value 0x00 maps to 0xff. + */ + static inline u8 page_kasan_tag(const struct page *page) { - if (kasan_enabled()) - return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; - return 0xff; + u8 tag = 0xff; + + if (kasan_enabled()) { + tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; + tag ^= 0xff; + } + + return tag; } static inline void page_kasan_tag_set(struct page *page, u8 tag) { if (kasan_enabled()) { + tag ^= 0xff; page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT); page->flags |= (tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT; } -- 2.31.0.rc2.261.g7f71774620-goog
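Review bot: the two helpers apply the xor on different sides of the mask. In the new page_kasan_tag() the value is first masked with KASAN_TAG_MASK and then xor'ed with 0xff, while page_kasan_tag_set() xors first and masks afterwards; the getter only yields a valid tag because KASAN_TAG_MASK happens to cover the whole byte, so for symmetry and robustness against a narrower mask consider `tag = ((page->flags >> KASAN_TAG_PGSHIFT) ^ 0xff) & KASAN_TAG_MASK;`. The new comment block should also spell out the invariant the encoding relies on, namely that the KASAN_TAG_PGSHIFT bits of page->flags are only ever read or written through page_kasan_tag() and page_kasan_tag_set(), since anything that touches those bits directly now sees or stores the inverted tag (a caller that used to write a raw 0xff to mark a page untagged would now have to write 0x00). While there, "This allows to avoid setting tags" reads better as "This avoids having to set tags", and the blank line between the closing `*/` and `static inline u8 page_kasan_tag` detaches the comment from the function it documents.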
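The mechanism the commit message describes, as an added userspace C example that is not the kernel's code or the patch author's: a toy `struct page`, the getter/setter pair with the tag stored either verbatim (pre-patch) or xor'ed with 0xff (patched), a toy `page_address()` that stamps the page's tag into the top byte of the address, and a range check shaped like `is_kfence_address()`. The example goes one step beyond the message by showing the pointer arithmetic that makes a 0x00-tagged address fail a range check against a 0xff-tagged pool. Assumptions, all constructed here: the tag occupies bits 63:56 of both the flags word and the pointer, the linear map lives at a native-tagged 0xffff... address, the KFENCE pool base and size, and no `kasan_enabled()` gating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the kernel's definitions (assumptions, not mm.h): an
 * 8-bit tag held in the top byte of a 64-bit flags word, 64-bit addresses
 * modelled as uint64_t with the tag in bits 63:56 (arm64 top-byte style). */
#define KASAN_TAG_WIDTH   8
#define KASAN_TAG_MASK    ((uint64_t)0xff)
#define KASAN_TAG_PGSHIFT 56
#define PAGE_SHIFT        12

struct page {
	uint64_t flags;		/* toy: tag field plus a few unrelated low bits */
};

/* page_kasan_tag()/page_kasan_tag_set() with the encoding selectable:
 * xor_encoded == false is the pre-patch behaviour (tag stored verbatim),
 * xor_encoded == true is the patched behaviour (tag stored ^ 0xff). */
static uint8_t page_kasan_tag(const struct page *page, bool xor_encoded)
{
	uint8_t tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
	return xor_encoded ? (uint8_t)(tag ^ 0xff) : tag;
}

static void page_kasan_tag_set(struct page *page, uint8_t tag, bool xor_encoded)
{
	if (xor_encoded)
		tag ^= 0xff;
	page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT);
	page->flags |= ((uint64_t)tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT;
}

/* Tag decoded from a page whose flags KASAN never touched (flags == 0). */
static uint8_t default_page_tag(bool xor_encoded)
{
	struct page page = { .flags = 0 };
	return page_kasan_tag(&page, xor_encoded);
}

/* Setting then reading a tag must give it back and leave other flag bits alone. */
static bool tag_roundtrip_ok(uint8_t tag, bool xor_encoded)
{
	struct page page = { .flags = 0x5 };	/* bits 0 and 2 stand for other page flags */
	page_kasan_tag_set(&page, tag, xor_encoded);
	return page_kasan_tag(&page, xor_encoded) == tag && (page.flags & 0xff) == 0x5;
}

/* Top-byte pointer tagging: replace bits 63:56 of addr with tag. */
static uint64_t set_tag(uint64_t addr, uint8_t tag)
{
	return (addr & ~((uint64_t)0xff << 56)) | ((uint64_t)tag << 56);
}

/* Toy page_address(): the page's linear-map address stamped with the page's
 * per-page tag, which is what the arm64 page_to_virt() path does under
 * tag-based KASAN. untagged_va is supplied by the caller (constructed). */
static uint64_t page_address(const struct page *page, uint64_t untagged_va, bool xor_encoded)
{
	return set_tag(untagged_va, page_kasan_tag(page, xor_encoded));
}

/* Constructed KFENCE pool inside a native-tagged (0xff...) linear map and a
 * range check shaped like is_kfence_address(): the subtraction is unsigned,
 * so a pointer whose top byte differs from the pool's wraps to a huge
 * distance and is rejected. */
#define KFENCE_POOL_BASE  ((uint64_t)0xffff000000100000ULL)
#define KFENCE_POOL_SIZE  ((uint64_t)2 << 20)

static bool is_kfence_address(uint64_t addr)
{
	return addr - KFENCE_POOL_BASE < KFENCE_POOL_SIZE;
}

/* The scenario from the commit message: a slab page inside the KFENCE pool
 * whose per-page tag was never set, freed via kfree(page_address(page) + off). */
static bool kfence_object_recognised(bool xor_encoded)
{
	struct page page = { .flags = 0 };
	uint64_t page_va = KFENCE_POOL_BASE + ((uint64_t)1 << PAGE_SHIFT);
	uint64_t obj = page_address(&page, page_va, xor_encoded) + 0x40;
	return is_kfence_address(obj);
}

int main(void)
{
	for (int enc = 0; enc < 2; enc++) {
		bool xor_encoded = enc;
		printf("%-18s default tag 0x%02x, kfence object %s\n",
		       xor_encoded ? "xor'ed (patched):" : "verbatim (old):",
		       default_page_tag(xor_encoded),
		       kfence_object_recognised(xor_encoded) ? "recognised" : "NOT recognised");
	}
	return 0;
}
```

With the verbatim encoding the untouched page decodes to tag 0x00, `page_address()` hands back 0x0000000000101000-style pointer, and `addr - KFENCE_POOL_BASE` wraps past the pool size; with the xor'ed encoding the same zero flags word decodes to 0xff, the pointer keeps the linear map's top byte, and the check passes. The round-trip helper also shows why the setter clears only the tag field: the rest of `page->flags` carries unrelated page state that must survive.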