Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp7013193pxv; Fri, 30 Jul 2021 08:02:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwLJFTJYGMBRtVetcbdy0YpZKNgOVn1EiMk9bICJmZV+VrzJc6tGLudyIesWG1bjXKnzw7I X-Received: by 2002:a17:906:34cc:: with SMTP id h12mr2958750ejb.25.1627657337734; Fri, 30 Jul 2021 08:02:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627657337; cv=none; d=google.com; s=arc-20160816; b=IKby69w3cC8VTO9EJWFE31+oTJ/FVrr90wwUwiLvEhPQkFbb2yzbRmzZlKen7jVcpj 75HHaYvbQw3Oy5XYEh+GXOlc2HzJX/LP1OYecp+iEnwlTjb0jlFTk8A94Unnf+Yen1ur niYQAJvBr3TRERGWLbznk2+Mn+80blg+I5Y+uZb3Izr5yRsR1VDyRST5PYO9IMrD4Nnj n7m6tDhRsGkssxiT01HtZbTWEdLkW92eXRilIMY64Z2kEHgtfvLIIBj/GFWU+RzdNg4X ORRCXAamhdGGygL4koNqsIev4tG5mzEux8qEL/wttfDtyuR0L25ZXtZcYB9kJK239VDo RZww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=/FskvzB/Uu7kITCTpEs9Kzb0h3ZTsKYWrhXodwFjiIk=; b=oz0xJoG6zTfR4wJc24d/QBD4CPIuol02iOUSxjV6flXS7x5dq78gThsquMrQVP/nic Mxy3tfPYyVscAqqR7h0VI4bCyif9yi9FpW+G/Y9W/qO9NqNX11PEultkI17OFx4zYShN pKFvdGdiC3W79Pfm9R75trE8I4zPTN/gMi3YJlfIgl4X91POW450e5NRfCLVo6YyystA dMdApiPGnyfLnC3HHopxCasYpAp5Geubr7q5uyQxrIl/fgB40xFuiYYG1op1/8vVSbQK Ame+NBLzmNm9i+FBbUvCUhpcVmuwZd0SEPIVGmPlnf7CEZnmB+vyfvnv8g4ugrKEEm7y +5Jw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qdwGk32T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bz23si1742320ejc.155.2021.07.30.08.01.54; Fri, 30 Jul 2021 08:02:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qdwGk32T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239609AbhG3O67 (ORCPT + 99 others); Fri, 30 Jul 2021 10:58:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48760 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239558AbhG3O6W (ORCPT ); Fri, 30 Jul 2021 10:58:22 -0400 Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C4687C0617BF for ; Fri, 30 Jul 2021 07:57:32 -0700 (PDT) Received: by mail-ed1-x532.google.com with SMTP id y7so11340749eda.5 for ; Fri, 30 Jul 2021 07:57:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/FskvzB/Uu7kITCTpEs9Kzb0h3ZTsKYWrhXodwFjiIk=; b=qdwGk32T8LIniVGMFzFAJe6RX68qQNMkrxYLkZOSF0T3vabQA/oH99TgvDLAWpUnVw EMBEBrTyyu0bszCCLjMP+rMRob7mlE+AovtCZo27qSMkPTfe3g4yfg3QDpcCqjJ89AuG 5iZit8yuHeSIYaG0jTc9sVQLYXBZw3Oj72RnERwCr0dEmHLBHAXxmyrR6JdjEoMnNvM2 oy8pFEKMaJ0In9p6GeDe3RQvqg0ySFCkiFuMb0Me2Voz97GzdR0EOgdUS19VKNUiQBYH 8vYVD3AOWJfaGfatwjNQbmUH4uofJCPG5u97wjWpuM3UV+70caNlBUULFH5JOjXfwi1q iRbw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/FskvzB/Uu7kITCTpEs9Kzb0h3ZTsKYWrhXodwFjiIk=; b=TXuR8BHwgPaK2NfTtZ4Ja4/V3GSF2MSJRvCcpjp6wSO67KBpCWIR1Y6Tz9hHR8Oe05 S/nOWMb/mekFxwOcI4gJoJA0AxRd/rhaE61FUHWTaIw6nvUYPNnOrZUde/840dVEYobX S4XUjsf6JDbmbaoZzDTtg1v+Aszj09w28kWhJ5nB9si3sgaQPQmo76c2cPM1mxqk/Mz9 jWugPl1bH4sFNnhqEwHxXEp/QIToxafXFfEB691n9iPWr0N0UYA/Ak8JFZ6xeQ4wNzNk sKzRnAnprM8PqkORxSHKmuaxtmjZ8ORwlz24NoVOWSAcVmFONM+BH/y100VyzqJ6G7Ot 9rXg== X-Gm-Message-State: AOAM531Pd9+D8lxUYVU+7F2qUgo5C+KQ397pBY28hJDxOwCCVNWhO9HH dgFOCLAu6ss5QKeikWmpJ97dhGCZI0SOa4OjvBFVS7hd5BQ= X-Received: by 2002:a50:eb88:: with SMTP id y8mr3436558edr.70.1627657051382; Fri, 30 Jul 2021 07:57:31 -0700 (PDT) MIME-Version: 1.0 References: <20210727040021.21371-1-Kuan-Ying.Lee@mediatek.com> <20210727040021.21371-2-Kuan-Ying.Lee@mediatek.com> <20210727192217.GV13920@arm.com> In-Reply-To: <20210727192217.GV13920@arm.com> From: Andrey Konovalov Date: Fri, 30 Jul 2021 16:57:20 +0200 Message-ID: Subject: Re: [PATCH 1/2] kasan, mm: reset tag when access metadata To: Catalin Marinas , Kuan-Ying Lee Cc: Marco Elver , Nicholas Tang , Andrew Yang , Andrey Ryabinin , Alexander Potapenko , Chinwen Chang , Andrew Morton , kasan-dev , Linux Memory Management List , LKML , Linux ARM , "moderated list:ARM/Mediatek SoC support" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 27, 2021 at 9:22 PM Catalin Marinas wrote: > > On Tue, Jul 27, 2021 at 04:32:02PM +0800, Kuan-Ying Lee wrote: > > On Tue, 2021-07-27 at 09:10 +0200, Marco Elver wrote: > > > +Cc Catalin > > > > > > On Tue, 27 Jul 2021 at 06:00, Kuan-Ying Lee < > > > Kuan-Ying.Lee@mediatek.com> wrote: > > > > > > > > Hardware tag-based KASAN doesn't use compiler instrumentation, we > > > > can not use kasan_disable_current() to ignore tag check. > > > > > > > > Thus, we need to reset tags when accessing metadata. > > > > > > > > Signed-off-by: Kuan-Ying Lee > > > > > > This looks reasonable, but the patch title is not saying this is > > > kmemleak, nor does the description say what the problem is. What > > > problem did you encounter? Was it a false positive? > > > > kmemleak would scan kernel memory to check memory leak. > > When it scans on the invalid slab and dereference, the issue > > will occur like below. > > > > So I think we should reset the tag before scanning. > > > > # echo scan > /sys/kernel/debug/kmemleak > > [ 151.905804] > > ================================================================== > > [ 151.907120] BUG: KASAN: out-of-bounds in scan_block+0x58/0x170 > > [ 151.908773] Read at addr f7ff0000c0074eb0 by task kmemleak/138 > > [ 151.909656] Pointer tag: [f7], memory tag: [fe] > > It would be interesting to find out why the tag doesn't match. Kmemleak > should in principle only scan valid objects that have been allocated and > the pointer can be safely dereferenced. 0xfe is KASAN_TAG_INVALID, so it > either goes past the size of the object (into the red zone) or it still > accesses the object after it was marked as freed but before being > released from kmemleak. > > With slab, looking at __cache_free(), it calls kasan_slab_free() before > ___cache_free() -> kmemleak_free_recursive(), so the second scenario is > possible. With slub, however, slab_free_hook() first releases the object > from kmemleak before poisoning it. Based on the stack dump, you are > using slub, so it may be that kmemleak goes into the object red zones. > > I'd like this clarified before blindly resetting the tag. AFAIK, kmemleak scans the whole object including the leftover redzone for kmalloc-allocated objects. Looking at the report, there are 11 0xf7 granules, which amounts to 176 bytes, and the object is allocated from the kmalloc-256 cache. So when kmemleak accesses the last 256-176 bytes, it causes faults, as those are marked with KASAN_KMALLOC_REDZONE == KASAN_TAG_INVALID == 0xfe. Generally, resetting tags in kasan_disable/enable_current() section should be fine to suppress MTE faults, provided those sections had been added correctly in the first place.