Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp1339614rdb; Mon, 2 Oct 2023 06:50:03 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEJDeiEhXx7ka+hP8ty/RpQb2+s6CvZqy90sUErs+810S7hE88redy9lCJF+2DhGNVfVXCb X-Received: by 2002:a05:6a20:244e:b0:154:a9bc:12d0 with SMTP id t14-20020a056a20244e00b00154a9bc12d0mr13541763pzc.13.1696254603026; Mon, 02 Oct 2023 06:50:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696254603; cv=none; d=google.com; s=arc-20160816; b=YYR3PsfYJt1/ec/Y6xzkRcfuyksogao+KxTxfEpoYunH4sBH11Jq824kucJFIH+bNa hLQNbmlCHy7k+tQB2UqKRDvAD/KuEIjfOjUGrVIldn6zO3R9TIcWJBQ+fCk/YKRIGZmC QxjUi0124d6MRvZewvuCaLfQnEcri8aiWNm3yi4AWDOra2puNPqOnIMEF1AvmuZ1pOGD Wx6qCNhBaxBWGlW75MizZ0/QQUYbw1zX2acDflEz/jiqEYDVARQNrGLEkbmw0RA7zpMf gDMv1sWK7g0MGDHZku8IzJ1TeMvHF/fme+7bALnG7vAL3JxEY+TOjQ7iVrkgbILrvimu 9Dmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=P4gRfl3Fmzk3s49f0u/jtDzyfzLOxm3I0xzPgLtkDE4=; fh=g5s0bTG0tYpYaXxPDPuNiJP4OfWGinh8w8nBvD42VvM=; b=hrSlOi3BNMbFZQfc6E466G0jFqlSHuoDDt6kNVUUAb3w0ZZTEOLJLBAlQ9G0C9WX8E SPmuTAjGLmm1dCEa23oWbBbxlk5gbLW79GBS96SX8/oKOK4VgZ+PcqQKvpw7o7f/BchH dT0HhTqI1AxUZ1I4EBRDQvpr9uu742hbcz2AQ49NMUMnZ1zD9R3CQjJ2/VY6IpA06AgF Lsc7Hr63j/sYyb3kV8CSAL/7f4iwKQpfNLqArwiYBea8DC9091mtDCqrESaAl5+noOy0 s01fHJTuynWrCw4EOmC0MFc6BlXjQzxsoUjOoIgk82GIHc8P1KnXmKuApTunqeWCN3YC xtcg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id k18-20020aa788d2000000b00690d79b95f7si28045742pff.288.2023.10.02.06.50.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Oct 2023 06:50:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 8DE5780425A3; Mon, 2 Oct 2023 06:41:31 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237424AbjJBNlU (ORCPT + 99 others); Mon, 2 Oct 2023 09:41:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236712AbjJBNlT (ORCPT ); Mon, 2 Oct 2023 09:41:19 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B2620B4; Mon, 2 Oct 2023 06:41:15 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B437AC15; Mon, 2 Oct 2023 06:41:53 -0700 (PDT) Received: from FVFF77S0Q05N.cambridge.arm.com (FVFF77S0Q05N.cambridge.arm.com [10.1.28.139]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 279FA3F59C; Mon, 2 Oct 2023 06:41:13 -0700 (PDT) Date: Mon, 2 Oct 2023 14:41:05 +0100 From: Mark Rutland To: Alexandre Ghiti Cc: Edward AD , alex@ghiti.fr, aou@eecs.berkeley.edu, conor@kernel.org, gregkh@linuxfoundation.org, guoren@kernel.org, jirislaby@kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, linux-serial@vger.kernel.org, liushixin2@huawei.com, palmer@dabbelt.com, paul.walmsley@sifive.com, syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com Subject: Re: [PATCH] Test for riscv fixes Message-ID: References: <20230929230549.45206-2-twuufnxlz@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Mon, 02 Oct 2023 06:41:31 -0700 (PDT) On Mon, Oct 02, 2023 at 09:13:52AM +0200, Alexandre Ghiti wrote: > Hi Edward, > > On Sat, Sep 30, 2023 at 1:06 AM Edward AD wrote: > > > > Hi Alexandre, > > > > On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti wrote: > > > I'm still not convinced this will fix the kasan out-of-bounds > > > accesses, the page can be valid but the read can happen at an offset > > > not initialized and trigger such errors right? I still think there is > > > something weird about the stack frame, as to me this should not happen > > > (but admittedly I don't know much about that). > > The added check can confirm that the physical page is invalid (whether it is a > > vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid. > > Yes, but to me this is not what happens in the bug report you link: > > | BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2 > arch/riscv/kernel/stacktrace.c:59 > | Read of size 8 at addr ff20000006d37c38 by task swapper/1/0 > > So the read at address ff20000006d37c38 is not "normal" according to > KASAN (you can see there is no trap, meaning the physical mapping > exists). > > | The buggy address belongs to the virtual mapping at > | [ff20000006d30000, ff20000006d39000) created by: > | kernel_clone+0x118/0x896 kernel/fork.c:2909 > > The virtual address is legitimate since the vma exists ^ > > | The buggy address belongs to the physical page: > | page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000 > index:0x0 pfn:0x9436f > > And the physical page also exists ^ > > So I insist, checking that a physical mapping exists to exit the loop > is not enough, to me, the error here is that the backtrace goes "too > far" at an address where nothing was written before and then KASAN > complains about that, again, we don't take any page fault here so it's > not a problem of existing physical mapping. Yep! I believe what's happening here is one task unwinding another (starting from whatever gets saved in switch_to()), and there's nothing that prevents that other task from running concurrently and modifying/poisoning its stack. In general trying to unwind a remote stack is racy and broken, but we're stuck with a few bits of the kernel tryingto do that occasionally and so the arch code needs to handle that without blowing up. For KASAN specifically you'll need to access the stack with unchecked accesses (e.g. using READ_ONCE_NOCHECK() to read the struct stackframe), and you'll probably want to add some explicit checks that pointers are within stack bounds since concurrent modification (or corruption) could result in entirely bogus pointers. I *think* that we do the right thing on arm64, so you might want to take a look at arm64's unwinder in arch/arm64/kernel/stacktrace.c, arch/arm64/include/asm/stacktrace.h, and arch/arm64/include/asm/stacktrace/common.h. Mark.