On Mon, Apr 5, 2021 at 6:46 PM <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>
> The patch titled
> Subject: kasan: fix kasan_byte_accessible() to be consistent with actual checks
> has been added to the -mm tree. Its filename is
> kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks.patch
>
> This patch should soon appear at
> https://ozlabs.org/~akpm/mmots/broken-out/kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks.patch
> and later at
> https://ozlabs.org/~akpm/mmotm/broken-out/kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks.patch
>
> Before you just go and hit "reply", please:
> a) Consider who else should be cc'ed
> b) Prefer to cc a suitable mailing list as well
> c) Ideally: find the original patch on the mailing list and do a
> reply-to-all to that, adding suitable additional cc's
>
> *** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
>
> The -mm tree is included into linux-next and is updated
> there every 3-4 working days

Hi Andrew,

Thanks for picking up this patch. It looks like you added it after the
"kasan: initialize shadow to TAG_INVALID for SW_TAGS" patch in your
series, but I think it would make more sense for it to appear before
that one, i.e. apply something like this patch to
https://www.ozlabs.org/~akpm/mmotm/series :

--- series.old	2021-04-15 11:07:39.998177270 -0700
+++ series	2021-04-15 11:08:15.765868715 -0700
@@ -565,6 +565,7 @@
 #mm/kasan
 mm-kasan-switch-from-strlcpy-to-strscpy.patch
 #
+kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks.patch
 kasan-initialize-shadow-to-tag_invalid-for-sw_tags.patch
 mm-kasan-dont-poison-boot-memory-with-tag-based-modes.patch
 #
@@ -594,7 +595,6 @@
 #
 irq_work-record-irq_work_queue-call-stack.patch
 #
-kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks.patch
 #
 #mm/initialization
 mm-move-mem_init_print_info-into-mm_init.patch

>
> ------------------------------------------------------
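Review bot: the reorder of the series file is worth justifying in one line when it is applied, because the quoted commit message is what explains it: kasan-initialize-shadow-to-tag_invalid-for-sw_tags.patch is the change that makes KASAN_SHADOW_INIT equal KASAN_TAG_INVALID, so with the current order there is a window where that patch is in and kasan_byte_accessible() still carries the KASAN_TAG_INVALID comparison that fails on KFENCE memory reached through ksize()/krealloc(). Moving the fix ahead of it (the +/- pair in the two hunks above) closes that bisection window; nothing else in the series moves.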
> From: Peter Collingbourne <pcc@xxxxxxxxxx>
> Subject: kasan: fix kasan_byte_accessible() to be consistent with actual checks
>
> We can sometimes end up with kasan_byte_accessible() being called on
> non-slab memory. For example ksize() and krealloc() may end up calling it
> on KFENCE allocated memory. In this case the memory will be tagged with
> KASAN_SHADOW_INIT, which a subsequent patch ("kasan: initialize shadow to
> TAG_INVALID for SW_TAGS") will set to the same value as KASAN_TAG_INVALID,
> causing kasan_byte_accessible() to fail when called on non-slab memory.
>
> This highlighted the fact that the check in kasan_byte_accessible() was
> inconsistent with checks as implemented for loads and stores
> (kasan_check_range() in SW tags mode and hardware-implemented checks in HW
> tags mode). kasan_check_range() does not have a check for
> KASAN_TAG_INVALID, and instead has a comparison against
> KASAN_SHADOW_START. In HW tags mode, we do not have either, but we do set
> TCR_EL1.TCMA which corresponds with the comparison against
> KASAN_TAG_KERNEL.
>
> Therefore, update kasan_byte_accessible() for both SW and HW tags modes to
> correspond with the respective checks on loads and stores.
>
> Link: https://linux-review.googlesource.com/id/Ic6d40803c57dcc6331bd97fbb9a60b0d38a65a36
> Link: https://lkml.kernel.org/r/20210405220647.1965262-1-pcc@xxxxxxxxxx
> Signed-off-by: Peter Collingbourne <pcc@xxxxxxxxxx>
> Reviewed-by: Andrey Konovalov <andreyknvl@xxxxxxxxx>
> Reviewed-by: Marco Elver <elver@xxxxxxxxxx>
> Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Cc: Alexander Potapenko <glider@xxxxxxxxxx>
> Cc: Peter Collingbourne <pcc@xxxxxxxxxx>
> Cc: Evgenii Stepanov <eugenis@xxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> ---
>
> mm/kasan/kasan.h | 3 +--
> mm/kasan/sw_tags.c | 10 +++++++---
> 2 files changed, 8 insertions(+), 5 deletions(-)
> > --- a/mm/kasan/kasan.h~kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks > +++ a/mm/kasan/kasan.h > @@ -369,8 +369,7 @@ static inline bool kasan_byte_accessible > u8 ptr_tag = get_tag(addr); > u8 mem_tag = hw_get_mem_tag((void *)addr); > > - return (mem_tag != KASAN_TAG_INVALID) && > - (ptr_tag == KASAN_TAG_KERNEL || ptr_tag == mem_tag); > + return ptr_tag == KASAN_TAG_KERNEL || ptr_tag == mem_tag; > } > > #else /* CONFIG_KASAN_HW_TAGS */ > --- a/mm/kasan/sw_tags.c~kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks > +++ a/mm/kasan/sw_tags.c > @@ -121,10 +121,14 @@ bool kasan_check_range(unsigned long add > bool kasan_byte_accessible(const void *addr) > { > u8 tag = get_tag(addr); > - u8 shadow_byte = READ_ONCE(*(u8 *)kasan_mem_to_shadow(kasan_reset_tag(addr))); > + void *untagged_addr = kasan_reset_tag(addr); > + u8 shadow_byte; > > - return (shadow_byte != KASAN_TAG_INVALID) && > - (tag == KASAN_TAG_KERNEL || tag == shadow_byte); > + if (untagged_addr < kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) > + return false; > + > + shadow_byte = READ_ONCE(*(u8 *)kasan_mem_to_shadow(untagged_addr)); > + return tag == KASAN_TAG_KERNEL || tag == shadow_byte; > } > > #define DEFINE_HWASAN_LOAD_STORE(size) \ > _ > > Patches currently in -mm which might be from pcc@xxxxxxxxxx are > > kasan-fix-kasan_byte_accessible-to-be-consistent-with-actual-checks.patch >
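Review bot: in the mm/kasan/kasan.h hunk the `mem_tag != KASAN_TAG_INVALID` term is dropped with no comment, and the only justification lives in the commit message (the hardware check has no such test, and TCR_EL1.TCMA is what lets KASAN_TAG_KERNEL pointers through). A one-line comment above the new `return ptr_tag == KASAN_TAG_KERNEL || ptr_tag == mem_tag;`, stating that the KASAN_TAG_INVALID test is deliberately absent to mirror the MTE check, would stop a later reader from re-adding it when they notice KASAN_TAG_INVALID memory being reported as accessible.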
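Review bot: in the mm/kasan/sw_tags.c hunk the new early return `if (untagged_addr < kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) return false;` is meant to mirror kasan_check_range() per the commit message, but nothing in the code ties the two together; a comment naming kasan_check_range() next to the comparison would keep them from drifting apart again, which is the exact failure this patch is fixing. Moving the `READ_ONCE()` of the shadow byte below the range check is the right order: the removed line dereferenced the shadow for any address before deciding anything.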