There is litte we can do in software if a DMA master decides to corrupt
memory that is owned by the CPU. What we could do, however, is to ensure
that code doesn't access memory while not owned by the CPU.
This is done by recording ownership information into the KASAN shadow memory.
That way accessing a device mapped buffer before sync'ing it to the CPU is
detected like KASAN would detect a use-after-free. Below is the output
after adding a (void)readl(packet) into the network device send routing just
after mapping it to the device:
BUG: KASAN: dma-mapped-to-device in eqos_send+0xdc/0x1a8
Read of size 4 at addr 0000000040419f00
Call trace:
[<7fbd4980>] (unwind_backtrace+0x0/0xb0) from [<7fbd4a40>] (dump_stack+0x10/0x18)
[<7fbd4a40>] (dump_stack+0x10/0x18) from [<7fba2360>] (kasan_report+0x11c/0x290)
[<7fba2360>] (kasan_report+0x11c/0x290) from [<7fba1f44>] (__asan_load4+0x54/0xb8)
[<7fba1f44>] (__asan_load4+0x54/0xb8) from [<7fb2e52c>] (eqos_send+0xdc/0x1a8)
[<7fb2e52c>] (eqos_send+0xdc/0x1a8) from [<7fbb6544>] (eth_send+0x154/0x16c)
[<7fbb6544>] (eth_send+0x154/0x16c) from [<7fbb7114>] (net_ip_send+0xe8/0xf8)
[<7fbb7114>] (net_ip_send+0xe8/0xf8) from [<7fbb7d10>] (net_udp_send+0x68/0x78)
[<7fbb7d10>] (net_udp_send+0x68/0x78) from [<7fbb9b50>] (bootp_request+0x174/0x188)
[<7fbb9b50>] (bootp_request+0x174/0x188) from [<7fbb9ce8>] (dhcp_request+0x184/0x274)
[<7fbb9ce8>] (dhcp_request+0x184/0x274) from [<7fbb9fd0>] (dhcp+0x34/0x80)
[<7fbb9fd0>] (dhcp+0x34/0x80) from [<7fb9df64>] (do_dhcp+0x1cc/0x1d0)
[<7fb9df64>] (do_dhcp+0x1cc/0x1d0) from [<7fb097d8>] (execute_command+0x54/0xa8)
[<7fb097d8>] (execute_command+0x54/0xa8) from [<7fb0584c>] (execute_binfmt+0x80/0xc0)
[<7fb0584c>] (execute_binfmt+0x80/0xc0) from [<7fb1522c>] (run_list_real+0xc2c/0xcdc)
[<7fb1522c>] (run_list_real+0xc2c/0xcdc) from [<7fb1441c>] (parse_stream_outer+0x154/0x220)
[<7fb1441c>] (parse_stream_outer+0x154/0x220) from [<7fb15554>] (run_shell+0x64/0xac)
[<7fb15554>] (run_shell+0x64/0xac) from [<7fb01fa4>] (run_init+0x100/0x26c)
[<7fb01fa4>] (run_init+0x100/0x26c) from [<7fb0217c>] (start_barebox+0x6c/0xd0)
[<7fb0217c>] (start_barebox+0x6c/0xd0) from [<7fbd2864>] (psci_driver_register+0x0/0x1c)
[<7fbd2864>] (psci_driver_register+0x0/0x1c) from [<7fb0000c>] (__bare_init_start+0x0/0x14)
[<7fb0000c>] (__bare_init_start+0x0/0x14) from [<00a01ae0>] (0xa01ae0)
[<00a01ae0>] (0xa01ae0) from [<00a01360>] (0xa01360)
Memory state around the buggy address:
0000000040419e00: 00 00 00 00 00 00 00 00 02 fc ff ff ff ff fc 00
0000000040419e80: 00 00 00 fc 00 00 00 00 04 fc ff ff ff ff fc fc
>0000000040419f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
0000000040419f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
000000004041a000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 00 00 00 00 00
==================================================================
Cheers,
Ahmad Fatoum (4):
Revert "dma: debug: detect repeated DMA sync"
KASan: implement non-warning kasan_is_poisoned_shadow
dma: debug: poison DMA buffers with KASAN while owned by device
dma: debug: detect repeated DMA sync using KASAN
drivers/dma/debug.c | 74 ++++++++++++++++++++++++++++++++------
include/linux/kasan.h | 4 ++-
lib/kasan/generic.c | 37 +++++++++++++++++++
lib/kasan/generic_report.c | 4 +--
4 files changed, 106 insertions(+), 13 deletions(-)
--
2.39.2
