| Message ID | 1404905415-9046-21-git-send-email-a.ryabinin@samsung.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, Jul 15, 2014 at 10:12 AM, Joonsoo Kim <iamjoonsoo.kim@lge.com> wrote: > On Wed, Jul 09, 2014 at 03:30:14PM +0400, Andrey Ryabinin wrote: >> We need to manually unpoison rounded up allocation size for dname >> to avoid kasan's reports in __d_lookup_rcu. >> __d_lookup_rcu may validly read a little beyound allocated size. > > If it read a little beyond allocated size, IMHO, it is better to > allocate correct size. > > kmalloc(name->len + 1, GFP_KERNEL); --> > kmalloc(roundup(name->len + 1, sizeof(unsigned long ), GFP_KERNEL); > > Isn't it? I absolutely agree! > Thanks. > >> >> Reported-by: Dmitry Vyukov <dvyukov@google.com> >> Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> >> --- >> fs/dcache.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/fs/dcache.c b/fs/dcache.c >> index b7e8b20..dff64f2 100644 >> --- a/fs/dcache.c >> +++ b/fs/dcache.c >> @@ -38,6 +38,7 @@ >> #include <linux/prefetch.h> >> #include <linux/ratelimit.h> >> #include <linux/list_lru.h> >> +#include <linux/kasan.h> >> #include "internal.h" >> #include "mount.h" >> >> @@ -1412,6 +1413,8 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) >> kmem_cache_free(dentry_cache, dentry); >> return NULL; >> } >> + unpoison_shadow(dname, >> + roundup(name->len + 1, sizeof(unsigned long))); >> } else { >> dname = dentry->d_iname; >> } >> -- >> 1.8.5.5 >> >> -- >> To unsubscribe, send a message with 'unsubscribe linux-mm' in >> the body to majordomo@kvack.org. For more info on Linux MM, >> see: http://www.linux-mm.org/ . >> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
On Wed, Jul 09, 2014 at 03:30:14PM +0400, Andrey Ryabinin wrote: > We need to manually unpoison rounded up allocation size for dname > to avoid kasan's reports in __d_lookup_rcu. > __d_lookup_rcu may validly read a little beyound allocated size. If it read a little beyond allocated size, IMHO, it is better to allocate correct size. kmalloc(name->len + 1, GFP_KERNEL); --> kmalloc(roundup(name->len + 1, sizeof(unsigned long ), GFP_KERNEL); Isn't it? Thanks. > > Reported-by: Dmitry Vyukov <dvyukov@google.com> > Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> > --- > fs/dcache.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/dcache.c b/fs/dcache.c > index b7e8b20..dff64f2 100644 > --- a/fs/dcache.c > +++ b/fs/dcache.c > @@ -38,6 +38,7 @@ > #include <linux/prefetch.h> > #include <linux/ratelimit.h> > #include <linux/list_lru.h> > +#include <linux/kasan.h> > #include "internal.h" > #include "mount.h" > > @@ -1412,6 +1413,8 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) > kmem_cache_free(dentry_cache, dentry); > return NULL; > } > + unpoison_shadow(dname, > + roundup(name->len + 1, sizeof(unsigned long))); > } else { > dname = dentry->d_iname; > } > -- > 1.8.5.5 > > -- > To unsubscribe, send a message with 'unsubscribe linux-mm' in > the body to majordomo@kvack.org. For more info on Linux MM, > see: http://www.linux-mm.org/ . > Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
On 07/15/14 10:12, Joonsoo Kim wrote: > On Wed, Jul 09, 2014 at 03:30:14PM +0400, Andrey Ryabinin wrote: >> We need to manually unpoison rounded up allocation size for dname >> to avoid kasan's reports in __d_lookup_rcu. >> __d_lookup_rcu may validly read a little beyound allocated size. > > If it read a little beyond allocated size, IMHO, it is better to > allocate correct size. > > kmalloc(name->len + 1, GFP_KERNEL); --> > kmalloc(roundup(name->len + 1, sizeof(unsigned long ), GFP_KERNEL); > > Isn't it? > It's not needed here because kmalloc always roundup allocation size. This out of bound access happens in dentry_string_cmp() if CONFIG_DCACHE_WORD_ACCESS=y. dentry_string_cmp() relays on fact that kmalloc always round up allocation size, in other words it's by design. That was discussed some time ago here - https://lkml.org/lkml/2013/10/3/493. Since filesystem's maintainer don't want to add needless round up here, I'm not going to do it. I think this patch needs only more detailed description why we not simply allocate more. Also I think it would be better to rename unpoisoin_shadow to something like kasan_mark_allocated(). > Thanks. > >> >> Reported-by: Dmitry Vyukov <dvyukov@google.com> >> Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> >> --- >> fs/dcache.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/fs/dcache.c b/fs/dcache.c >> index b7e8b20..dff64f2 100644 >> --- a/fs/dcache.c >> +++ b/fs/dcache.c >> @@ -38,6 +38,7 @@ >> #include <linux/prefetch.h> >> #include <linux/ratelimit.h> >> #include <linux/list_lru.h> >> +#include <linux/kasan.h> >> #include "internal.h" >> #include "mount.h" >> >> @@ -1412,6 +1413,8 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) >> kmem_cache_free(dentry_cache, dentry); >> return NULL; >> } >> + unpoison_shadow(dname, >> + roundup(name->len + 1, sizeof(unsigned long))); >> } else { >> dname = dentry->d_iname; >> } >> -- >> 1.8.5.5 >> >> -- >> To unsubscribe, send a message with 'unsubscribe linux-mm' in >> the body to majordomo@kvack.org. For more info on Linux MM, >> see: http://www.linux-mm.org/ . >> Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a> >
On Tue, Jul 15, 2014 at 1:34 PM, Andrey Ryabinin <a.ryabinin@samsung.com> wrote: > On 07/15/14 10:12, Joonsoo Kim wrote: >> On Wed, Jul 09, 2014 at 03:30:14PM +0400, Andrey Ryabinin wrote: >>> We need to manually unpoison rounded up allocation size for dname >>> to avoid kasan's reports in __d_lookup_rcu. >>> __d_lookup_rcu may validly read a little beyound allocated size. >> >> If it read a little beyond allocated size, IMHO, it is better to >> allocate correct size. >> >> kmalloc(name->len + 1, GFP_KERNEL); --> >> kmalloc(roundup(name->len + 1, sizeof(unsigned long ), GFP_KERNEL); >> >> Isn't it? >> > > It's not needed here because kmalloc always roundup allocation size. > > This out of bound access happens in dentry_string_cmp() if CONFIG_DCACHE_WORD_ACCESS=y. > dentry_string_cmp() relays on fact that kmalloc always round up allocation size, > in other words it's by design. > > That was discussed some time ago here - https://lkml.org/lkml/2013/10/3/493. > Since filesystem's maintainer don't want to add needless round up here, I'm not going to do it. > > I think this patch needs only more detailed description why we not simply allocate more. > Also I think it would be better to rename unpoisoin_shadow to something like kasan_mark_allocated(). Note that this poison/unpoison functionality can be used in other contexts. E.g. when you allocate a bunch of pages, then at some point poison a part of it to ensure that nobody touches it, then unpoison it back. Allocated/unallocated looks like a bad fit here, because it has nothing to do with allocation state. Poison/unpoison is also what we use in user-space.
diff --git a/fs/dcache.c b/fs/dcache.c index b7e8b20..dff64f2 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -38,6 +38,7 @@ #include <linux/prefetch.h> #include <linux/ratelimit.h> #include <linux/list_lru.h> +#include <linux/kasan.h> #include "internal.h" #include "mount.h" @@ -1412,6 +1413,8 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) kmem_cache_free(dentry_cache, dentry); return NULL; } + unpoison_shadow(dname, + roundup(name->len + 1, sizeof(unsigned long))); } else { dname = dentry->d_iname; }
We need to manually unpoison rounded up allocation size for dname to avoid kasan's reports in __d_lookup_rcu. __d_lookup_rcu may validly read a little beyound allocated size. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> --- fs/dcache.c | 3 +++ 1 file changed, 3 insertions(+)