From patchwork Mon Jan 7 22:36:36 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Qian Cai
X-Patchwork-Id: 10751269
From: Qian Cai
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qian Cai
Subject: [PATCH] page_poison: plays nicely with KASAN
Date: Mon, 7 Jan 2019 17:36:36 -0500
Message-Id: <20190107223636.80593-1-cai@lca.pw>
X-Mailer: git-send-email 2.17.2 (Apple Git-113)

KASAN does not play well with the page poisoning
(CONFIG_PAGE_POISONING). It triggers false positives in the allocation
path,

BUG: KASAN: use-after-free in memchr_inv+0x2ea/0x330
Read of size 8 at addr ffff88881f800000 by task swapper/0

CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc1+ #54
Call Trace:
 dump_stack+0xe0/0x19a
 print_address_description.cold.2+0x9/0x28b
 kasan_report.cold.3+0x7a/0xb5
 __asan_report_load8_noabort+0x19/0x20
 memchr_inv+0x2ea/0x330
 kernel_poison_pages+0x103/0x3d5
 get_page_from_freelist+0x15e7/0x4d90

because KASAN has not yet unpoisoned the shadow page for allocation
before it checks memchr_inv() but only found a stale poison pattern.

Also, false positives in free path,

BUG: KASAN: slab-out-of-bounds in kernel_poison_pages+0x29e/0x3d5
Write of size 4096 at addr ffff8888112cc000 by task swapper/0/1

CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1+ #55
Call Trace:
 dump_stack+0xe0/0x19a
 print_address_description.cold.2+0x9/0x28b
 kasan_report.cold.3+0x7a/0xb5
 check_memory_region+0x22d/0x250
 memset+0x28/0x40
 kernel_poison_pages+0x29e/0x3d5
 __free_pages_ok+0x75f/0x13e0

because KASAN adds poisoned redzones around slab objects, but the page
poisoning needs to poison the whole page, so simply unpoison the shadow
page before running the page poison's memset.

Signed-off-by: Qian Cai --- mm/page_alloc.c | 2 +- mm/page_poison.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index d295c9bc01a8..906250a9b89c 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -1945,8 +1945,8 @@ inline void post_alloc_hook(struct page *page, unsigned int order, arch_alloc_page(page, order); kernel_map_pages(page, 1 << order, 1); - kernel_poison_pages(page, 1 << order, 1); kasan_alloc_pages(page, order); + kernel_poison_pages(page, 1 << order, 1); set_page_owner(page, order, gfp_flags); } diff --git a/mm/page_poison.c b/mm/page_poison.c index f0c15e9017c0..e546b70e592a 100644 --- a/mm/page_poison.c +++ b/mm/page_poison.c @@ -6,6 +6,7 @@ #include #include #include +#include static bool want_page_poisoning __read_mostly; @@ -40,6 +41,7 @@ static void poison_page(struct page *page) { void *addr = kmap_atomic(page); + kasan_unpoison_shadow(addr, PAGE_SIZE); memset(addr, PAGE_POISON, PAGE_SIZE); kunmap_atomic(addr); }
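
Review bot: In post_alloc_hook() (mm/page_alloc.c) the new order, kasan_alloc_pages() before kernel_poison_pages(page, 1 << order, 1), is a hard dependency that nothing in the code records. A short comment above the two calls, saying that the poison check reads the page contents and therefore must run only after KASAN has unpoisoned the page's shadow, would keep a later cleanup from swapping them back and reintroducing the memchr_inv() report quoted in the commit message.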
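
Review bot: In poison_page() (mm/page_poison.c) the added kasan_unpoison_shadow(addr, PAGE_SIZE) marks the whole page accessible, and nothing in this hunk marks it inaccessible again after the memset(). On the free path that is only safe if the shadow is poisoned again after kernel_poison_pages() returns; otherwise the false positive is traded for a window in which real use-after-free accesses to the freed page go unreported. Please name in the commit message the later call that restores the poisoned shadow on free, and add a comment above the unpoison call explaining that it is needed because slab redzones on the page are still poisoned when the whole page is overwritten.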