diff mbox series

[mm] kasan: reset page tags properly with sampling

Message ID 24ea20c1b19c2b4b56cf9f5b354915f8dbccfc77.1674592496.git.andreyknvl@google.com (mailing list archive)
State New
Headers show
Series [mm] kasan: reset page tags properly with sampling | expand

Commit Message

andrey.konovalov@linux.dev Jan. 24, 2023, 8:35 p.m. UTC 
From: Andrey Konovalov <andreyknvl@google.com>

The implementation of page_alloc poisoning sampling assumed that
tag_clear_highpage resets page tags for __GFP_ZEROTAGS allocations.
However, this is no longer the case since commit 70c248aca9e7
("mm: kasan: Skip unpoisoning of user pages").

This leads to kernel crashes when MTE-enabled userspace mappings are
used with Hardware Tag-Based KASAN enabled.

Reset page tags for __GFP_ZEROTAGS allocations in post_alloc_hook().

Also clarify and fix related comments.

Reported-by: Peter Collingbourne <pcc@google.com>
Tested-by: Peter Collingbourne <pcc@google.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/page_alloc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Comments

Andrew Morton Jan. 24, 2023, 8:45 p.m. UTC | #1 
On Tue, 24 Jan 2023 21:35:26 +0100 andrey.konovalov@linux.dev wrote:

> The implementation of page_alloc poisoning sampling assumed that
> tag_clear_highpage resets page tags for __GFP_ZEROTAGS allocations.
> However, this is no longer the case since commit 70c248aca9e7
> ("mm: kasan: Skip unpoisoning of user pages").
> 
> This leads to kernel crashes when MTE-enabled userspace mappings are
> used with Hardware Tag-Based KASAN enabled.
> 
> Reset page tags for __GFP_ZEROTAGS allocations in post_alloc_hook().
> 
> Also clarify and fix related comments.

I assume this is a fix against 44383cef54c0 ("kasan: allow sampling
page_alloc allocations for HW_TAGS") which is presently in mm-stable,
yes?
Andrey Konovalov Jan. 24, 2023, 8:46 p.m. UTC | #2 
On Tue, Jan 24, 2023 at 9:45 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Tue, 24 Jan 2023 21:35:26 +0100 andrey.konovalov@linux.dev wrote:
>
> > The implementation of page_alloc poisoning sampling assumed that
> > tag_clear_highpage resets page tags for __GFP_ZEROTAGS allocations.
> > However, this is no longer the case since commit 70c248aca9e7
> > ("mm: kasan: Skip unpoisoning of user pages").
> >
> > This leads to kernel crashes when MTE-enabled userspace mappings are
> > used with Hardware Tag-Based KASAN enabled.
> >
> > Reset page tags for __GFP_ZEROTAGS allocations in post_alloc_hook().
> >
> > Also clarify and fix related comments.
>
> I assume this is a fix against 44383cef54c0 ("kasan: allow sampling
> page_alloc allocations for HW_TAGS") which is presently in mm-stable,
> yes?

Correct. I assumed I shouldn't include a Fixes tag, as the patch is
not in the mainline.
Andrew Morton Jan. 24, 2023, 9:11 p.m. UTC | #3 
On Tue, 24 Jan 2023 21:46:51 +0100 Andrey Konovalov <andreyknvl@gmail.com> wrote:

> On Tue, Jan 24, 2023 at 9:45 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > On Tue, 24 Jan 2023 21:35:26 +0100 andrey.konovalov@linux.dev wrote:
> >
> > > The implementation of page_alloc poisoning sampling assumed that
> > > tag_clear_highpage resets page tags for __GFP_ZEROTAGS allocations.
> > > However, this is no longer the case since commit 70c248aca9e7
> > > ("mm: kasan: Skip unpoisoning of user pages").
> > >
> > > This leads to kernel crashes when MTE-enabled userspace mappings are
> > > used with Hardware Tag-Based KASAN enabled.
> > >
> > > Reset page tags for __GFP_ZEROTAGS allocations in post_alloc_hook().
> > >
> > > Also clarify and fix related comments.
> >
> > I assume this is a fix against 44383cef54c0 ("kasan: allow sampling
> > page_alloc allocations for HW_TAGS") which is presently in mm-stable,
> > yes?
> 
> Correct. I assumed I shouldn't include a Fixes tag, as the patch is
> not in the mainline.

I think it's best to add the Fixes: if it's known.  If the patch was in
mm-unstable then I'd just fold the fix into the base patch, but a
Fixes: is still helpful because it tells people (especially me) which
patch needs the fix.

If the patch is in mm-stable then the SHA is stable and the Fixes: is
desirable for people who are backporting the base patch into earlier
kernels - hopefully when doing this they know to search the tree for
other patches which fix the patch which they are backporting.
diff mbox series

Patch

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 5514d84cc712..370d4f2c0276 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2471,7 +2471,7 @@  inline void post_alloc_hook(struct page *page, unsigned int order,
 	bool init = !want_init_on_free() && want_init_on_alloc(gfp_flags) &&
 			!should_skip_init(gfp_flags);
 	bool zero_tags = init && (gfp_flags & __GFP_ZEROTAGS);
-	bool reset_tags = !zero_tags;
+	bool reset_tags = true;
 	int i;
 
 	set_page_private(page, 0);
@@ -2498,7 +2498,7 @@  inline void post_alloc_hook(struct page *page, unsigned int order,
 	 * (which happens only when memory should be initialized as well).
 	 */
 	if (zero_tags) {
-		/* Initialize both memory and tags. */
+		/* Initialize both memory and memory tags. */
 		for (i = 0; i != 1 << order; ++i)
 			tag_clear_highpage(page + i);
 
@@ -2516,14 +2516,14 @@  inline void post_alloc_hook(struct page *page, unsigned int order,
 		} else {
 			/*
 			 * KASAN decided to exclude this allocation from being
-			 * poisoned due to sampling. Skip poisoning as well.
+			 * unpoisoned due to sampling. Skip poisoning as well.
 			 */
 			SetPageSkipKASanPoison(page);
 		}
 	}
 	/*
-	 * If memory tags have not been set, reset the page tags to ensure
-	 * page_address() dereferencing does not fault.
+	 * If memory tags have not been set by KASAN, reset the page tags to
+	 * ensure page_address() dereferencing does not fault.
 	 */
 	if (reset_tags) {
 		for (i = 0; i != 1 << order; ++i)