From patchwork Thu Mar 11 15:11:41 2021
X-Patchwork-Submitter: Andrey Konovalov
X-Patchwork-Id: 12131705
Date: Thu, 11 Mar 2021 16:11:41 +0100
Message-Id: <1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com>
Subject: [PATCH] kasan: fix per-page tags for non-page_alloc pages
From: Andrey Konovalov
To: Andrew Morton
Cc: Catalin Marinas, Will Deacon, Vincenzo Frascino, Dmitry Vyukov, Andrey Ryabinin, Alexander Potapenko, Marco Elver, Peter Collingbourne, Evgenii Stepanov, Branislav Rankov, Kevin Brodsky, kasan-dev@googlegroups.com, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov, stable@vger.kernel.org

To allow performing tag checks on page_alloc addresses obtained via page_address(), tag-based KASAN modes store tags for page_alloc allocations in page->flags.

Currently, the default tag value stored in page->flags is 0x00. Therefore, page_address() returns a 0x00ffff... address for pages that were not allocated via page_alloc.

This might cause problems. A particular case we encountered is a conflict with KFENCE. If a KFENCE-allocated slab object is being freed via kfree(page_address(page) + offset), the address passed to kfree() will get tagged with 0x00 (as slab pages keep the default per-page tags). This leads to the is_kfence_address() check failing, and a KFENCE object ending up in the normal slab freelist, which causes memory corruptions.

This patch changes the way KASAN stores tags in page->flags: they are now stored xor'ed with 0xff. This way, KASAN doesn't need to initialize per-page flags for every created page, which might be slow.
With this change, page_address() returns natively-tagged (with 0xff) pointers for pages that didn't have tags set explicitly.

This patch fixes the encountered conflict with KFENCE and prevents more similar issues that can occur in the future.

Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Konovalov
Reviewed-by: Marco Elver
---
 include/linux/mm.h | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index 77e64e3eac80..c45c28f094a7 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1440,16 +1440,28 @@ static inline bool cpupid_match_pid(struct task_struct *task, int cpupid) #if defined(CONFIG_KASAN_SW_TAGS) || defined(CONFIG_KASAN_HW_TAGS) +/* + * KASAN per-page tags are stored xor'ed with 0xff. This allows to avoid + * setting tags for all pages to native kernel tag value 0xff, as the default + * value 0x00 maps to 0xff. + */ + static inline u8 page_kasan_tag(const struct page *page) { - if (kasan_enabled()) - return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; - return 0xff; + u8 tag = 0xff; + + if (kasan_enabled()) { + tag = (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK; + tag ^= 0xff; + } + + return tag; } static inline void page_kasan_tag_set(struct page *page, u8 tag) { if (kasan_enabled()) { + tag ^= 0xff; page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT); page->flags |= (tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT; }
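Review bot: the new comment block needs a wording and placement fix, and the inverted storage format needs a cross-check against any other code that touches these bits. "This allows to avoid setting tags for all pages to native kernel tag value 0xff" is ungrammatical; suggest "This avoids having to set every page's tag to the native kernel tag value 0xff, because the default value 0x00 now maps to 0xff." The stray blank "+" line between the closing "*/" and `static inline u8 page_kasan_tag(const struct page *page)` detaches the comment from the function it documents; drop it so the comment sits directly above the function. The logic itself looks right: `tag ^= 0xff` in page_kasan_tag_set is applied before masking with KASAN_TAG_MASK, page_kasan_tag masks before un-xoring, so a stored tag round-trips and zeroed flags decode to 0xff, and the kasan-disabled path still returns 0xff via the `u8 tag = 0xff;` initializer. Because the stored representation is now the inverse of the logical tag, please confirm that nothing reads or writes the KASAN field of page->flags except through these two accessors; any such site would now observe or store inverted tags.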
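As an added, constructed model (not the kernel's code) of the encoding change in this patch, the block below contrasts the old raw tag storage with the xor'ed storage and shows why page_address() on an untouched page now yields a 0xff-tagged pointer instead of the 0x00ffff... one described in the commit message. KASAN_TAG_PGSHIFT, the tag width and the top-byte pointer tagging in tagged_address() are assumptions, not the real page->flags layout.

```c
#include <stdint.h>

/* Constructed model of the per-page tag field; shift and width are
 * assumptions, not the kernel's real page->flags layout. */
#define KASAN_TAG_WIDTH   8
#define KASAN_TAG_PGSHIFT 56
#define KASAN_TAG_MASK    (((uint64_t)1 << KASAN_TAG_WIDTH) - 1)

struct page { uint64_t flags; };

/* Before the patch: the raw tag lives in page->flags, so a page whose
 * flags KASAN never touched reads back as tag 0x00. */
static uint8_t old_page_kasan_tag(const struct page *page)
{
	return (page->flags >> KASAN_TAG_PGSHIFT) & KASAN_TAG_MASK;
}

/* After the patch: the tag is stored xor'ed with 0xff, so zeroed flags
 * decode to the native kernel tag 0xff with no per-page initialisation. */
static uint8_t new_page_kasan_tag(const struct page *page)
{
	return old_page_kasan_tag(page) ^ 0xff;
}
static void new_page_kasan_tag_set(struct page *page, uint8_t tag)
{
	tag ^= 0xff;
	page->flags &= ~(KASAN_TAG_MASK << KASAN_TAG_PGSHIFT);
	page->flags |= ((uint64_t)tag & KASAN_TAG_MASK) << KASAN_TAG_PGSHIFT;
}

/* Model of page_address() on a tag-based kernel: the per-page tag becomes
 * the top byte of the pointer (assumes a 56-bit address and 8-bit tag). */
static uint64_t tagged_address(uint64_t addr, uint8_t tag)
{
	return (addr & 0x00ffffffffffffffULL) | ((uint64_t)tag << 56);
}

/* Address page_address() would return for a page KASAN never tagged,
 * under the old (raw) or the new (xor'ed) encoding. */
static uint64_t untouched_page_address(uint64_t addr, int xored)
{
	struct page p = { 0 };   /* default flags: tag field is 0x00 */
	uint8_t tag = xored ? new_page_kasan_tag(&p) : old_page_kasan_tag(&p);
	return tagged_address(addr, tag);
}

/* Set-then-get round trip under the new encoding. */
static uint8_t roundtrip_new(uint8_t tag)
{
	struct page p = { 0 };
	new_page_kasan_tag_set(&p, tag);
	return new_page_kasan_tag(&p);
}
```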