linux/mm
Kuan-Ying Lee bd5c75ce7b UPSTREAM: kasan, kmemleak: reset tags when scanning block
Patch series "kasan, slub: reset tag when printing address", v3.

With hardware tag-based kasan enabled, we reset the tag when we access
metadata to avoid false alarms.

This patch (of 2):

Kmemleak needs to scan kernel memory to check for memory leaks.  With
hardware tag-based kasan enabled, when it scans an invalid slab and
dereferences it, the issue below occurs.

Hardware tag-based KASAN doesn't use compiler instrumentation, so we cannot
use kasan_disable_current() to ignore the tag check.

Based on the below report, there are 11 0xf7 granules, which amounts to
176 bytes, and the object is allocated from the kmalloc-256 cache.  So
when kmemleak accesses the last 256-176 bytes, it causes faults, as those
are marked with KASAN_KMALLOC_REDZONE == KASAN_TAG_INVALID == 0xfe.

Thus, we reset tags before accessing metadata to avoid false positives.

  BUG: KASAN: out-of-bounds in scan_block+0x58/0x170
  Read at addr f7ff0000c0074eb0 by task kmemleak/138
  Pointer tag: [f7], memory tag: [fe]

  CPU: 7 PID: 138 Comm: kmemleak Not tainted 5.14.0-rc2-00001-g8cae8cd89f05-dirty #134
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x0/0x1b0
   show_stack+0x1c/0x30
   dump_stack_lvl+0x68/0x84
   print_address_description+0x7c/0x2b4
   kasan_report+0x138/0x38c
   __do_kernel_fault+0x190/0x1c4
   do_tag_check_fault+0x78/0x90
   do_mem_abort+0x44/0xb4
   el1_abort+0x40/0x60
   el1h_64_sync_handler+0xb4/0xd0
   el1h_64_sync+0x78/0x7c
   scan_block+0x58/0x170
   scan_gray_list+0xdc/0x1a0
   kmemleak_scan+0x2ac/0x560
   kmemleak_scan_thread+0xb0/0xe0
   kthread+0x154/0x160
   ret_from_fork+0x10/0x18

  Allocated by task 0:
   kasan_save_stack+0x2c/0x60
   __kasan_kmalloc+0xec/0x104
   __kmalloc+0x224/0x3c4
   __register_sysctl_paths+0x200/0x290
   register_sysctl_table+0x2c/0x40
   sysctl_init+0x20/0x34
   proc_sys_init+0x3c/0x48
   proc_root_init+0x80/0x9c
   start_kernel+0x648/0x6a4
   __primary_switched+0xc0/0xc8

  Freed by task 0:
   kasan_save_stack+0x2c/0x60
   kasan_set_track+0x2c/0x40
   kasan_set_free_info+0x44/0x54
   ____kasan_slab_free.constprop.0+0x150/0x1b0
   __kasan_slab_free+0x14/0x20
   slab_free_freelist_hook+0xa4/0x1fc
   kfree+0x1e8/0x30c
   put_fs_context+0x124/0x220
   vfs_kern_mount.part.0+0x60/0xd4
   kern_mount+0x24/0x4c
   bdev_cache_init+0x70/0x9c
   vfs_caches_init+0xdc/0xf4
   start_kernel+0x638/0x6a4
   __primary_switched+0xc0/0xc8

  The buggy address belongs to the object at ffff0000c0074e00
   which belongs to the cache kmalloc-256 of size 256
  The buggy address is located 176 bytes inside of
   256-byte region [ffff0000c0074e00, ffff0000c0074f00)
  The buggy address belongs to the page:
  page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100074
  head:(____ptrval____) order:2 compound_mapcount:0 compound_pincount:0
  flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff|kasantag=0x0)
  raw: 0bfffc0000010200 0000000000000000 dead000000000122 f5ff0000c0002300
  raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
  page dumped because: kasan: bad access detected

  Memory state around the buggy address:
   ffff0000c0074c00: f0 f0 f0 f0 f0 f0 f0 f0 f0 fe fe fe fe fe fe fe
   ffff0000c0074d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  >ffff0000c0074e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fe fe fe fe fe
                                                      ^
   ffff0000c0074f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
   ffff0000c0075000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ==================================================================
  Disabling lock debugging due to kernel taint
  kmemleak: 181 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

Link: https://lkml.kernel.org/r/20210804090957.12393-1-Kuan-Ying.Lee@mediatek.com
Link: https://lkml.kernel.org/r/20210804090957.12393-2-Kuan-Ying.Lee@mediatek.com
Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Marco Elver <elver@google.com>
Cc: Nicholas Tang <nicholas.tang@mediatek.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Chinwen Chang <chinwen.chang@mediatek.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Bug: 197723947
(cherry picked from commit 6c7a00b843)
Change-Id: I236560a20bafe78643a182fb4c82f0bd7d15ed87
Signed-off-by: Yee Lee <Yee.lee@mediatek.com>
2021-08-30 07:02:08 +00:00
kasan BACKPORT: FROMLIST: kasan: add memzero int for unaligned size at DEBUG 2021-07-15 16:49:20 +00:00
kfence UPSTREAM: kfence: use TASK_IDLE when awaiting allocation 2021-08-27 12:26:09 -07:00
backing-dev.c
balloon_compaction.c
cleancache.c
cma_debug.c FROMLIST: mm: cma: introduce gfp flag in cma_alloc instead of no_warn 2021-01-25 12:21:02 -08:00
cma_sysfs.c ANDROID: make cma_sysfs experimental 2021-03-25 19:20:18 +00:00
cma.c ANDROID: mm: cma do not sleep for __GFP_NORETRY 2021-07-14 11:54:49 -07:00
cma.h ANDROID: GKI: add OEM data in cma struct 2021-06-04 11:15:16 -07:00
compaction.c UPSTREAM: mm/compaction: correct deferral logic for proactive compaction 2021-07-21 22:18:24 +00:00
debug_page_ref.c
debug_vm_pgtable.c mm/debug_vm_pgtable: fix alignment for pmd/pud_advanced_tests() 2021-06-10 13:39:26 +02:00
debug.c ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
dmapool.c
early_ioremap.c
fadvise.c
failslab.c
filemap.c ANDROID: mm: Add hooks to filemap_fault for oem's optimization 2021-06-17 14:16:47 -07:00
frame_vector.c
frontswap.c
gup_benchmark.c mm/gup_benchmark: take the mmap lock around GUP 2020-10-18 09:27:09 -07:00
gup.c Merge 5.10.38 into android12-5.10 2021-05-20 15:35:25 +02:00
highmem.c mm/highmem.c: clean up endif comments 2020-10-16 11:11:18 -07:00
hmm.c
huge_memory.c Merge 5.10.27 into android12-5.10 2021-04-02 15:25:50 +02:00
hugetlb_cgroup.c hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings 2021-03-30 14:31:54 +02:00
hugetlb.c Merge 5.10.43 into android12-5.10 2021-06-12 14:48:14 +02:00
hwpoison-inject.c mm,hwpoison-inject: don't pin for hwpoison_filter 2020-10-16 11:11:16 -07:00
init-mm.c FROMLIST: mm: protect mm_rb tree with a rwlock 2021-01-22 18:00:57 +00:00
internal.h FROMLIST: mm: provide speculative fault infrastructure 2021-01-22 18:01:16 +00:00
interval_tree.c
ioremap.c
Kconfig FROMLIST: mm: cma: support sysfs 2021-03-25 19:20:09 +00:00
Kconfig.debug ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
khugepaged.c Merge 5.10.38 into android12-5.10 2021-05-20 15:35:25 +02:00
kmemleak.c UPSTREAM: kasan, kmemleak: reset tags when scanning block 2021-08-30 07:02:08 +00:00
ksm.c Merge 5.10.38 into android12-5.10 2021-05-20 15:35:25 +02:00
list_lru.c mm: list_lru: set shrinker map bit when child nr_items is not zero 2020-12-06 10:19:07 -08:00
maccess.c
madvise.c FROMLIST: mm/madvise: add MADV_WILLNEED to process_madvise() 2021-08-16 15:13:13 +00:00
Makefile ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
mapping_dirty_helpers.c
memblock.c UPSTREAM: mm: memblock: add more debug logs 2021-05-21 09:08:08 +05:30
memcontrol.c FROMLIST: mm, memcg: inline swap-related functions to improve disabled memcg config 2021-07-12 18:34:30 -07:00
memfd.c
memory_hotplug.c ANDROID: mm: cma: skip problematic pageblock 2021-07-14 11:54:49 -07:00
memory-failure.c mm/memory-failure: unnecessary amount of unmapping 2021-05-14 09:50:45 +02:00
memory.c UPSTREAM: mm: fix the deadlock in finish_fault() 2021-08-27 12:26:10 -07:00
mempolicy.c FROMLIST: mm: replace migrate_[prep|finish] with lru_cache_[disable|enable] 2021-03-23 04:05:24 +00:00
mempool.c FROMGIT: kasan: use separate (un)poison implementation for integrated init 2021-06-17 14:39:37 -07:00
memremap.c mm: fix memory_failure() handling of dax-namespace metadata 2021-03-04 11:38:21 +01:00
memtest.c
migrate.c Merge 5.10.38 into android12-5.10 2021-05-20 15:35:25 +02:00
mincore.c
mlock.c ANDROID: mm: page_pinner: unattribute follow_page in munlock_vma_pages_range 2021-04-30 09:13:35 -07:00
mm_init.c
mmap.c ANDROID: android: export kernel function vm_unmapped_area 2021-07-08 22:12:00 +00:00
mmu_gather.c
mmu_notifier.c mm/mmu_notifiers: ensure range_end() is paired with range_start() 2021-03-30 14:32:06 +02:00
mmzone.c ANDROID: mm: export zone_watermark_ok 2021-02-25 19:36:38 +00:00
mprotect.c FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once 2021-06-15 19:33:15 +00:00
mremap.c UPSTREAM: mm/mremap: hold the rmap lock in write mode when moving page table entries. 2021-07-15 18:39:14 +00:00
msync.c
nommu.c ANDROID: mm: allow vmas with vm_ops to be speculatively handled 2021-04-23 18:42:39 -07:00
oom_kill.c ANDROID: signal: Add vendor hook for memory reaping 2021-06-03 20:59:15 +00:00
page_alloc.c ANDROID: mm, kasan: fix for "integrate page_alloc init with HW_TAGS" 2021-07-20 00:38:20 +00:00
page_counter.c
page_ext.c ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
page_idle.c
page_io.c UPSTREAM: mm/page_io: use pr_alert_ratelimited for swap read/write errors 2021-03-30 18:44:11 +00:00
page_isolation.c ANDROID: mm: cma: skip problematic pageblock 2021-07-14 11:54:49 -07:00
page_owner.c ANDROID: mm: Make page_owner_enabled global 2021-04-01 00:09:00 +00:00
page_pinner.c ANDROID: mm: page_pinner: use EXPORT_SYMBOL_GPL 2021-07-14 03:38:32 +00:00
page_poison.c UPSTREAM: kasan: fix conflict with page poisoning 2021-07-19 20:39:17 +00:00
page_reporting.c mm: rename page_order() to buddy_order() 2020-10-16 11:11:19 -07:00
page_reporting.h
page_vma_mapped.c
page-writeback.c ANDROID: vendor_hooks: add hook to balance_dirty_pages() 2021-05-20 19:38:42 +00:00
pagewalk.c
percpu-internal.h percpu: make pcpu_nr_empty_pop_pages per chunk type 2021-04-14 08:42:03 +02:00
percpu-km.c
percpu-stats.c percpu: make pcpu_nr_empty_pop_pages per chunk type 2021-04-14 08:42:03 +02:00
percpu-vm.c
percpu.c Merge 5.10.30 into android12-5.10 2021-04-15 14:23:41 +02:00
pgalloc-track.h
pgtable-generic.c
process_vm_access.c mm/process_vm_access.c: include compat.h 2021-01-19 18:27:21 +01:00
ptdump.c This is the 5.10.32 stable release 2021-04-22 11:12:08 +02:00
readahead.c ANDROID: mm: Create vendor hooks to control ZONE_MOVABLE allocations 2020-12-01 18:07:54 +00:00
rmap.c FROMLIST: mm: introduce __page_add_new_anon_rmap() 2021-01-22 18:00:48 +00:00
rodata_test.c
shmem.c ANDROID: mm: provision to add shmem pages to inactive file lru head 2021-07-14 20:52:01 -07:00
shuffle.c mm: rename page_order() to buddy_order() 2020-10-16 11:11:19 -07:00
shuffle.h
slab_common.c FROMGIT: mm: slub: move sysfs slab alloc/free interfaces to debugfs 2021-06-15 18:11:57 +00:00
slab.c Merge 5.10.37 into android12-5.10 2021-05-15 09:28:55 +02:00
slab.h BACKPORT: FROMLIST: mm: move helper to check slub_debug_enabled 2021-07-15 16:49:09 +00:00
slob.c
slub.c UPSTREAM: kasan, slub: reset tag when printing address 2021-08-27 12:26:10 -07:00
sparse-vmemmap.c
sparse.c mm/sparse: add the missing sparse_buffer_fini() in error branch 2021-05-14 09:50:45 +02:00
swap_cgroup.c
swap_slots.c
swap_state.c FROMLIST: mm: protect VMA modifications using VMA sequence count 2021-01-22 17:59:47 +00:00
swap.c ANDROID: mm: provision to add shmem pages to inactive file lru head 2021-07-14 20:52:01 -07:00
swapfile.c FROMLIST: mm, memcg: inline swap-related functions to improve disabled memcg config 2021-07-12 18:34:30 -07:00
truncate.c mm/truncate.c: make __invalidate_mapping_pages() static 2020-11-02 12:14:19 -08:00
usercopy.c
userfaultfd.c FROMGIT: userfaultfd/shmem: modify shmem_mfill_atomic_pte to use install_pte() 2021-06-04 19:13:10 +00:00
util.c ANDROID: android: export kernel function arch_mmap_rnd 2021-07-09 20:51:14 +00:00
vmacache.c
vmalloc.c ANDROID: GKI: Export two more mm symbols for GKI 2021-07-19 17:15:33 +00:00
vmpressure.c FROMLIST: mm, memcg: add mem_cgroup_disabled checks in vmpressure and swap-related functions 2021-07-12 18:26:15 -07:00
vmscan.c ANDROID: Allow vendor module to reclaim a memcg 2021-07-12 18:54:56 +00:00
vmstat.c ANDROID: mm: allow vmas with vm_ops to be speculatively handled 2021-04-23 18:42:39 -07:00
workingset.c XArray updates for 5.9 2020-10-20 14:39:37 -07:00
z3fold.c z3fold: prevent reclaim/free race for headless pages 2021-03-30 14:31:54 +02:00
zbud.c mm/zbud: remove redundant initialization 2020-10-13 18:38:34 -07:00
zpool.c
zsmalloc.c This is the 5.10.21 stable release 2021-03-07 12:53:30 +01:00
zswap.c