diff options
Diffstat (limited to 'mm/kasan')
| -rw-r--r-- | mm/kasan/hw_tags.c | 18 | ||||
| -rw-r--r-- | mm/kasan/kasan.h | 38 | ||||
| -rw-r--r-- | mm/kasan/kasan_test.c | 24 | ||||
| -rw-r--r-- | mm/kasan/quarantine.c | 34 | ||||
| -rw-r--r-- | mm/kasan/report.c | 59 |
5 files changed, 75 insertions, 98 deletions
diff --git a/mm/kasan/hw_tags.c b/mm/kasan/hw_tags.c index d1bcb0205327..06141bbc1e51 100644 --- a/mm/kasan/hw_tags.c +++ b/mm/kasan/hw_tags.c @@ -205,7 +205,7 @@ void kasan_init_hw_tags_cpu(void) * Enable async or asymm modes only when explicitly requested * through the command line. */ - kasan_enable_tagging(); + kasan_enable_hw_tags(); } /* kasan_init_hw_tags() is called once on boot CPU. */ @@ -285,7 +285,7 @@ static void init_vmalloc_pages(const void *start, unsigned long size) const void *addr; for (addr = start; addr < start + size; addr += PAGE_SIZE) { - struct page *page = virt_to_page(addr); + struct page *page = vmalloc_to_page(addr); clear_highpage_kasan_tagged(page); } @@ -297,7 +297,7 @@ void *__kasan_unpoison_vmalloc(const void *start, unsigned long size, u8 tag; unsigned long redzone_start, redzone_size; - if (!kasan_vmalloc_enabled() || !is_vmalloc_or_module_addr(start)) { + if (!kasan_vmalloc_enabled()) { if (flags & KASAN_VMALLOC_INIT) init_vmalloc_pages(start, size); return (void *)start; @@ -318,7 +318,7 @@ void *__kasan_unpoison_vmalloc(const void *start, unsigned long size, * Thus, for VM_ALLOC mappings, hardware tag-based KASAN only tags * the first virtual mapping, which is created by vmalloc(). * Tagging the page_alloc memory backing that vmalloc() allocation is - * skipped, see ___GFP_SKIP_KASAN_UNPOISON. + * skipped, see ___GFP_SKIP_KASAN. * * For non-VM_ALLOC allocations, page_alloc memory is tagged as usual. */ @@ -373,19 +373,19 @@ void __kasan_poison_vmalloc(const void *start, unsigned long size) #endif -void kasan_enable_tagging(void) +void kasan_enable_hw_tags(void) { if (kasan_arg_mode == KASAN_ARG_MODE_ASYNC) - hw_enable_tagging_async(); + hw_enable_tag_checks_async(); else if (kasan_arg_mode == KASAN_ARG_MODE_ASYMM) - hw_enable_tagging_asymm(); + hw_enable_tag_checks_asymm(); else - hw_enable_tagging_sync(); + hw_enable_tag_checks_sync(); } #if IS_ENABLED(CONFIG_KASAN_KUNIT_TEST) -EXPORT_SYMBOL_GPL(kasan_enable_tagging); +EXPORT_SYMBOL_GPL(kasan_enable_hw_tags); void kasan_force_async_fault(void) { diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index a61eeee3095a..f5e4f5f2ba20 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -395,46 +395,22 @@ static inline const void *arch_kasan_set_tag(const void *addr, u8 tag) #ifdef CONFIG_KASAN_HW_TAGS -#ifndef arch_enable_tagging_sync -#define arch_enable_tagging_sync() -#endif -#ifndef arch_enable_tagging_async -#define arch_enable_tagging_async() -#endif -#ifndef arch_enable_tagging_asymm -#define arch_enable_tagging_asymm() -#endif -#ifndef arch_force_async_tag_fault -#define arch_force_async_tag_fault() -#endif -#ifndef arch_get_random_tag -#define arch_get_random_tag() (0xFF) -#endif -#ifndef arch_get_mem_tag -#define arch_get_mem_tag(addr) (0xFF) -#endif -#ifndef arch_set_mem_tag_range -#define arch_set_mem_tag_range(addr, size, tag, init) ((void *)(addr)) -#endif - -#define hw_enable_tagging_sync() arch_enable_tagging_sync() -#define hw_enable_tagging_async() arch_enable_tagging_async() -#define hw_enable_tagging_asymm() arch_enable_tagging_asymm() +#define hw_enable_tag_checks_sync() arch_enable_tag_checks_sync() +#define hw_enable_tag_checks_async() arch_enable_tag_checks_async() +#define hw_enable_tag_checks_asymm() arch_enable_tag_checks_asymm() +#define hw_suppress_tag_checks_start() arch_suppress_tag_checks_start() +#define hw_suppress_tag_checks_stop() arch_suppress_tag_checks_stop() #define hw_force_async_tag_fault() arch_force_async_tag_fault() #define hw_get_random_tag() arch_get_random_tag() #define hw_get_mem_tag(addr) arch_get_mem_tag(addr) #define hw_set_mem_tag_range(addr, size, tag, init) \ arch_set_mem_tag_range((addr), (size), (tag), (init)) -void kasan_enable_tagging(void); +void kasan_enable_hw_tags(void); #else /* CONFIG_KASAN_HW_TAGS */ -#define hw_enable_tagging_sync() -#define hw_enable_tagging_async() -#define hw_enable_tagging_asymm() - -static inline void kasan_enable_tagging(void) { } +static inline void kasan_enable_hw_tags(void) { } #endif /* CONFIG_KASAN_HW_TAGS */ diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c index 627eaf1ee1db..b61cc6a42541 100644 --- a/mm/kasan/kasan_test.c +++ b/mm/kasan/kasan_test.c @@ -56,19 +56,6 @@ static void probe_console(void *ignore, const char *buf, size_t len) WRITE_ONCE(test_status.async_fault, true); } -static void register_tracepoints(struct tracepoint *tp, void *ignore) -{ - check_trace_callback_type_console(probe_console); - if (!strcmp(tp->name, "console")) - WARN_ON(tracepoint_probe_register(tp, probe_console, NULL)); -} - -static void unregister_tracepoints(struct tracepoint *tp, void *ignore) -{ - if (!strcmp(tp->name, "console")) - tracepoint_probe_unregister(tp, probe_console, NULL); -} - static int kasan_suite_init(struct kunit_suite *suite) { if (!kasan_enabled()) { @@ -86,12 +73,7 @@ static int kasan_suite_init(struct kunit_suite *suite) */ multishot = kasan_save_enable_multi_shot(); - /* - * Because we want to be able to build the test as a module, we need to - * iterate through all known tracepoints, since the static registration - * won't work here. - */ - for_each_kernel_tracepoint(register_tracepoints, NULL); + register_trace_console(probe_console, NULL); return 0; } @@ -99,7 +81,7 @@ static void kasan_suite_exit(struct kunit_suite *suite) { kasan_kunit_test_suite_end(); kasan_restore_multi_shot(multishot); - for_each_kernel_tracepoint(unregister_tracepoints, NULL); + unregister_trace_console(probe_console, NULL); tracepoint_synchronize_unregister(); } @@ -148,7 +130,7 @@ static void kasan_test_exit(struct kunit *test) kasan_sync_fault_possible()) { \ if (READ_ONCE(test_status.report_found) && \ !READ_ONCE(test_status.async_fault)) \ - kasan_enable_tagging(); \ + kasan_enable_hw_tags(); \ migrate_enable(); \ } \ WRITE_ONCE(test_status.report_found, false); \ diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c index 75585077eb6d..152dca73f398 100644 --- a/mm/kasan/quarantine.c +++ b/mm/kasan/quarantine.c @@ -99,7 +99,6 @@ static unsigned long quarantine_size; static DEFINE_RAW_SPINLOCK(quarantine_lock); DEFINE_STATIC_SRCU(remove_cache_srcu); -#ifdef CONFIG_PREEMPT_RT struct cpu_shrink_qlist { raw_spinlock_t lock; struct qlist_head qlist; @@ -108,7 +107,6 @@ struct cpu_shrink_qlist { static DEFINE_PER_CPU(struct cpu_shrink_qlist, shrink_qlist) = { .lock = __RAW_SPIN_LOCK_UNLOCKED(shrink_qlist.lock), }; -#endif /* Maximum size of the global queue. */ static unsigned long quarantine_max_size; @@ -319,16 +317,6 @@ static void qlist_move_cache(struct qlist_head *from, } } -#ifndef CONFIG_PREEMPT_RT -static void __per_cpu_remove_cache(struct qlist_head *q, void *arg) -{ - struct kmem_cache *cache = arg; - struct qlist_head to_free = QLIST_INIT; - - qlist_move_cache(q, &to_free, cache); - qlist_free_all(&to_free, cache); -} -#else static void __per_cpu_remove_cache(struct qlist_head *q, void *arg) { struct kmem_cache *cache = arg; @@ -340,7 +328,6 @@ static void __per_cpu_remove_cache(struct qlist_head *q, void *arg) qlist_move_cache(q, &sq->qlist, cache); raw_spin_unlock_irqrestore(&sq->lock, flags); } -#endif static void per_cpu_remove_cache(void *arg) { @@ -362,6 +349,8 @@ void kasan_quarantine_remove_cache(struct kmem_cache *cache) { unsigned long flags, i; struct qlist_head to_free = QLIST_INIT; + int cpu; + struct cpu_shrink_qlist *sq; /* * Must be careful to not miss any objects that are being moved from @@ -372,20 +361,13 @@ void kasan_quarantine_remove_cache(struct kmem_cache *cache) */ on_each_cpu(per_cpu_remove_cache, cache, 1); -#ifdef CONFIG_PREEMPT_RT - { - int cpu; - struct cpu_shrink_qlist *sq; - - for_each_online_cpu(cpu) { - sq = per_cpu_ptr(&shrink_qlist, cpu); - raw_spin_lock_irqsave(&sq->lock, flags); - qlist_move_cache(&sq->qlist, &to_free, cache); - raw_spin_unlock_irqrestore(&sq->lock, flags); - } - qlist_free_all(&to_free, cache); + for_each_online_cpu(cpu) { + sq = per_cpu_ptr(&shrink_qlist, cpu); + raw_spin_lock_irqsave(&sq->lock, flags); + qlist_move_cache(&sq->qlist, &to_free, cache); + raw_spin_unlock_irqrestore(&sq->lock, flags); } -#endif + qlist_free_all(&to_free, cache); raw_spin_lock_irqsave(&quarantine_lock, flags); for (i = 0; i < QUARANTINE_BATCHES; i++) { diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 89078f912827..892a9dc9d4d3 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -72,10 +72,18 @@ static int __init kasan_set_multi_shot(char *str) __setup("kasan_multi_shot", kasan_set_multi_shot); /* - * Used to suppress reports within kasan_disable/enable_current() critical - * sections, which are used for marking accesses to slab metadata. + * This function is used to check whether KASAN reports are suppressed for + * software KASAN modes via kasan_disable/enable_current() critical sections. + * + * This is done to avoid: + * 1. False-positive reports when accessing slab metadata, + * 2. Deadlocking when poisoned memory is accessed by the reporting code. + * + * Hardware Tag-Based KASAN instead relies on: + * For #1: Resetting tags via kasan_reset_tag(). + * For #2: Suppression of tag checks via CPU, see report_suppress_start/end(). */ -static bool report_suppressed(void) +static bool report_suppressed_sw(void) { #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) if (current->kasan_depth) @@ -84,6 +92,30 @@ static bool report_suppressed(void) return false; } +static void report_suppress_start(void) +{ +#ifdef CONFIG_KASAN_HW_TAGS + /* + * Disable preemption for the duration of printing a KASAN report, as + * hw_suppress_tag_checks_start() disables checks on the current CPU. + */ + preempt_disable(); + hw_suppress_tag_checks_start(); +#else + kasan_disable_current(); +#endif +} + +static void report_suppress_stop(void) +{ +#ifdef CONFIG_KASAN_HW_TAGS + hw_suppress_tag_checks_stop(); + preempt_enable(); +#else + kasan_enable_current(); +#endif +} + /* * Used to avoid reporting more than one KASAN bug unless kasan_multi_shot * is enabled. Note that KASAN tests effectively enable kasan_multi_shot @@ -174,7 +206,7 @@ static void start_report(unsigned long *flags, bool sync) /* Do not allow LOCKDEP mangling KASAN reports. */ lockdep_off(); /* Make sure we don't end up in loop. */ - kasan_disable_current(); + report_suppress_start(); spin_lock_irqsave(&report_lock, *flags); pr_err("==================================================================\n"); } @@ -192,7 +224,7 @@ static void end_report(unsigned long *flags, void *addr) panic("kasan.fault=panic set ...\n"); add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); lockdep_on(); - kasan_enable_current(); + report_suppress_stop(); } static void print_error_description(struct kasan_report_info *info) @@ -480,9 +512,13 @@ void kasan_report_invalid_free(void *ptr, unsigned long ip, enum kasan_report_ty struct kasan_report_info info; /* - * Do not check report_suppressed(), as an invalid-free cannot be - * caused by accessing slab metadata and thus should not be - * suppressed by kasan_disable/enable_current() critical sections. + * Do not check report_suppressed_sw(), as an invalid-free cannot be + * caused by accessing poisoned memory and thus should not be suppressed + * by kasan_disable/enable_current() critical sections. + * + * Note that for Hardware Tag-Based KASAN, kasan_report_invalid_free() + * is triggered by explicit tag checks and not by the ones performed by + * the CPU. Thus, reporting invalid-free is not suppressed as well. */ if (unlikely(!report_enabled())) return; @@ -517,7 +553,7 @@ bool kasan_report(unsigned long addr, size_t size, bool is_write, unsigned long irq_flags; struct kasan_report_info info; - if (unlikely(report_suppressed()) || unlikely(!report_enabled())) { + if (unlikely(report_suppressed_sw()) || unlikely(!report_enabled())) { ret = false; goto out; } @@ -549,8 +585,9 @@ void kasan_report_async(void) unsigned long flags; /* - * Do not check report_suppressed(), as kasan_disable/enable_current() - * critical sections do not affect Hardware Tag-Based KASAN. + * Do not check report_suppressed_sw(), as + * kasan_disable/enable_current() critical sections do not affect + * Hardware Tag-Based KASAN. */ if (unlikely(!report_enabled())) return; |