diff mbox series

[v3] mempool: Do not use ksize() for poisoning

Message ID 20221025233421.you.825-kees@kernel.org
State New
Headers
Series [v3] mempool: Do not use ksize() for poisoning |

Commit Message

Kees Cook Oct. 25, 2022, 11:36 p.m. UTC 
  Nothing appears to be using ksize() within the kmalloc-backed mempools
except the mempool poisoning logic. Use the actual pool size instead
of the ksize() to avoid needing any special handling of the memory as
needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.

Suggested-by: Vlastimil Babka <vbabka@suse.cz>
Link: https://lore.kernel.org/lkml/f4fc52c4-7c18-1d76-0c7a-4058ea2486b9@suse.cz/
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
v2: https://lore.kernel.org/lkml/20221018090323.never.897-kees@kernel.org/
v1: https://lore.kernel.org/lkml/20220923202822.2667581-14-keescook@chromium.org/
---
 mm/mempool.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Vlastimil Babka Oct. 26, 2022, 10:02 a.m. UTC | #1 
On 10/26/22 01:36, Kees Cook wrote:
> Nothing appears to be using ksize() within the kmalloc-backed mempools
> except the mempool poisoning logic. Use the actual pool size instead
> of the ksize() to avoid needing any special handling of the memory as
> needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.
> 
> Suggested-by: Vlastimil Babka <vbabka@suse.cz>
> Link: https://lore.kernel.org/lkml/f4fc52c4-7c18-1d76-0c7a-4058ea2486b9@suse.cz/
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Cc: David Rientjes <rientjes@google.com>
> Cc: Marco Elver <elver@google.com>
> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: linux-mm@kvack.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Vlastimil Babka <vbabka@suse.cz>

> ---
> v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
> v2: https://lore.kernel.org/lkml/20221018090323.never.897-kees@kernel.org/
> v1: https://lore.kernel.org/lkml/20220923202822.2667581-14-keescook@chromium.org/
> ---
>  mm/mempool.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/mm/mempool.c b/mm/mempool.c
> index 96488b13a1ef..54204065037d 100644
> --- a/mm/mempool.c
> +++ b/mm/mempool.c
> @@ -58,7 +58,7 @@ static void check_element(mempool_t *pool, void *element)
>  {
>  	/* Mempools backed by slab allocator */
>  	if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
> -		__check_element(pool, element, ksize(element));
> +		__check_element(pool, element, (size_t)pool->pool_data);
>  	} else if (pool->free == mempool_free_pages) {
>  		/* Mempools backed by page allocator */
>  		int order = (int)(long)pool->pool_data;
> @@ -81,7 +81,7 @@ static void poison_element(mempool_t *pool, void *element)
>  {
>  	/* Mempools backed by slab allocator */
>  	if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
> -		__poison_element(element, ksize(element));
> +		__poison_element(element, (size_t)pool->pool_data);
>  	} else if (pool->alloc == mempool_alloc_pages) {
>  		/* Mempools backed by page allocator */
>  		int order = (int)(long)pool->pool_data;
> @@ -112,7 +112,7 @@ static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
>  static void kasan_unpoison_element(mempool_t *pool, void *element)
>  {
>  	if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
> -		kasan_unpoison_range(element, __ksize(element));
> +		kasan_unpoison_range(element, (size_t)pool->pool_data);
>  	else if (pool->alloc == mempool_alloc_pages)
>  		kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
>  				     false);
Vlastimil Babka Oct. 26, 2022, 10:08 a.m. UTC | #2 
On 10/26/22 12:02, Vlastimil Babka wrote:
> On 10/26/22 01:36, Kees Cook wrote:
>> Nothing appears to be using ksize() within the kmalloc-backed mempools
>> except the mempool poisoning logic. Use the actual pool size instead
>> of the ksize() to avoid needing any special handling of the memory as
>> needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.
>> 
>> Suggested-by: Vlastimil Babka <vbabka@suse.cz>
>> Link: https://lore.kernel.org/lkml/f4fc52c4-7c18-1d76-0c7a-4058ea2486b9@suse.cz/
>> Cc: Andrey Konovalov <andreyknvl@gmail.com>
>> Cc: David Rientjes <rientjes@google.com>
>> Cc: Marco Elver <elver@google.com>
>> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: linux-mm@kvack.org
>> Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> Acked-by: Vlastimil Babka <vbabka@suse.cz>

Ah and since the subject was updated too, note this is supposed to
replace/fixup the patch in mm-unstable:

mempool-use-kmalloc_size_roundup-to-match-ksize-usage.patch

>> ---
>> v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
>> v2: https://lore.kernel.org/lkml/20221018090323.never.897-kees@kernel.org/
>> v1: https://lore.kernel.org/lkml/20220923202822.2667581-14-keescook@chromium.org/
>> ---
>>  mm/mempool.c | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>> 
>> diff --git a/mm/mempool.c b/mm/mempool.c
>> index 96488b13a1ef..54204065037d 100644
>> --- a/mm/mempool.c
>> +++ b/mm/mempool.c
>> @@ -58,7 +58,7 @@ static void check_element(mempool_t *pool, void *element)
>>  {
>>  	/* Mempools backed by slab allocator */
>>  	if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
>> -		__check_element(pool, element, ksize(element));
>> +		__check_element(pool, element, (size_t)pool->pool_data);
>>  	} else if (pool->free == mempool_free_pages) {
>>  		/* Mempools backed by page allocator */
>>  		int order = (int)(long)pool->pool_data;
>> @@ -81,7 +81,7 @@ static void poison_element(mempool_t *pool, void *element)
>>  {
>>  	/* Mempools backed by slab allocator */
>>  	if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
>> -		__poison_element(element, ksize(element));
>> +		__poison_element(element, (size_t)pool->pool_data);
>>  	} else if (pool->alloc == mempool_alloc_pages) {
>>  		/* Mempools backed by page allocator */
>>  		int order = (int)(long)pool->pool_data;
>> @@ -112,7 +112,7 @@ static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
>>  static void kasan_unpoison_element(mempool_t *pool, void *element)
>>  {
>>  	if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
>> -		kasan_unpoison_range(element, __ksize(element));
>> +		kasan_unpoison_range(element, (size_t)pool->pool_data);
>>  	else if (pool->alloc == mempool_alloc_pages)
>>  		kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
>>  				     false);
>
kernel test robot Oct. 27, 2022, 8:03 a.m. UTC | #3 
Greeting,

FYI, we noticed WARNING:at_kernel/locking/lockdep.c:#__lock_acquire due to commit (built with clang-14):

commit: 216fd003b5aca1c27d62df679cd722730b886919 ("[PATCH v3] mempool: Do not use ksize() for poisoning")
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/mempool-Do-not-use-ksize-for-poisoning/20221026-073834
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/pstore
patch link: https://lore.kernel.org/linux-mm/20221025233421.you.825-kees@kernel.org
patch subject: [PATCH v3] mempool: Do not use ksize() for poisoning

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Link: https://lore.kernel.org/oe-lkp/202210271449.445fce6-oliver.sang@intel.com


[    4.181184][    T1] ------------[ cut here ]------------
[    4.181613][    T1] DEBUG_LOCKS_WARN_ON(1)
[ 4.181613][ T1] WARNING: CPU: 1 PID: 1 at kernel/locking/lockdep.c:231 __lock_acquire (lockdep.c:?) 
[    4.181613][    T1] Modules linked in:
[    4.181613][    T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc1-00012-g216fd003b5ac #1
[    4.181613][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 4.181613][ T1] EIP: __lock_acquire (lockdep.c:?) 
[ 4.181613][ T1] Code: bd 96 00 85 c0 0f 84 b4 02 00 00 83 3d b8 c0 4c 45 00 0f 85 a7 02 00 00 68 c3 07 29 44 68 44 7b 13 44 e8 a7 53 f8 ff 83 c4 08 <0f> 0b 8b 4d f0 eb 09 6b c0 64 8d b0 10 38 71 45 8a 5e 60 b8 ff 1f
All code
========
   0:	bd 96 00 85 c0       	mov    $0xc0850096,%ebp
   5:	0f 84 b4 02 00 00    	je     0x2bf
   b:	83 3d b8 c0 4c 45 00 	cmpl   $0x0,0x454cc0b8(%rip)        # 0x454cc0ca
  12:	0f 85 a7 02 00 00    	jne    0x2bf
  18:	68 c3 07 29 44       	pushq  $0x442907c3
  1d:	68 44 7b 13 44       	pushq  $0x44137b44
  22:	e8 a7 53 f8 ff       	callq  0xfffffffffff853ce
  27:	83 c4 08             	add    $0x8,%esp
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	8b 4d f0             	mov    -0x10(%rbp),%ecx
  2f:	eb 09                	jmp    0x3a
  31:	6b c0 64             	imul   $0x64,%eax,%eax
  34:	8d b0 10 38 71 45    	lea    0x45713810(%rax),%esi
  3a:	8a 5e 60             	mov    0x60(%rsi),%bl
  3d:	b8                   	.byte 0xb8
  3e:	ff 1f                	lcall  *(%rdi)

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	8b 4d f0             	mov    -0x10(%rbp),%ecx
   5:	eb 09                	jmp    0x10
   7:	6b c0 64             	imul   $0x64,%eax,%eax
   a:	8d b0 10 38 71 45    	lea    0x45713810(%rax),%esi
  10:	8a 5e 60             	mov    0x60(%rsi),%bl
  13:	b8                   	.byte 0xb8
  14:	ff 1f                	lcall  *(%rdi)
[    4.181613][    T1] EAX: 00000016 EBX: 00080000 ECX: 00000000 EDX: 00000000
[    4.181613][    T1] ESI: 00000000 EDI: 403e0610 EBP: 40397ad0 ESP: 40397a30
[    4.181613][    T1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010016
[    4.181613][    T1] CR0: 80050033 CR2: 00000000 CR3: 05654000 CR4: 00000690
[    4.181613][    T1] Call Trace:
[ 4.181613][ T1] ? __lock_acquire (lockdep.c:?) 
[ 4.181613][ T1] ? update_cfs_rq_load_avg (fair.c:?) 
[ 4.181613][ T1] ? lock_acquire (??:?) 
[ 4.181613][ T1] ? ___slab_alloc (slub.c:?) 
[ 4.181613][ T1] ? _raw_spin_lock_irqsave (??:?) 
[ 4.181613][ T1] ? ___slab_alloc (slub.c:?) 
[ 4.181613][ T1] ? __cond_resched (??:?) 
[ 4.181613][ T1] ? slab_pre_alloc_hook (slub.c:?) 
[ 4.181613][ T1] ? kmem_cache_alloc (??:?) 
[ 4.181613][ T1] ? mempool_alloc_slab (??:?) 
[ 4.181613][ T1] ? mempool_init_node (??:?) 
[ 4.181613][ T1] ? mempool_init (??:?) 
[ 4.181613][ T1] ? mempool_alloc_slab (??:?) 
[ 4.181613][ T1] ? bioset_init (??:?) 
[ 4.181613][ T1] ? mempool_alloc_slab (??:?) 
[ 4.181613][ T1] ? init_bio (bio.c:?) 
[ 4.181613][ T1] ? blkdev_init (bio.c:?) 
[ 4.181613][ T1] ? do_one_initcall (??:?) 
[ 4.181613][ T1] ? blkdev_init (bio.c:?) 
[ 4.181613][ T1] ? do_initcall_level (main.c:?) 
[ 4.181613][ T1] ? do_initcalls (main.c:?) 
[ 4.181613][ T1] ? do_basic_setup (main.c:?) 
[ 4.181613][ T1] ? kernel_init_freeable (main.c:?) 
[ 4.181613][ T1] ? rest_init (main.c:?) 
[ 4.181613][ T1] ? kernel_init (main.c:?) 
[ 4.181613][ T1] ? rest_init (main.c:?) 
[ 4.181613][ T1] ? ret_from_fork (??:?) 
[    4.181613][    T1] irq event stamp: 52976
[ 4.181613][ T1] hardirqs last enabled at (52975): __schedule (core.c:?) 
[ 4.181613][ T1] hardirqs last disabled at (52976): _raw_spin_lock_irqsave (??:?) 
[ 4.181613][ T1] softirqs last enabled at (52954): __do_softirq (??:?) 
[ 4.181613][ T1] softirqs last disabled at (52949): do_softirq_own_stack (??:?) 
[    4.181613][    T1] ---[ end trace 0000000000000000 ]---


To reproduce:

        # build kernel
	cd linux
	cp config-6.1.0-rc1-00012-g216fd003b5ac .config
	make HOSTCC=clang-14 CC=clang-14 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=clang-14 CC=clang-14 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.
Andrey Konovalov Oct. 27, 2022, 7:15 p.m. UTC | #4 
On Wed, Oct 26, 2022 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
>
> Nothing appears to be using ksize() within the kmalloc-backed mempools
> except the mempool poisoning logic. Use the actual pool size instead
> of the ksize() to avoid needing any special handling of the memory as
> needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE.
>
> Suggested-by: Vlastimil Babka <vbabka@suse.cz>
> Link: https://lore.kernel.org/lkml/f4fc52c4-7c18-1d76-0c7a-4058ea2486b9@suse.cz/
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Cc: David Rientjes <rientjes@google.com>
> Cc: Marco Elver <elver@google.com>
> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: linux-mm@kvack.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v3: remove ksize() calls instead of adding kmalloc_roundup_size() calls (vbabka)
> v2: https://lore.kernel.org/lkml/20221018090323.never.897-kees@kernel.org/
> v1: https://lore.kernel.org/lkml/20220923202822.2667581-14-keescook@chromium.org/
> ---
>  mm/mempool.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/mm/mempool.c b/mm/mempool.c
> index 96488b13a1ef..54204065037d 100644
> --- a/mm/mempool.c
> +++ b/mm/mempool.c
> @@ -58,7 +58,7 @@ static void check_element(mempool_t *pool, void *element)
>  {
>         /* Mempools backed by slab allocator */
>         if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
> -               __check_element(pool, element, ksize(element));
> +               __check_element(pool, element, (size_t)pool->pool_data);
>         } else if (pool->free == mempool_free_pages) {
>                 /* Mempools backed by page allocator */
>                 int order = (int)(long)pool->pool_data;
> @@ -81,7 +81,7 @@ static void poison_element(mempool_t *pool, void *element)
>  {
>         /* Mempools backed by slab allocator */
>         if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
> -               __poison_element(element, ksize(element));
> +               __poison_element(element, (size_t)pool->pool_data);
>         } else if (pool->alloc == mempool_alloc_pages) {
>                 /* Mempools backed by page allocator */
>                 int order = (int)(long)pool->pool_data;
> @@ -112,7 +112,7 @@ static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
>  static void kasan_unpoison_element(mempool_t *pool, void *element)
>  {
>         if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
> -               kasan_unpoison_range(element, __ksize(element));
> +               kasan_unpoison_range(element, (size_t)pool->pool_data);
>         else if (pool->alloc == mempool_alloc_pages)
>                 kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
>                                      false);
> --
> 2.34.1
>

For the KASAN change:

Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>

Thanks!
diff mbox series

Patch

diff --git a/mm/mempool.c b/mm/mempool.c
index 96488b13a1ef..54204065037d 100644
--- a/mm/mempool.c
+++ b/mm/mempool.c
@@ -58,7 +58,7 @@  static void check_element(mempool_t *pool, void *element)
 {
 	/* Mempools backed by slab allocator */
 	if (pool->free == mempool_free_slab || pool->free == mempool_kfree) {
-		__check_element(pool, element, ksize(element));
+		__check_element(pool, element, (size_t)pool->pool_data);
 	} else if (pool->free == mempool_free_pages) {
 		/* Mempools backed by page allocator */
 		int order = (int)(long)pool->pool_data;
@@ -81,7 +81,7 @@  static void poison_element(mempool_t *pool, void *element)
 {
 	/* Mempools backed by slab allocator */
 	if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc) {
-		__poison_element(element, ksize(element));
+		__poison_element(element, (size_t)pool->pool_data);
 	} else if (pool->alloc == mempool_alloc_pages) {
 		/* Mempools backed by page allocator */
 		int order = (int)(long)pool->pool_data;
@@ -112,7 +112,7 @@  static __always_inline void kasan_poison_element(mempool_t *pool, void *element)
 static void kasan_unpoison_element(mempool_t *pool, void *element)
 {
 	if (pool->alloc == mempool_alloc_slab || pool->alloc == mempool_kmalloc)
-		kasan_unpoison_range(element, __ksize(element));
+		kasan_unpoison_range(element, (size_t)pool->pool_data);
 	else if (pool->alloc == mempool_alloc_pages)
 		kasan_unpoison_pages(element, (unsigned long)pool->pool_data,
 				     false);