From nobody Thu Dec 18 20:17:30 2025 Received: from out-173.mta0.migadu.com (out-173.mta0.migadu.com [91.218.175.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 52972194A43 for ; Wed, 4 Dec 2024 08:35:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733301348; cv=none; b=ZJyrIUOQ+WWScNug8putBkrHtSVDIBg8/kNPrQO73phD80mXonZmuo/IzqqNpEpyCM4bUX7JTotv5TjiiW5f2pqPqAh0FlEEVkqgWXlwimck1ZmZ9D7XVpH//WVuovtyydSBTQc49CTXbjhn+ck1dU8fpyqnJkFlMUfJLRZpJaY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733301348; c=relaxed/simple; bh=/+yoOe6yvLO9gS3WZYfN816bz9nfKC5dIUHYrP/DVJs=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=cvv3dDl8fuDX+RyzeNiUg9T7WfcE3ZyNJbztM92gHTerM1HPm63TbynKWynW02TY91Gf//w9Zo+vpLgocIRmQTTo+UsTthzRHbcuedrYjmZBWwzJ8BIW7vErOUhFS6WyB33N6kHxTT8tZETHYWBMGdloDZ+wRXKS9S5xAPM0mLc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=dQbCY2EQ; arc=none smtp.client-ip=91.218.175.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="dQbCY2EQ" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1733301342; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WQ/bt9UKnbTwCWMXSy/te0h7IEpxPojbhIAC28Qjeok=; b=dQbCY2EQZIzXZjdvlEpa0YXDQaXBl2uX/Kox8kvYpk+fyff8onQeV3AddiDxpQPkEWJaap EHUBr+INzuYLNmgQj+vg2Yl232EiW7epwtzxFjjclMAPcng0hDaBAMZ/sddGBzofA3duce 1JPlyzm3E7eaQABgPLbH1hhheB9bW7M= From: Hao Ge To: surenb@google.com, kent.overstreet@linux.dev, akpm@linux-foundation.org Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, hao.ge@linux.dev, Hao Ge Subject: [PATCH v2] mm/alloc_tag: fix vm_module_tags_populate's KASAN poisoning logic Date: Wed, 4 Dec 2024 16:34:48 +0800 Message-Id: <20241204083448.387862-1-hao.ge@linux.dev> In-Reply-To: <20241204075248.384215-1-hao.ge@linux.dev> References: <20241204075248.384215-1-hao.ge@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" From: Hao Ge After merge commit 233e89322cbe ("alloc_tag: fix module allocation tags populated area calculation"), We still encountered a KASAN bug. This is because we have only actually performed page allocation and address mapping here. we need to unpoisoned portions of underlying memory. Because we have a change in the size here,we need to re-annotate poisoned and unpoisoned portions of underlying memory according to the new size. Here is the log for KASAN: [ 5.041171][ T1] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [ 5.042047][ T1] BUG: KASAN: vmalloc-out-of-bounds in move_module+0x2= c0/0x708 [ 5.042723][ T1] Write of size 240 at addr ffff80007e510000 by task s= ystemd/1 [ 5.043412][ T1] [ 5.043523][ T72] input: QEMU QEMU USB Tablet as /devices/pci0000:00/0= 000:00:01.1/0000:02:001 [ 5.043614][ T1] CPU: 0 UID: 0 PID: 1 Comm: systemd Not tainted 6.13.= 0-rc1+ #28 [ 5.045560][ T1] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 = 02/06/2015 [ 5.046328][ T1] Call trace: [ 5.046670][ T1] show_stack+0x20/0x38 (C) [ 5.047127][ T1] dump_stack_lvl+0x80/0xf8 [ 5.047533][ T1] print_address_description.constprop.0+0x58/0x358 [ 5.048092][ T72] hid-generic 0003:0627:0001.0001: input,hidraw0: USB = HID v0.01 Mouse [QEMU 0 [ 5.048126][ T1] print_report+0xb0/0x280 [ 5.049682][ T1] kasan_report+0xb8/0x108 [ 5.050170][ T1] kasan_check_range+0xe8/0x190 [ 5.050685][ T1] memcpy+0x58/0xa0 [ 5.051135][ T1] move_module+0x2c0/0x708 [ 5.051586][ T1] layout_and_allocate.constprop.0+0x308/0x5b8 [ 5.052219][ T1] load_module+0x134/0x16c8 [ 5.052671][ T1] init_module_from_file+0xdc/0x138 [ 5.053193][ T1] idempotent_init_module+0x344/0x600 [ 5.053742][ T1] __arm64_sys_finit_module+0xbc/0x150 [ 5.054289][ T1] invoke_syscall+0xd4/0x258 [ 5.054749][ T1] el0_svc_common.constprop.0+0xb4/0x240 [ 5.055319][ T1] do_el0_svc+0x48/0x68 [ 5.055743][ T1] el0_svc+0x40/0xe0 [ 5.056142][ T1] el0t_64_sync_handler+0x10c/0x138 [ 5.056658][ T1] el0t_64_sync+0x1ac/0x1b0 Fixes: 233e89322cbe ("alloc_tag: fix module allocation tags populated area = calculation") Signed-off-by: Hao Ge --- v2: Add comments to kasan_unpoison_vmalloc like other places. commit 233e89322cbe ("alloc_tag: fix module allocation tags populated area calculation") is currently in the mm-hotfixes-unstable branch, so this patch is developed based on the mm-hotfixes-unstable branch. --- lib/alloc_tag.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/lib/alloc_tag.c b/lib/alloc_tag.c index 4ee6caa6d2da..f885b3f3af0e 100644 --- a/lib/alloc_tag.c +++ b/lib/alloc_tag.c @@ -421,7 +421,20 @@ static int vm_module_tags_populate(void) __free_page(next_page[i]); return -ENOMEM; } + + kasan_poison_vmalloc((void *)module_tags.start_addr, + vm_module_tags->nr_pages << PAGE_SHIFT); + vm_module_tags->nr_pages +=3D nr; + + /* + * Mark the pages as accessible, now that they are mapped. + * With hardware tag-based KASAN, marking is skipped for + * non-VM_ALLOC mappings, see __kasan_unpoison_vmalloc(). + */ + kasan_unpoison_vmalloc((void *)module_tags.start_addr, + vm_module_tags->nr_pages << PAGE_SHIFT, + KASAN_VMALLOC_PROT_NORMAL); } =20 return 0; --=20 2.25.1