arch/powerpc/mm/kasan/kasan_init_32.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
From: Chen Jingwen <chenjingwen6@huawei.com>
This is backport for 5.4
Upstream commit 5647a94a26e352beed61788b46e035d9d12664cd
The shadow's page table is not updated when PTE_RPN_SHIFT is 24
and PAGE_SHIFT is 12. It not only causes false positives but
also false negative as shown the following text.
Fix it by bringing the logic of kasan_early_shadow_page_entry here.
1. False Positive:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50
Write of size 16 at addr f57f3be0 by task swapper/0/1
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1
Call Trace:
[c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable)
[c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300
[c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200
[c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0
[c80d1cc0] [c03018a4] memset+0x34/0x90
[c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50
[c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570
[c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0
[c80d1db0] [c2036580] init_sd+0xc4/0x1d0
[c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c
[c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384
[c80d1ef0] [c0004b14] kernel_init+0x24/0x170
[c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64
Memory state around the buggy address:
f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
2. False Negative (with KASAN tests):
==================================================================
Before fix:
ok 45 - kmalloc_double_kzfree
# vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039
KASAN failure expected in "((volatile char *)area)[3100]", but none occurred
not ok 46 - vmalloc_oob
not ok 1 - kasan
==================================================================
After fix:
ok 1 - kasan
Fixes: cbd18991e24fe ("powerpc/mm: Fix an Oops in kasan_mmu_init()")
Cc: stable@vger.kernel.org # 5.4.x
Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211229035226.59159-1-chenjingwen6@huawei.com
[chleroy: Backport for 5.4]
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
---
arch/powerpc/mm/kasan/kasan_init_32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/mm/kasan/kasan_init_32.c b/arch/powerpc/mm/kasan/kasan_init_32.c
index 1cfe57b51d7e..3f78007a7282 100644
--- a/arch/powerpc/mm/kasan/kasan_init_32.c
+++ b/arch/powerpc/mm/kasan/kasan_init_32.c
@@ -121,7 +121,7 @@ static void __init kasan_remap_early_shadow_ro(void)
pmd_t *pmd = pmd_offset(pud_offset(pgd_offset_k(k_cur), k_cur), k_cur);
pte_t *ptep = pte_offset_kernel(pmd, k_cur);
- if ((pte_val(*ptep) & PTE_RPN_MASK) != pa)
+ if (pte_page(*ptep) != virt_to_page(lm_alias(kasan_early_shadow_page)))
continue;
__set_pte_at(&init_mm, k_cur, ptep, pfn_pte(PHYS_PFN(pa), prot), 0);
--
2.35.1> This is backport for 5.4 > > Upstream commit 5647a94a26e352beed61788b46e035d9d12664cd Thank you for your rebase. I went on vacation and couldn't submit the code at that time
On Sat, Apr 02, 2022 at 06:13:31PM +0200, Christophe Leroy wrote: > From: Chen Jingwen <chenjingwen6@huawei.com> > > This is backport for 5.4 > > Upstream commit 5647a94a26e352beed61788b46e035d9d12664cd This is not a commit in Linus's tree :(
Le 03/04/2022 à 12:25, Greg KH a écrit : > On Sat, Apr 02, 2022 at 06:13:31PM +0200, Christophe Leroy wrote: >> From: Chen Jingwen <chenjingwen6@huawei.com> >> >> This is backport for 5.4 >> >> Upstream commit 5647a94a26e352beed61788b46e035d9d12664cd > > This is not a commit in Linus's tree :( > Oops. Don't know what I did, that's indeed the commit after I cherry-picked it on top of 5.4.188 and before I modified it. According to the mail you sent me yesterday to tell it FAILED to apply on 5.4, the upstream commit is dd75080aa8409ce10d50fb58981c6b59bf8707d3 Thanks Christophe
On Sun, Apr 03, 2022 at 11:54:55AM +0000, Christophe Leroy wrote: > > > Le 03/04/2022 à 12:25, Greg KH a écrit : > > On Sat, Apr 02, 2022 at 06:13:31PM +0200, Christophe Leroy wrote: > >> From: Chen Jingwen <chenjingwen6@huawei.com> > >> > >> This is backport for 5.4 > >> > >> Upstream commit 5647a94a26e352beed61788b46e035d9d12664cd > > > > This is not a commit in Linus's tree :( > > > > Oops. Don't know what I did, that's indeed the commit after I > cherry-picked it on top of 5.4.188 and before I modified it. > > According to the mail you sent me yesterday to tell it FAILED to apply > on 5.4, the upstream commit is dd75080aa8409ce10d50fb58981c6b59bf8707d3 Can you resend with this fixed up please? thanks, greg k-h
© 2016 - 2026 Red Hat, Inc.