[PATCH mm 1/2] fix for "kasan, vmalloc: only tag normal vmalloc allocations"

[andrey.k...@linux.dev]

From: Andrey Konovalov <andre...@google.com>

Pass KASAN_VMALLOC_PROT_NORMAL to kasan_unpoison_vmalloc() in the custom
KASAN instrumentation for Shadow Call Stack, as Shadow Call Stack mappings
are not executable and thus can be poisoned.

Signed-off-by: Andrey Konovalov <andre...@google.com>
---
kernel/scs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/scs.c b/kernel/scs.c
index b83bc9251f99..1033a76a3284 100644
--- a/kernel/scs.c
+++ b/kernel/scs.c
@@ -32,7 +32,8 @@ static void *__scs_alloc(int node)
for (i = 0; i < NR_CACHED_SCS; i++) {
s = this_cpu_xchg(scs_cache[i], NULL);
if (s) {
- kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_NONE);
+ kasan_unpoison_vmalloc(s, SCS_SIZE,
+ KASAN_VMALLOC_PROT_NORMAL);
memset(s, 0, SCS_SIZE);
return s;
}
@@ -78,7 +79,7 @@ void scs_free(void *s)
if (this_cpu_cmpxchg(scs_cache[i], 0, s) == NULL)
return;

- kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_NONE);
+ kasan_unpoison_vmalloc(s, SCS_SIZE, KASAN_VMALLOC_PROT_NORMAL);
vfree_atomic(s);
}

--
2.25.1

[andrey.k...@linux.dev]

From: Andrey Konovalov <andre...@google.com>

Fix up the custom KASAN instrumentation for Shadow Call Stack to support
vmalloc() mappings and pointers being tagged.

- Use the tagged pointer returned by kasan_unpoison_vmalloc() in
__scs_alloc() when calling memset() to avoid false-positives.

- Do not return a tagged Shadow Call Stack pointer from __scs_alloc(),
as this might lead to conflicts with the instrumentation.

Signed-off-by: Andrey Konovalov <andre...@google.com>

---

Andrew, please put this patch after
"kasan, vmalloc: only tag normal vmalloc allocations".
---
kernel/scs.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/kernel/scs.c b/kernel/scs.c
index 1033a76a3284..b7e1b096d906 100644
--- a/kernel/scs.c
+++ b/kernel/scs.c
@@ -32,16 +32,19 @@ static void *__scs_alloc(int node)

for (i = 0; i < NR_CACHED_SCS; i++) {
s = this_cpu_xchg(scs_cache[i], NULL);
if (s) {
- kasan_unpoison_vmalloc(s, SCS_SIZE,

- KASAN_VMALLOC_PROT_NORMAL);
+ s = kasan_unpoison_vmalloc(s, SCS_SIZE,

+ KASAN_VMALLOC_PROT_NORMAL);
memset(s, 0, SCS_SIZE);

- return s;
+ goto out;
}
}

- return __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
+ s = __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
GFP_SCS, PAGE_KERNEL, 0, node,
__builtin_return_address(0));
+
+out:
+ return kasan_reset_tag(s);
}

void *scs_alloc(int node)
--
2.25.1

[andrey.k...@linux.dev]

From: Andrey Konovalov <andre...@google.com>

"kasan, vmalloc: only tag normal vmalloc allocations" unintentionally
disabled poisoning of executable memory for the Generic mode. Fix it.

Reported-by: Vasily Gorbik <g...@linux.ibm.com>

Signed-off-by: Andrey Konovalov <andre...@google.com>
---

mm/kasan/shadow.c | 5 +++--

1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
index 7272e248db87..a4f07de21771 100644
--- a/mm/kasan/shadow.c
+++ b/mm/kasan/shadow.c
@@ -489,10 +489,11 @@ void *__kasan_unpoison_vmalloc(const void *start, unsigned long size,
return (void *)start;

/*
- * Don't tag executable memory.
+ * Don't tag executable memory with the tag-based mode.
* The kernel doesn't tolerate having the PC register tagged.
*/
- if (!(flags & KASAN_VMALLOC_PROT_NORMAL))
+ if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) &&
+ !(flags & KASAN_VMALLOC_PROT_NORMAL))
return (void *)start;

start = set_tag(start, kasan_random_tag());
--
2.25.1