[merged mm-stable] kmsan-support-slab_poison.patch removed from -mm tree

[Andrew Morton]

The quilt patch titled
Subject: kmsan: support SLAB_POISON
has been removed from the -mm tree. Its filename was
kmsan-support-slab_poison.patch

This patch was dropped because it was merged into the mm-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

------------------------------------------------------
From: Ilya Leoshkevich <i...@linux.ibm.com>
Subject: kmsan: support SLAB_POISON
Date: Fri, 21 Jun 2024 13:34:57 +0200

Avoid false KMSAN negatives with SLUB_DEBUG by allowing kmsan_slab_free()
to poison the freed memory, and by preventing init_object() from
unpoisoning new allocations by using __memset().

There are two alternatives to this approach. First, init_object() can be
marked with __no_sanitize_memory. This annotation should be used with
great care, because it drops all instrumentation from the function, and
any shadow writes will be lost. Even though this is not a concern with
the current init_object() implementation, this may change in the future.

Second, kmsan_poison_memory() calls may be added after memset() calls.
The downside is that init_object() is called from free_debug_processing(),
in which case poisoning will erase the distinction between simply
uninitialized memory and UAF.

Link: https://lkml.kernel.org/r/20240621113706...@linux.ibm.com
Signed-off-by: Ilya Leoshkevich <i...@linux.ibm.com>
Reviewed-by: Alexander Potapenko <gli...@google.com>
Cc: Alexander Gordeev <agor...@linux.ibm.com>
Cc: Christian Borntraeger <bornt...@linux.ibm.com>
Cc: Christoph Lameter <c...@linux.com>
Cc: David Rientjes <rien...@google.com>
Cc: Dmitry Vyukov <dvy...@google.com>
Cc: Heiko Carstens <h...@linux.ibm.com>
Cc: Hyeonggon Yoo <42.h...@gmail.com>
Cc: Joonsoo Kim <iamjoon...@lge.com>
Cc: <kasa...@googlegroups.com>
Cc: Marco Elver <el...@google.com>
Cc: Mark Rutland <mark.r...@arm.com>
Cc: Masami Hiramatsu (Google) <mhir...@kernel.org>
Cc: Pekka Enberg <pen...@kernel.org>
Cc: Roman Gushchin <roman.g...@linux.dev>
Cc: Steven Rostedt (Google) <ros...@goodmis.org>
Cc: Sven Schnelle <sv...@linux.ibm.com>
Cc: Vasily Gorbik <g...@linux.ibm.com>
Cc: Vlastimil Babka <vba...@suse.cz>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
---

mm/kmsan/hooks.c | 2 +-
mm/slub.c | 15 +++++++++++----
2 files changed, 12 insertions(+), 5 deletions(-)

--- a/mm/kmsan/hooks.c~kmsan-support-slab_poison
+++ a/mm/kmsan/hooks.c
@@ -74,7 +74,7 @@ void kmsan_slab_free(struct kmem_cache *
return;

/* RCU slabs could be legally used after free within the RCU period */
- if (unlikely(s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)))
+ if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU))
return;
/*
* If there's a constructor, freed memory must remain in the same state
--- a/mm/slub.c~kmsan-support-slab_poison
+++ a/mm/slub.c
@@ -1139,7 +1139,13 @@ static void init_object(struct kmem_cach
unsigned int poison_size = s->object_size;

if (s->flags & SLAB_RED_ZONE) {
- memset(p - s->red_left_pad, val, s->red_left_pad);
+ /*
+ * Here and below, avoid overwriting the KMSAN shadow. Keeping
+ * the shadow makes it possible to distinguish uninit-value
+ * from use-after-free.
+ */
+ memset_no_sanitize_memory(p - s->red_left_pad, val,
+ s->red_left_pad);

if (slub_debug_orig_size(s) && val == SLUB_RED_ACTIVE) {
/*
@@ -1152,12 +1158,13 @@ static void init_object(struct kmem_cach
}

if (s->flags & __OBJECT_POISON) {
- memset(p, POISON_FREE, poison_size - 1);
- p[poison_size - 1] = POISON_END;
+ memset_no_sanitize_memory(p, POISON_FREE, poison_size - 1);
+ memset_no_sanitize_memory(p + poison_size - 1, POISON_END, 1);
}

if (s->flags & SLAB_RED_ZONE)
- memset(p + poison_size, val, s->inuse - poison_size);
+ memset_no_sanitize_memory(p + poison_size, val,
+ s->inuse - poison_size);
}

static void restore_bytes(struct kmem_cache *s, char *message, u8 data,
_

Patches currently in -mm which might be from i...@linux.ibm.com are