[PATCH RFC v2] mm/shmem: set __GFP_SKIP_KASAN for swap_cluster_readahead
1 view
Skip to first unread message
Chia-I Wu via B4 Relay
12:32 AM (15 hours ago) 12:32 AM
to Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Hugh Dickins, Baolin Wang, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, Boris Brezillon, Chia-I Wu
From: Chia-I Wu <olv...@gmail.com>
swap_cluster_readahead can allocate folios for other mappings. If the
gfp flags do not have __GFP_SKIP_KASAN, but the other mappings have
PROT_MTE, we can end up with false KASAN errors such as
BUG: KASAN: invalid-access in swap_writepage+0xb0/0x21c
Read at addr f5ffff81aa71dff8 by task WM.task-4/6956
Pointer tag: [f5], memory tag: [f9]
In the above example, because __GFP_SKIP_KASAN was missing, KASAN set
both pointer tag and memory tag to 0xf5 when swap_cluster_readahead
allocated the folio. But the userspace had already set the memory tag to
0xf9 before swapped out. arch_swap_restore restored the memory tag back
to 0xf9, leading to the mismatch.
Signed-off-by: Chia-I Wu <olv...@gmail.com>
---
Changes in v2:
- set __GFP_SKIP_KASAN for shmem instead of drm/panthor
- Link to v1: https://patch.msgid.link/20260512-panthor-kas...@gmail.com
---
mm/shmem.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/mm/shmem.c b/mm/shmem.c
index 3b5dc21b323c2..db9130a8c5b76 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1784,6 +1784,11 @@ static struct folio *shmem_swapin_cluster(swp_entry_t swap, gfp_t gfp,
pgoff_t ilx;
struct folio *folio;
+ /* swap_cluster_readahead might cross the mapping boundary and
+ * allocate pages for other mappings. We have to skip KASAN.
+ */
+ gfp |= __GFP_SKIP_KASAN;
+
mpol = shmem_get_pgoff_policy(info, index, 0, &ilx);
folio = swap_cluster_readahead(swap, gfp, mpol, ilx);
mpol_cond_put(mpol);
---
base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
change-id: 20260512-panthor-kasan-10477239bad1
Best regards,
--
Chia-I Wu <olv...@gmail.com>
swap_cluster_readahead can allocate folios for other mappings. If the
gfp flags do not have __GFP_SKIP_KASAN, but the other mappings have
PROT_MTE, we can end up with false KASAN errors such as
BUG: KASAN: invalid-access in swap_writepage+0xb0/0x21c
Read at addr f5ffff81aa71dff8 by task WM.task-4/6956
Pointer tag: [f5], memory tag: [f9]
In the above example, because __GFP_SKIP_KASAN was missing, KASAN set
both pointer tag and memory tag to 0xf5 when swap_cluster_readahead
allocated the folio. But the userspace had already set the memory tag to
0xf9 before swapped out. arch_swap_restore restored the memory tag back
to 0xf9, leading to the mismatch.
Signed-off-by: Chia-I Wu <olv...@gmail.com>
---
Changes in v2:
- set __GFP_SKIP_KASAN for shmem instead of drm/panthor
- Link to v1: https://patch.msgid.link/20260512-panthor-kas...@gmail.com
---
mm/shmem.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/mm/shmem.c b/mm/shmem.c
index 3b5dc21b323c2..db9130a8c5b76 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1784,6 +1784,11 @@ static struct folio *shmem_swapin_cluster(swp_entry_t swap, gfp_t gfp,
pgoff_t ilx;
struct folio *folio;
+ /* swap_cluster_readahead might cross the mapping boundary and
+ * allocate pages for other mappings. We have to skip KASAN.
+ */
+ gfp |= __GFP_SKIP_KASAN;
+
mpol = shmem_get_pgoff_policy(info, index, 0, &ilx);
folio = swap_cluster_readahead(swap, gfp, mpol, ilx);
mpol_cond_put(mpol);
---
base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8
change-id: 20260512-panthor-kasan-10477239bad1
Best regards,
--
Chia-I Wu <olv...@gmail.com>
Baolin Wang
6:04 AM (9 hours ago) 6:04 AM
to olv...@gmail.com, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Hugh Dickins, Kairui Song, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, Boris Brezillon
CC Kairui,
If we force __GFP_SKIP_KASAN, would this cause issues for mappings that
explicitly should NOT have the flag? and your v1 link already mentions
this scenario.
Additionally, I'm wondering if we could use shmem_should_replace_folio()
to detect such cases where shmem is being prematurely swapped in with
incorrect GFP flags (e.g.: __GFP_SKIP_KASAN), and then handle it through
shmem_replace_folio()?
explicitly should NOT have the flag? and your v1 link already mentions
this scenario.
Additionally, I'm wondering if we could use shmem_should_replace_folio()
to detect such cases where shmem is being prematurely swapped in with
incorrect GFP flags (e.g.: __GFP_SKIP_KASAN), and then handle it through
shmem_replace_folio()?
Chia-I Wu
1:06 PM (2 hours ago) 1:06 PM
to Baolin Wang, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Hugh Dickins, Kairui Song, kasa...@googlegroups.com, linu...@kvack.org, linux-...@vger.kernel.org, Boris Brezillon
by forcing the flag.
The other mappings swap_cluster_readahead can affect are anon
mappings, regular shmem mappings, or gpu shmem mappings. I think only
gpu shmem mappings miss __GFP_SKIP_KASAN. That might not even be
intentional, because gpu shmem mappings pick GFP_HIGHUSER over
GFP_HIGHUSER_MOVABLE to avoid __GFP_MOVABLE. That was before
__GFP_SKIP_KASAN was added to GFP_HIGHUSER_MOVABLE.
I guess what I am trying to say is these are all user pages. We have
to skip kasan when user pages can be mapped PROT_MTE. The
justification for gpu shmem mappings is that they cannot be mapped
PROT_MTE. But if readahead can affect non-gpu shmem mappings, it seems
we have to either force __GFP_SKIP_KASAN or to cap/disable readahead.
>
> Additionally, I'm wondering if we could use shmem_should_replace_folio()
> to detect such cases where shmem is being prematurely swapped in with
> incorrect GFP flags (e.g.: __GFP_SKIP_KASAN), and then handle it through
> shmem_replace_folio()?
importantly, this only helps shmem mappings but not anon mappings.
Reply all
Reply to author
Forward
0 new messages