lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <42483a2b-efb9-88a8-02b2-9f44eed3d418@ghiti.fr>
Date:   Wed, 24 Feb 2021 14:11:07 -0500
From:   Alex Ghiti <alex@...ti.fr>
To:     Nylon Chen <nylon7@...estech.com>
Cc:     "aou@...s.berkeley.edu" <aou@...s.berkeley.edu>,
        Nick Chun-Ming Hu(胡峻銘) 
        <nickhu@...estech.com>,
        Alan Quey-Liang Kao(高魁良) 
        <alankao@...estech.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "kasan-dev@...glegroups.com" <kasan-dev@...glegroups.com>,
        "nylon7717@...il.com" <nylon7717@...il.com>,
        "aryabinin@...tuozzo.com" <aryabinin@...tuozzo.com>,
        Palmer Dabbelt <palmer@...belt.com>,
        Paul Walmsley <paul.walmsley@...ive.com>,
        "glider@...gle.com" <glider@...gle.com>,
        "linux-riscv@...ts.infradead.org" <linux-riscv@...ts.infradead.org>,
        "dvyukov@...gle.com" <dvyukov@...gle.com>
Subject: Re: [PATCH v2 1/1] riscv/kasan: add KASAN_VMALLOC support

Hi Nylon,

Le 2/22/21 à 12:13 PM, Alex Ghiti a écrit :
> Le 2/21/21 à 8:37 PM, Nylon Chen a écrit :
>> Hi Alex, Palmer
>>
>> Sorry I missed this message.
>> On Sun, Feb 21, 2021 at 09:38:04PM +0800, Alex Ghiti wrote:
>>> Le 2/13/21 à 5:52 AM, Alex Ghiti a écrit :
>>>> Hi Nylon, Palmer,
>>>>
>>>> Le 2/8/21 à 1:28 AM, Alex Ghiti a écrit :
>>>>> Hi Nylon,
>>>>>
>>>>> Le 1/22/21 à 10:56 PM, Palmer Dabbelt a écrit :
>>>>>> On Fri, 15 Jan 2021 21:58:35 PST (-0800), nylon7@...estech.com wrote:
>>>>>>> It references to x86/s390 architecture.
>>>>>>>>> So, it doesn't map the early shadow page to cover VMALLOC space.
>>>>>>>
>>>>>>> Prepopulate top level page table for the range that would 
>>>>>>> otherwise be
>>>>>>> empty.
>>>>>>>
>>>>>>> lower levels are filled dynamically upon memory allocation while
>>>>>>> booting.
>>>>>
>>>>> I think we can improve the changelog a bit here with something like 
>>>>> that:
>>>>>
>>>>> "KASAN vmalloc space used to be mapped using kasan early shadow page.
>>>>> KASAN_VMALLOC requires the top-level of the kernel page table to be
>>>>> properly populated, lower levels being filled dynamically upon memory
>>>>> allocation at runtime."
>>>>>
>>>>>>>
>>>>>>> Signed-off-by: Nylon Chen <nylon7@...estech.com>
>>>>>>> Signed-off-by: Nick Hu <nickhu@...estech.com>
>>>>>>> ---
>>>>>>>   arch/riscv/Kconfig         |  1 +
>>>>>>>   arch/riscv/mm/kasan_init.c | 57 
>>>>>>> +++++++++++++++++++++++++++++++++++++-
>>>>>>>   2 files changed, 57 insertions(+), 1 deletion(-)
>>>>>>>
>>>>>>> diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
>>>>>>> index 81b76d44725d..15a2c8088bbe 100644
>>>>>>> --- a/arch/riscv/Kconfig
>>>>>>> +++ b/arch/riscv/Kconfig
>>>>>>> @@ -57,6 +57,7 @@ config RISCV
>>>>>>>       select HAVE_ARCH_JUMP_LABEL
>>>>>>>       select HAVE_ARCH_JUMP_LABEL_RELATIVE
>>>>>>>       select HAVE_ARCH_KASAN if MMU && 64BIT
>>>>>>> +    select HAVE_ARCH_KASAN_VMALLOC if MMU && 64BIT
>>>>>>>       select HAVE_ARCH_KGDB
>>>>>>>       select HAVE_ARCH_KGDB_QXFER_PKT
>>>>>>>       select HAVE_ARCH_MMAP_RND_BITS if MMU
>>>>>>> diff --git a/arch/riscv/mm/kasan_init.c b/arch/riscv/mm/kasan_init.c
>>>>>>> index 12ddd1f6bf70..4b9149f963d3 100644
>>>>>>> --- a/arch/riscv/mm/kasan_init.c
>>>>>>> +++ b/arch/riscv/mm/kasan_init.c
>>>>>>> @@ -9,6 +9,19 @@
>>>>>>>   #include <linux/pgtable.h>
>>>>>>>   #include <asm/tlbflush.h>
>>>>>>>   #include <asm/fixmap.h>
>>>>>>> +#include <asm/pgalloc.h>
>>>>>>> +
>>>>>>> +static __init void *early_alloc(size_t size, int node)
>>>>>>> +{
>>>>>>> +    void *ptr = memblock_alloc_try_nid(size, size,
>>>>>>> +        __pa(MAX_DMA_ADDRESS), MEMBLOCK_ALLOC_ACCESSIBLE, node);
>>>>>>> +
>>>>>>> +    if (!ptr)
>>>>>>> +        panic("%pS: Failed to allocate %zu bytes align=%zx nid=%d
>>>>>>> from=%llx\n",
>>>>>>> +            __func__, size, size, node, 
>>>>>>> (u64)__pa(MAX_DMA_ADDRESS));
>>>>>>> +
>>>>>>> +    return ptr;
>>>>>>> +}
>>>>>>>
>>>>>>>   extern pgd_t early_pg_dir[PTRS_PER_PGD];
>>>>>>>   asmlinkage void __init kasan_early_init(void)
>>>>>>> @@ -83,6 +96,40 @@ static void __init populate(void *start, void 
>>>>>>> *end)
>>>>>>>       memset(start, 0, end - start);
>>>>>>>   }
>>>>>>>
>>>>>>> +void __init kasan_shallow_populate(void *start, void *end)
>>>>>>> +{
>>>>>>> +    unsigned long vaddr = (unsigned long)start & PAGE_MASK;
>>>>>>> +    unsigned long vend = PAGE_ALIGN((unsigned long)end);
>>>>>>> +    unsigned long pfn;
>>>>>>> +    int index;
>>>>>>> +    void *p;
>>>>>>> +    pud_t *pud_dir, *pud_k;
>>>>>>> +    pgd_t *pgd_dir, *pgd_k;
>>>>>>> +    p4d_t *p4d_dir, *p4d_k;
>>>>>>> +
>>>>>>> +    while (vaddr < vend) {
>>>>>>> +        index = pgd_index(vaddr);
>>>>>>> +        pfn = csr_read(CSR_SATP) & SATP_PPN;
>>>>>
>>>>> At this point in the boot process, we know that we use swapper_pg_dir
>>>>> so no need to read SATP.
>>>>>
>>>>>>> +        pgd_dir = (pgd_t *)pfn_to_virt(pfn) + index;
>>>>>
>>>>> Here, this pgd_dir assignment is overwritten 2 lines below, so no need
>>>>> for it.
>>>>>
>>>>>>> +        pgd_k = init_mm.pgd + index;
>>>>>>> +        pgd_dir = pgd_offset_k(vaddr);
>>>>>
>>>>> pgd_offset_k(vaddr) = init_mm.pgd + pgd_index(vaddr) so pgd_k == 
>>>>> pgd_dir.
>>>>>
>>>>>>> +        set_pgd(pgd_dir, *pgd_k);
>>>>>>> +
>>>>>>> +        p4d_dir = p4d_offset(pgd_dir, vaddr);
>>>>>>> +        p4d_k  = p4d_offset(pgd_k, vaddr);
>>>>>>> +
>>>>>>> +        vaddr = (vaddr + PUD_SIZE) & PUD_MASK;
>>>>>
>>>>> Why do you increase vaddr *before* populating the first one ? And
>>>>> pud_addr_end does that properly: it returns the next pud address if it
>>>>> does not go beyond end address to map.
>>>>>
>>>>>>> +        pud_dir = pud_offset(p4d_dir, vaddr);
>>>>>>> +        pud_k = pud_offset(p4d_k, vaddr);
>>>>>>> +
>>>>>>> +        if (pud_present(*pud_dir)) {
>>>>>>> +            p = early_alloc(PAGE_SIZE, NUMA_NO_NODE);
>>>>>>> +            pud_populate(&init_mm, pud_dir, p);
>>>>>
>>>>> init_mm is not needed here.
>>>>>
>>>>>>> +        }
>>>>>>> +        vaddr += PAGE_SIZE;
>>>>>
>>>>> Why do you need to add PAGE_SIZE ? vaddr already points to the next 
>>>>> pud.
>>>>>
>>>>> It seems like this patch tries to populate userspace page table
>>>>> whereas at this point in the boot process, only swapper_pg_dir is used
>>>>> or am I missing something ?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Alex
>>>>
>>>> I implemented this morning a version that fixes all the comments I made
>>>> earlier. I was able to insert test_kasan_module on both sv39 and sv48
>>>> without any modification: set_pgd "goes through" all the unused page
>>>> table levels, whereas p*d_populate are noop for unused levels.
>>>>
>>>> If you have any comment, do not hesitate.
>>>>
>>>> diff --git a/arch/riscv/mm/kasan_init.c b/arch/riscv/mm/kasan_init.c
>>>> index adbf94b7e68a..d643b222167c 100644
>>>> --- a/arch/riscv/mm/kasan_init.c
>>>> +++ b/arch/riscv/mm/kasan_init.c
>>>> @@ -195,6 +195,31 @@ static void __init kasan_populate(void *start, 
>>>> void
>>>> *end)
>>>>           memset(start, KASAN_SHADOW_INIT, end - start);
>>>>    }
>>>>
>>>>
>>>> +void __init kasan_shallow_populate_pgd(unsigned long vaddr, unsigned
>>>> long end)
>>>> +{
>>>> +       unsigned long next;
>>>> +       void *p;
>>>> +       pgd_t *pgd_k = pgd_offset_k(vaddr);
>>>> +
>>>> +       do {
>>>> +               next = pgd_addr_end(vaddr, end);
>>>> +               if (pgd_page_vaddr(*pgd_k) == (unsigned
>>>> long)lm_alias(kasan_early_shadow_pgd_next)) {
>>>> +                       p = memblock_alloc(PAGE_SIZE, PAGE_SIZE);
>>>> +                       set_pgd(pgd_k, pfn_pgd(PFN_DOWN(__pa(p)),
>>>> PAGE_TABLE));
>>>> +               }
>>>> +       } while (pgd_k++, vaddr = next, vaddr != end);
>>>> +}
>>>> +
>>>
>>> This way of going through the page table seems to be largely used across
>>> the kernel (cf KASAN population functions of arm64/x86) so I do think
>>> this patch brings value to Nylon and Nick's patch.
>>>
>>> I can propose a real patch if you agree and I'll add a co-developed by
>>> Nylon/Nick since this only 'improves' theirs.
>>>
>>> Thanks,
>>>
>>> Alex
>>>
>> I agree with your proposal, but when I try your patch that it dosen't 
>> work
>> because `kasan_early_shadow_pgd_next` function wasn't define.
> 
> Oops, I messed up my rebase, please replace 
> 'kasan_early_shadow_pgd_next' with 'kasan_early_shadow_pmd'.
> 
> Thank you for your feeback,
> 
> Alex
> 

Did you have time to test the above fix ? It would be nice to replace 
your current patch with the above solution before it gets merged for 
5.12, I will propose something tomorrow, feel free to review and test :)

Thanks again,

Alex

>>
>> Do you have complete patch? or just I missed some content?
>>>> +void __init kasan_shallow_populate(void *start, void *end)
>>>> +{
>>>> +       unsigned long vaddr = (unsigned long)start & PAGE_MASK;
>>>> +       unsigned long vend = PAGE_ALIGN((unsigned long)end);
>>>> +
>>>> +       kasan_shallow_populate_pgd(vaddr, vend);
>>>> +
>>>> +       local_flush_tlb_all();
>>>> +}
>>>> +
>>>>    void __init kasan_init(void)
>>>>    {
>>>>           phys_addr_t _start, _end;
>>>> @@ -206,7 +231,15 @@ void __init kasan_init(void)
>>>>            */
>>>>           kasan_populate_early_shadow((void *)KASAN_SHADOW_START,
>>>>                                       (void 
>>>> *)kasan_mem_to_shadow((void *)
>>>> - VMALLOC_END));
>>>> + VMEMMAP_END));
>>>> +       if (IS_ENABLED(CONFIG_KASAN_VMALLOC))
>>>> +               kasan_shallow_populate(
>>>> +                       (void *)kasan_mem_to_shadow((void 
>>>> *)VMALLOC_START),
>>>> +                       (void *)kasan_mem_to_shadow((void 
>>>> *)VMALLOC_END));
>>>> +       else
>>>> +               kasan_populate_early_shadow(
>>>> +                       (void *)kasan_mem_to_shadow((void 
>>>> *)VMALLOC_START),
>>>> +                       (void *)kasan_mem_to_shadow((void 
>>>> *)VMALLOC_END));
>>>>
>>>>
>>>>           /* Populate the linear mapping */
>>>>           for_each_mem_range(i, &_start, &_end) {
>>
>> _______________________________________________
>> linux-riscv mailing list
>> linux-riscv@...ts.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-riscv
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ