Commit KASAN patches to Chromium OS 4.4 kernel

Issue description: Using issue 545468 as the reference, backport every patch required to run KASAN and syzkaller on the 4.4 kernel.

Jul 25 2016
Jul 26 2016
Below is the list of patches present in 3.18 but missing in 4.4:
UPSTREAM: kernel: add kcov code coverage
UPSTREAM: mm/slab: remove the checks for slab implementation bug
UPSTREAM: mm/slab: remove object status buffer for DEBUG_SLAB_LEAK
UPSTREAM: mm/slab: alternative implementation for DEBUG_SLAB_LEAK
UPSTREAM: kasan: modify kmalloc_large_oob_right(), add kmalloc_pagealloc_oob_right()
UPSTREAM: mm/slab: clean up DEBUG_PAGEALLOC processing code
UPSTREAM: mm/slab: use more appropriate condition check for debug_pagealloc
UPSTREAM: mm/slab: activate debug_pagealloc in SLAB when it is actually enabled
UPSTREAM: mm/slab: fix stale code comment
UPSTREAM: mm/slab: remove useless structure define
UPSTREAM: mm/slab: align cache size first before determination of OFF_SLAB candidate
UPSTREAM: mm/mempool: avoid KASAN marking mempool poison checks as use-after-free
UPSTREAM: mm, kasan: SLAB support
UPSTREAM: mm/slab: factor out debugging initialization in cache_init_objs()
UPSTREAM: mm/slab: do not change cache size if debug pagealloc isn't possible
BACKPORT: mm/slab: move SLUB alloc hooks to common mm/slab.h
UPSTREAM: mm, kasan: fix compilation for CONFIG_SLAB
UPSTREAM: kasan: test fix: warn if the UAF could not be detected in kmalloc_uaf2
UPSTREAM: mm, kasan: stackdepot implementation. Enable stackdepot for SLAB
BACKPORT: arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections
UPSTREAM: mm, kasan: add GFP flags to KASAN API
UPSTREAM: mm/slab: make criteria for off slab determination robust and simple
UPSTREAM: mm/slab: clean up cache type determination
UPSTREAM: mm/slab: put the freelist at the end of slab page
BACKPORT: mm: kasan: initial memory quarantine implementation
UPSTREAM: kasan/quarantine: fix bugs on qlist_move_cache()
UPSTREAM: mm: mempool: kasan: don't poot mempool objects in quarantine
UPSTREAM: kasan: change memory hot-add error messages to info messages
UPSTREAM: mm: kasan: remove unused 'reserved' field from struct kasan_alloc_meta
UPSTREAM: mm/kasan: add API to check memory regions
UPSTREAM: MAINTAINERS: fill entries for KASAN
UPSTREAM: mm/kasan: print name of mem[set,cpy,move]() caller in report
Jul 26 2016
Do you plan to cherry-pick the missing patches into 4.4?
Jul 26 2016
Yes, I am currently testing the patch series.
Jul 26 2016
Sent https://chromium-review.googlesource.com/#/c/363402/ for review. Actual list of patches below:
https://chromium-review.googlesource.com/363402 UPSTREAM: kernel: add kcov code coverage
https://chromium-review.googlesource.com/363403 UPSTREAM: mm/slab: remove the checks for slab implementation bug
https://chromium-review.googlesource.com/363404 UPSTREAM: mm/slab: move SLUB alloc hooks to common mm/slab.h
https://chromium-review.googlesource.com/363405 UPSTREAM: mm/slab: fix stale code comment
https://chromium-review.googlesource.com/363406 UPSTREAM: mm/slab: remove useless structure define
https://chromium-review.googlesource.com/363407 UPSTREAM: mm/slab: activate debug_pagealloc in SLAB when it is actually enabled
https://chromium-review.googlesource.com/363408 UPSTREAM: mm/slab: use more appropriate condition check for debug_pagealloc
https://chromium-review.googlesource.com/363409 UPSTREAM: mm/slab: clean up DEBUG_PAGEALLOC processing code
https://chromium-review.googlesource.com/363420 UPSTREAM: mm/slab: alternative implementation for DEBUG_SLAB_LEAK
https://chromium-review.googlesource.com/363421 UPSTREAM: mm/slab: remove object status buffer for DEBUG_SLAB_LEAK
https://chromium-review.googlesource.com/363422 UPSTREAM: kasan: modify kmalloc_large_oob_right(), add kmalloc_pagealloc_oob_...
https://chromium-review.googlesource.com/363423 UPSTREAM: mm/slab: align cache size first before determination of OFF_SLAB ...
https://chromium-review.googlesource.com/363424 UPSTREAM: mm/mempool: avoid KASAN marking mempool poison checks as use-after-...
https://chromium-review.googlesource.com/363425 UPSTREAM: mm/slab: factor out debugging initialization in cache_init_objs()
https://chromium-review.googlesource.com/363426 UPSTREAM: mm, kasan: SLAB support
https://chromium-review.googlesource.com/363427 UPSTREAM: mm/slab: do not change cache size if debug pagealloc isn't possible
https://chromium-review.googlesource.com/363428 UPSTREAM: arch, ftrace: for KASAN put hard/soft IRQ entries into separate ...
https://chromium-review.googlesource.com/363429 UPSTREAM: mm, kasan: stackdepot implementation. Enable stackdepot for SLAB
https://chromium-review.googlesource.com/363430 UPSTREAM: kasan: test fix: warn if the UAF could not be detected in kmalloc_uaf2
https://chromium-review.googlesource.com/363431 UPSTREAM: mm, kasan: fix compilation for CONFIG_SLAB
https://chromium-review.googlesource.com/363432 UPSTREAM: mm, kasan: add GFP flags to KASAN API
https://chromium-review.googlesource.com/363433 UPSTREAM: mm/slab: put the freelist at the end of slab page
https://chromium-review.googlesource.com/363434 UPSTREAM: mm/slab: clean up cache type determination
https://chromium-review.googlesource.com/363435 UPSTREAM: mm/slab: make criteria for off slab determination robust and simple
https://chromium-review.googlesource.com/363436 UPSTREAM: mm: kasan: initial memory quarantine implementation
https://chromium-review.googlesource.com/363437 UPSTREAM: mm/kasan: print name of mem[set,cpy,move]() caller in report
https://chromium-review.googlesource.com/363438 UPSTREAM: MAINTAINERS: fill entries for KASAN
https://chromium-review.googlesource.com/363439 UPSTREAM: mm/kasan: add API to check memory regions
https://chromium-review.googlesource.com/363440 UPSTREAM: mm: kasan: remove unused 'reserved' field from struct kasan_alloc_meta
https://chromium-review.googlesource.com/363441 UPSTREAM: kasan: change memory hot-add error messages to info messages
https://chromium-review.googlesource.com/363442 UPSTREAM: mm: mempool: kasan: don't poot mempool objects in quarantine
https://chromium-review.googlesource.com/363443 UPSTREAM: kasan/quarantine: fix bugs on qlist_move_cache()
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e0fb3e0350bde285650078d9d765da5bd6a1574b

commit e0fb3e0350bde285650078d9d765da5bd6a1574b
Author: Dmitry Vyukov <dvyukov@google.com>
Date: Tue Mar 22 21:27:30 2016

UPSTREAM: kernel: add kcov code coverage

kcov provides code coverage collection for coverage-guided fuzzing (randomized testing). Coverage-guided fuzzing is a testing technique that uses coverage feedback to determine new interesting inputs to a system. A notable user-space example is AFL (http://lcamtuf.coredump.cx/afl/). However, this technique is not widely used for kernel testing due to missing compiler and kernel support.

kcov does not aim to collect as much coverage as possible. It aims to collect more or less stable coverage that is a function of syscall inputs. To achieve this goal it does not collect coverage in soft/hard interrupts and instrumentation of some inherently non-deterministic or non-interesting parts of kernel is disabled (e.g. scheduler, locking).

Currently there is a single coverage collection mode (tracing), but the API anticipates additional collection modes. Initially I also implemented a second mode which exposes coverage in a fixed-size hash table of counters (what Quentin used in his original patch). I've dropped the second mode for simplicity.

This patch adds the necessary support on kernel side. The complementary compiler support was added in gcc revision 231296.

We've used this support to build syzkaller system call fuzzer, which has found 90 kernel bugs in just 2 months: https://github.com/google/syzkaller/wiki/Found-Bugs
We've also found 30+ bugs in our internal systems with syzkaller. Another (yet unexplored) direction where kcov coverage would greatly help is more traditional "blob mutation". For example, mounting a random blob as a filesystem, or receiving a random blob over wire.

Why not gcov. Typical fuzzing loop looks as follows: (1) reset coverage, (2) execute a bit of code, (3) collect coverage, repeat. A typical coverage can be just a dozen of basic blocks (e.g. an invalid input). In such context gcov becomes prohibitively expensive as reset/collect coverage steps depend on total number of basic blocks/edges in program (in case of kernel it is about 2M). Cost of kcov depends only on number of executed basic blocks/edges. On top of that, kernel requires per-thread coverage because there are always background threads and unrelated processes that also produce coverage. With inlined gcov instrumentation per-thread coverage is not possible.

kcov exposes kernel PCs and control flow to user-space which is insecure. But debugfs should not be mapped as user accessible.

Based on a patch by Quentin Casasnovas.

[akpm@linux-foundation.org: make task_struct.kcov_mode have type `enum kcov_mode']
[akpm@linux-foundation.org: unbreak allmodconfig]
[akpm@linux-foundation.org: follow x86 Makefile layout standards]
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Tavis Ormandy <taviso@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@google.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: David Drysdale <drysdale@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 5c9a8750a6409c63a0f01d51a9024861022f6593)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Conflicts:
	Makefile
	mm/kasan/Makefile
	scripts/Makefile.lib
[glider: minor context conflicts]

Change-Id: I08842b0e9cee1c0cc9d259b7ed664516af88be89
Reviewed-on: https://chromium-review.googlesource.com/363402
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/kernel/cpu/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/kernel/fork.c
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/lib/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/mm/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/kernel/apic/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/Kconfig
[add] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/kernel/kcov.c
[add] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/include/uapi/linux/kcov.h
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/scripts/Makefile.lib
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/kernel/locking/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/mm/Makefile
[add] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/Documentation/kcov.txt
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/lib/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/mm/kasan/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/lib/Kconfig.debug
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/kernel/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/realmode/rm/Makefile
[add] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/include/linux/kcov.h
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/boot/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/kernel/rcu/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/entry/vdso/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/arch/x86/boot/compressed/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/kernel/exit.c
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/kernel/sched/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/include/linux/sched.h
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/kernel/Makefile
[modify] https://crrev.com/e0fb3e0350bde285650078d9d765da5bd6a1574b/drivers/firmware/efi/libstub/Makefile
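The reset / execute / collect loop that the kcov commit message describes, written out as a user-space consumer. This is an added example, not code from the page, from the kcov patch or from syzkaller. It assumes the interface the patch introduces in include/uapi/linux/kcov.h (KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, a mmap'd trace buffer whose first word is the number of recorded PCs) and the debugfs path /sys/kernel/debug/kcov; the pc_set bookkeeping, COVER_SIZE, the function names and the sample buffers are this example's own constructions. kcov_new_pcs is the step that decides whether an input found new code and runs on any constructed buffer; main needs a kernel built with CONFIG_KCOV and debugfs mounted, and reports why if not.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

/* ioctl numbers as defined in include/uapi/linux/kcov.h by the kcov patch. */
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define COVER_SIZE      (64 << 10)   /* trace buffer size in unsigned long slots (chosen here) */

/* Corpus-side state of this example: every PC seen in any earlier run, kept sorted. */
struct pc_set {
    unsigned long *pcs;
    size_t n, cap;
};

/* Insert pc if absent. Returns 1 if it was new, 0 if already known, -1 on allocation failure. */
static int pc_set_add(struct pc_set *s, unsigned long pc)
{
    size_t lo = 0, hi = s->n;
    while (lo < hi) {                        /* binary search for the insert position */
        size_t mid = lo + (hi - lo) / 2;
        if (s->pcs[mid] < pc)
            lo = mid + 1;
        else if (s->pcs[mid] > pc)
            hi = mid;
        else
            return 0;
    }
    if (s->n == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 1024;
        unsigned long *p = realloc(s->pcs, ncap * sizeof *p);
        if (!p)
            return -1;
        s->pcs = p;
        s->cap = ncap;
    }
    memmove(&s->pcs[lo + 1], &s->pcs[lo], (s->n - lo) * sizeof *s->pcs);
    s->pcs[lo] = pc;
    s->n++;
    return 1;
}

/* Step (1) of the loop in the commit message: reset the trace before the next run. */
void kcov_reset(unsigned long *cover)
{
    __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
}

/* Step (3): read the trace the kernel wrote while coverage was enabled. cover[0] is the
 * number of recorded PCs, cover[1..n] the PCs themselves. Returns how many of them were
 * never seen before, i.e. whether this input reached new code and belongs in the corpus;
 * -1 on allocation failure. */
long kcov_new_pcs(unsigned long *cover, struct pc_set *seen)
{
    unsigned long n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
    if (n > COVER_SIZE - 1)
        n = COVER_SIZE - 1;                  /* the kernel stops recording once the buffer is full */
    long fresh = 0;
    for (unsigned long i = 1; i <= n; i++) {
        int r = pc_set_add(seen, cover[i]);
        if (r < 0)
            return -1;
        fresh += r;
    }
    return fresh;
}

/* Kernel-facing side: open, init, mmap, then enable/reset/run/collect/disable per round. */
int main(void)
{
    int fd = open("/sys/kernel/debug/kcov", O_RDWR);
    if (fd == -1) { perror("open /sys/kernel/debug/kcov"); return 1; }
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE)) { perror("KCOV_INIT_TRACE"); return 1; }
    unsigned long *cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
                                PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover == MAP_FAILED) { perror("mmap"); return 1; }

    struct pc_set seen = {0};
    for (int round = 0; round < 3; round++) {
        if (ioctl(fd, KCOV_ENABLE, 0)) { perror("KCOV_ENABLE"); return 1; }
        kcov_reset(cover);
        read(-1, NULL, 0);                   /* step (2): the traced "bit of code", a failing syscall */
        if (ioctl(fd, KCOV_DISABLE, 0)) { perror("KCOV_DISABLE"); return 1; }
        long fresh = kcov_new_pcs(cover, &seen);
        printf("round %d: %lu PCs recorded, %ld new, %zu known in total\n",
               round, cover[0], fresh, seen.n);
    }
    free(seen.pcs);
    munmap(cover, COVER_SIZE * sizeof(unsigned long));
    close(fd);
    return 0;
}
```

Only the thread that issued KCOV_ENABLE is traced, which is the per-thread property the commit message contrasts with gcov; the second and third rounds normally report few or no new PCs because the same syscall path was already seen. Reading cover[0] with a relaxed atomic load matches how the patch's documentation reads the counter, since the kernel updates it from the traced thread.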
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5c245d56eeb0a685f2f82b888b84632d156cfdc0

commit 5c245d56eeb0a685f2f82b888b84632d156cfdc0
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:12 2016

UPSTREAM: mm/slab: remove the checks for slab implementation bug

Some of "#if DEBUG" are for reporting slab implementation bug rather than user usecase bug. It's not really needed because slab is stable for a quite long time and it makes code too dirty. This patch removes it.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 260b61dd46ed07f517e4059ab9881402cbd6a385)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ibf90bb50700fdf48a47b15ec48a64e5bc41e45d1
Reviewed-on: https://chromium-review.googlesource.com/363403
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/5c245d56eeb0a685f2f82b888b84632d156cfdc0/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/941162aa51482089e60c874b5c4aa20d40ec5613

commit 941162aa51482089e60c874b5c4aa20d40ec5613
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:06 2016

UPSTREAM: mm/slab: fix stale code comment

This patchset implements a new freed object management way, that is, OBJFREELIST_SLAB. Purpose of it is to reduce memory overhead in SLAB.

SLAB needs an array to manage freed objects in a slab. If there is leftover after objects are packed into a slab, we can use it as a management array, and, in this case, there is no memory waste. But, in the other cases, we need to allocate extra memory for a management array or utilize dedicated internal memory in a slab for it. Both cases cause memory waste so it's not good.

With this patchset, freed object itself can be used for a management array. So, memory waste could be reduced. Detailed idea and numbers are described in last patch's commit description. Please refer to it.

In fact, I tested another idea implementing OBJFREELIST_SLAB with extendable linked array through another freed object. It can remove memory waste completely but it causes more computational overhead in critical lock path and it seems that overhead outweighs benefit. So, this patchset doesn't include it. I will attach prototype just for a reference.

This patch (of 16):

We use freelist_idx_t type for free object management whose size would be smaller than size of unsigned int. Fix it.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 12c61fe9b763812adac44522100527caf534462e)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I7004cc996428267c19891e8229e1a6ec56abbd21
Reviewed-on: https://chromium-review.googlesource.com/363405
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/941162aa51482089e60c874b5c4aa20d40ec5613/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0bc290d87d395cc200978478c75f080dfc2f9865

commit 0bc290d87d395cc200978478c75f080dfc2f9865
Author: Jesper Dangaard Brouer <brouer@redhat.com>
Date: Tue Mar 15 21:53:35 2016

UPSTREAM: mm/slab: move SLUB alloc hooks to common mm/slab.h

First step towards sharing alloc_hook's between SLUB and SLAB allocators. Move the SLUB allocators *_alloc_hook to the common mm/slab.h for internal slab definitions.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 11c7aec2a9b4e685bbf6a15148e7841b3525fc0c)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I2fa1b6306c4f66ce14a20f0bb552473b0edf49d3
Reviewed-on: https://chromium-review.googlesource.com/363404
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/0bc290d87d395cc200978478c75f080dfc2f9865/mm/slab.h
[modify] https://crrev.com/0bc290d87d395cc200978478c75f080dfc2f9865/mm/slub.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/68b1820adc479011a4cc4f281cdacb32b1c0882a

commit 68b1820adc479011a4cc4f281cdacb32b1c0882a
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:09 2016

UPSTREAM: mm/slab: remove useless structure define

It is obsolete so remove it.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6fb924304ac35f1ab9f3abe73527efcd5156131f)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: If79b2d221fa38ae5acda8d804d7db8e3deddc4c7
Reviewed-on: https://chromium-review.googlesource.com/363406
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/68b1820adc479011a4cc4f281cdacb32b1c0882a/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/88a4f0836781824b5dc51777da24096c036b6420

commit 88a4f0836781824b5dc51777da24096c036b6420
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:15 2016

UPSTREAM: mm/slab: activate debug_pagealloc in SLAB when it is actually enabled

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit a307ebd468e0b97c203f5a99a56a6017e4d1991a)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Idf2277e001b68916f6eff1f600ef889ebecd5226
Reviewed-on: https://chromium-review.googlesource.com/363407
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/88a4f0836781824b5dc51777da24096c036b6420/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b81c3f89b21c5693bffba8d7291be9521646d751

commit b81c3f89b21c5693bffba8d7291be9521646d751
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:18 2016

UPSTREAM: mm/slab: use more appropriate condition check for debug_pagealloc

debug_pagealloc debugging is related to SLAB_POISON flag rather than FORCED_DEBUG option, although FORCED_DEBUG option will enable SLAB_POISON. Fix it.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 40323278b557a5909bbecfa181c91a3af7afbbe3)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: If59061c6123561b77a02813aba307424b3e0da32
Reviewed-on: https://chromium-review.googlesource.com/363408
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/b81c3f89b21c5693bffba8d7291be9521646d751/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c35d12988ac70d14fc6cd25b1752b13e80913079

commit c35d12988ac70d14fc6cd25b1752b13e80913079
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:21 2016

UPSTREAM: mm/slab: clean up DEBUG_PAGEALLOC processing code

Currently, open code for checking DEBUG_PAGEALLOC cache is spread to some sites. It makes code unreadable and hard to change. This patch cleans up this code. The following patch will change the criteria for DEBUG_PAGEALLOC cache so this clean-up will help it, too.

[akpm@linux-foundation.org: fix build with CONFIG_DEBUG_PAGEALLOC=n]
Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 40b44137971c2e5865a78f9f7de274449983ccb5)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I76cfe720e16529e77b67f2c2470bf3a8dd14cd62
Reviewed-on: https://chromium-review.googlesource.com/363409
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/c35d12988ac70d14fc6cd25b1752b13e80913079/include/linux/mm.h
[modify] https://crrev.com/c35d12988ac70d14fc6cd25b1752b13e80913079/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1ed501c36b1fe2b1b41bc4a361f0d630cf4330fc

commit 1ed501c36b1fe2b1b41bc4a361f0d630cf4330fc
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:24 2016

UPSTREAM: mm/slab: alternative implementation for DEBUG_SLAB_LEAK

DEBUG_SLAB_LEAK is a debug option. Its current implementation requires status buffer so we need more memory to use it. And, it causes kmem_cache initialization step more complex.

To remove this extra memory usage and to simplify initialization step, this patch implements this feature with another way.

When user requests to get slab object owner information, it marks that getting information is started. And then, all free objects in caches are flushed to corresponding slab page. Now, we can distinguish all freed object so we can know all allocated objects, too. After collecting slab object owner information on allocated objects, mark is checked that there is no free during the processing. If true, we can be sure that our information is correct so information is returned to user.

Although this way is rather complex, it has two important benefits mentioned above. So, I think it is worth changing.

There is one drawback that it takes more time to get slab object owner information but it is just a debug option so it doesn't matter at all.

To help review, this patch implements new way only. Following patch will remove useless code.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit d31676dfde257cb2b3e52d4e657d8ad2251e4d49)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Id0c77bb559687d788f80c30d62137c6744b1ec52
Reviewed-on: https://chromium-review.googlesource.com/363420
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/1ed501c36b1fe2b1b41bc4a361f0d630cf4330fc/include/linux/slab_def.h
[modify] https://crrev.com/1ed501c36b1fe2b1b41bc4a361f0d630cf4330fc/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/094eefb80144701794a480beade0e314a5bd9d30

commit 094eefb80144701794a480beade0e314a5bd9d30
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:27 2016

UPSTREAM: mm/slab: remove object status buffer for DEBUG_SLAB_LEAK

Now, we don't use object status buffer in any setup. Remove it.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 249247b6f8ee362189a2f2bf598a14ff6c95fb4c)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I41d1e25f1058c43e2c95c51c07564c86c5a90a35
Reviewed-on: https://chromium-review.googlesource.com/363421
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/094eefb80144701794a480beade0e314a5bd9d30/mm/slab.c
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/52aa57db36b00debe1816e1e6e41541938126bb0

commit 52aa57db36b00debe1816e1e6e41541938126bb0
Author: Alexander Potapenko <glider@google.com>
Date: Fri Mar 25 21:21:56 2016

UPSTREAM: kasan: modify kmalloc_large_oob_right(), add kmalloc_pagealloc_oob_right()

This patchset implements SLAB support for KASAN.

Unlike SLUB, SLAB doesn't store allocation/deallocation stacks for heap objects, therefore we reimplement this feature in mm/kasan/stackdepot.c. The intention is to ultimately switch SLUB to use this implementation as well, which will save a lot of memory (right now SLUB bloats each object by 256 bytes to store the allocation/deallocation stacks).

Also neither SLUB nor SLAB delay the reuse of freed memory chunks, which is necessary for better detection of use-after-free errors. We introduce memory quarantine (mm/kasan/quarantine.c), which allows delayed reuse of deallocated memory.

This patch (of 7):

Rename kmalloc_large_oob_right() to kmalloc_pagealloc_oob_right(), as the test only checks the page allocator functionality. Also reimplement kmalloc_large_oob_right() so that the test allocates a large enough chunk of memory that still does not trigger the page allocator fallback.

Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit e6e8379c876de16c6b78f83b15d5ac32c79cb440)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I326e374e89b4e530db24b9b1b57bcc37a3281994
Reviewed-on: https://chromium-review.googlesource.com/363422
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/52aa57db36b00debe1816e1e6e41541938126bb0/lib/test_kasan.c
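The patchset description above explains why a memory quarantine is needed: without delayed reuse, a freed chunk can be handed out again at once, and a stale write into it is indistinguishable from a legitimate write to the new owner. The following user-space toy, added here as an example (it is not the kernel's mm/kasan/quarantine.c and does not use shadow memory), shows the effect of the delay alone: freed chunks are filled with a poison byte and parked in a FIFO, and a write through a dangling pointer is caught when the chunk finally leaves the quarantine. The slot count, poison value, and the names q_free, q_flush and demo_* are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUARANTINE_SLOTS 4     /* chosen for the example; KASAN sizes its quarantine by bytes */
#define POISON_BYTE 0xfb

struct chunk { unsigned char *mem; size_t size; };

struct quarantine {
    struct chunk ring[QUARANTINE_SLOTS];   /* FIFO of freed but not yet reusable chunks */
    size_t head, count;
    unsigned long corrupted;               /* chunks whose poison was overwritten while parked */
};

/* Really release the oldest chunk, after checking that nobody wrote to it meanwhile. */
static void q_evict_oldest(struct quarantine *q)
{
    struct chunk *c = &q->ring[q->head];
    for (size_t i = 0; i < c->size; i++) {
        if (c->mem[i] != POISON_BYTE) {
            q->corrupted++;                /* a write landed in freed memory: use-after-free */
            break;
        }
    }
    free(c->mem);
    q->head = (q->head + 1) % QUARANTINE_SLOTS;
    q->count--;
}

/* Stand-in for free(): poison the object and park it instead of releasing it. */
void q_free(struct quarantine *q, void *p, size_t size)
{
    if (q->count == QUARANTINE_SLOTS)
        q_evict_oldest(q);                 /* quarantine full: the oldest chunk leaves first */
    memset(p, POISON_BYTE, size);
    q->ring[(q->head + q->count) % QUARANTINE_SLOTS] = (struct chunk){ p, size };
    q->count++;
}

/* Drain everything (KASAN does this under memory pressure or on cache destruction). */
void q_flush(struct quarantine *q)
{
    while (q->count)
        q_evict_oldest(q);
}

/* A correct caller: more frees than slots, so eviction runs as well. Returns corrupted count. */
unsigned long demo_clean(void)
{
    struct quarantine q = {0};
    for (int i = 0; i < 10; i++) {
        char *buf = malloc(32);
        if (!buf)
            return (unsigned long)-1;
        snprintf(buf, 32, "object %d", i);
        q_free(&q, buf, 32);
    }
    q_flush(&q);
    return q.corrupted;
}

/* A buggy caller that writes through a pointer it already released. The new allocation
 * cannot alias the old one because the quarantine still holds it, which is exactly what
 * makes the stale write detectable. Returns the corrupted count (expected 1). */
unsigned long demo_dangling_write(void)
{
    struct quarantine q = {0};
    char *buf = malloc(32);
    if (!buf)
        return (unsigned long)-1;
    strcpy(buf, "hello");
    q_free(&q, buf, 32);
    char *other = malloc(32);              /* distinct from buf: buf is parked, not freed */
    if (!other)
        return (unsigned long)-1;
    int aliased = (other == buf);
    buf[0] = 'X';                          /* the stale write; memory is still owned, so this is
                                              safe to execute here, but it is a bug in the caller */
    q_free(&q, other, 32);
    q_flush(&q);
    return aliased ? 99 : q.corrupted;
}
```

Without the quarantine, `other` could receive the same address as `buf`, and the write of 'X' would silently corrupt a live object. The poison check at eviction is the user-space analogue of KASAN reporting the access: it tells the tester that freed memory was touched, although, unlike KASAN's shadow-memory check, it only learns about it later and only for writes.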
Jul 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cd9482bdaa20b91d7c21344396f8b23f12d30811

commit cd9482bdaa20b91d7c21344396f8b23f12d30811
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:33 2016

UPSTREAM: mm/slab: align cache size first before determination of OFF_SLAB candidate

Finding suitable OFF_SLAB candidate is more related to aligned cache size rather than original size. Same reasoning can be applied to the debug pagealloc candidate. So, this patch moves up alignment fixup to proper position. From that point, size is aligned so we can remove some alignment fixups.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 832a15d209cd260180407bde1af18965b21623f3)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG=chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ibed5cd90fe2fa6abf5ba8e64813fda61867f1382
Reviewed-on: https://chromium-review.googlesource.com/363423
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/cd9482bdaa20b91d7c21344396f8b23f12d30811/mm/slab.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/061b31aafadb37c9b96615d3f8a708a2acdca61e
commit 061b31aafadb37c9b96615d3f8a708a2acdca61e
Author: Matthew Dawson <matthew@mjdsystems.ca>
Date: Fri Mar 11 21:08:07 2016

UPSTREAM: mm/mempool: avoid KASAN marking mempool poison checks as use-after-free

When removing an element from the mempool, mark it as unpoisoned in KASAN before verifying its contents for SLUB/SLAB debugging. Otherwise KASAN will flag the reads checking the element use-after-free writes as use-after-free reads.

Signed-off-by: Matthew Dawson <matthew@mjdsystems.ca>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 7640131032db9118a78af715ac77ba2debeeb17c)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ia42df05dff5f04958f06076207c4c06e680bb89c
Reviewed-on: https://chromium-review.googlesource.com/363424
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/061b31aafadb37c9b96615d3f8a708a2acdca61e/mm/mempool.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9c96057849eafe7240553ceee693ab06742024df
commit 9c96057849eafe7240553ceee693ab06742024df
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:47 2016

UPSTREAM: mm/slab: factor out debugging initialization in cache_init_objs()

cache_init_objs() will be changed in a following patch and its current form doesn't fit well for that change. So, before doing it, this patch separates out the debugging initialization. This would cause two loop iterations when debugging is enabled, but this overhead seems much lighter than the debug feature itself, so the effect may not be visible. This patch will greatly simplify the changes to cache_init_objs() in the following patch.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 10b2e9e8e808bd30e1f4018a36366d07b0abd12f)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ib7cbda4f5621186909bc3737a02d72bb33e4d8df
Reviewed-on: https://chromium-review.googlesource.com/363425
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/9c96057849eafe7240553ceee693ab06742024df/mm/slab.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/64044c23ac112df633118ebc0c1dcdeb1d84a012
commit 64044c23ac112df633118ebc0c1dcdeb1d84a012
Author: Alexander Potapenko <glider@google.com>
Date: Fri Mar 25 21:21:59 2016

UPSTREAM: mm, kasan: SLAB support

Add KASAN hooks to SLAB allocator.

This patch is based on the "mm: kasan: unified support for SLUB and SLAB allocators" patch originally prepared by Dmitry Chernenkov.

Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 7ed2f9e663854db313f177a511145630e398b402)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I44fb37d502d21d86ff2ccf3746beee69cccd1e76
Reviewed-on: https://chromium-review.googlesource.com/363426
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/Documentation/kasan.txt
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/lib/Kconfig.kasan
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/mm/Makefile
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/mm/kasan/kasan.c
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/include/linux/slab.h
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/mm/kasan/kasan.h
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/mm/kasan/report.c
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/mm/slab_common.c
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/include/linux/slab_def.h
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/include/linux/kasan.h
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/include/linux/slub_def.h
[modify] https://crrev.com/64044c23ac112df633118ebc0c1dcdeb1d84a012/mm/slab.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8c1f45e2778f4e6c22f80b963d1a95ebcb5b0984
commit 8c1f45e2778f4e6c22f80b963d1a95ebcb5b0984
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:38 2016

UPSTREAM: mm/slab: do not change cache size if debug pagealloc isn't possible

We can fail to set up off slab in some conditions. Even in this case, debug pagealloc increases the cache size to PAGE_SIZE in advance, and it is wasteful because debug pagealloc cannot work for it when it isn't off slab. To improve this situation, this patch checks first that this cache with the increased size is suitable for off slab. It actually increases the cache size when it is suitable for off-slab, so the possible waste is removed.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit f3a3c320d54eea39a419fd539f5b0e9c74517b0a)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I5462624772f746643d7144f603d630d177971f36
Reviewed-on: https://chromium-review.googlesource.com/363427
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/8c1f45e2778f4e6c22f80b963d1a95ebcb5b0984/mm/slab.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/278e5bdcabe078ab87a5137b9eeaf84cfba3b464
commit 278e5bdcabe078ab87a5137b9eeaf84cfba3b464
Author: Alexander Potapenko <glider@google.com>
Date: Fri Mar 25 21:22:05 2016

UPSTREAM: arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections

KASAN needs to know whether the allocation happens in an IRQ handler. This lets us strip everything below the IRQ entry point to reduce the number of unique stack traces needed to be stored.

Move the definition of __irq_entry to <linux/interrupt.h> so that the users don't need to pull in <linux/ftrace.h>.

Also introduce the __softirq_entry macro which is similar to __irq_entry, but puts the corresponding functions to the .softirqentry.text section.

Signed-off-by: Alexander Potapenko <glider@google.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit be7635e7287e0e8013af3c89a6354a9e0182594c)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ia5eda8ce75d3afc16aba1e759f21476d3344aaa0
Reviewed-on: https://chromium-review.googlesource.com/363428
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/include/linux/interrupt.h
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/arm64/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/kernel/softirq.c
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/kernel/trace/trace_functions_graph.c
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/mips/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/arm/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/include/linux/ftrace.h
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/nios2/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/sparc/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/powerpc/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/arm64/include/asm/exception.h
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/sh/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/x86/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/s390/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/openrisc/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/microblaze/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/include/asm-generic/vmlinux.lds.h
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/blackfin/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/arm/include/asm/exception.h
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/tile/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/c6x/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/parisc/kernel/vmlinux.lds.S
[modify] https://crrev.com/278e5bdcabe078ab87a5137b9eeaf84cfba3b464/arch/metag/kernel/vmlinux.lds.S
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a15d709dc42762cac4dff97573a3339594017e59
commit a15d709dc42762cac4dff97573a3339594017e59
Author: Alexander Potapenko <glider@google.com>
Date: Fri Mar 25 21:22:08 2016

UPSTREAM: mm, kasan: stackdepot implementation. Enable stackdepot for SLAB

Implement the stack depot and provide CONFIG_STACKDEPOT. Stack depot will allow KASAN to store allocation/deallocation stack traces for memory chunks. The stack traces are stored in a hash table and referenced by handles which reside in the kasan_alloc_meta and kasan_free_meta structures in the allocated memory chunks.

IRQ stack traces are cut below the IRQ entry point to avoid unnecessary duplication.

Right now stackdepot support is only enabled in SLAB allocator. Once KASAN features in SLAB are on par with those in SLUB we can switch SLUB to stackdepot as well, thus removing the dependency on SLUB stack bookkeeping, which wastes a lot of memory.

This patch is based on the "mm: kasan: stack depots" patch originally prepared by Dmitry Chernenkov.

Joonsoo has said that he plans to reuse the stackdepot code for the mm/page_owner.c debugging facility.

[akpm@linux-foundation.org: s/depot_stack_handle/depot_stack_handle_t]
[aryabinin@virtuozzo.com: comment style fixes]
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit cd11016e5f5212c13c0cec7384a525edc93b4921)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Conflicts:
	arch/x86/kernel/Makefile
[glider: minor context mismatch]

Change-Id: I3f1f8bfc9ab33dbeaa6895307d0aa0156e422a86
Reviewed-on: https://chromium-review.googlesource.com/363429
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/lib/Kconfig.kasan
[add] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/include/linux/stackdepot.h
[modify] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/mm/kasan/kasan.c
[modify] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/lib/Makefile
[modify] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/lib/Kconfig
[modify] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/mm/kasan/kasan.h
[modify] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/mm/kasan/report.c
[modify] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/arch/x86/kernel/Makefile
[add] https://crrev.com/a15d709dc42762cac4dff97573a3339594017e59/lib/stackdepot.c
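The data structure the stackdepot commit above describes (a hash table of stack traces referenced by small handles, with IRQ traces cut below the entry point), modelled in userspace C. This is an added illustration, not the kernel's lib/stackdepot.c or any code from the commit: the record layout, hash function, table size, the IRQ_ENTRY_PC marker and the sample traces are all constructed here.

```c
/*
 * Userspace model of the stack depot the commit describes. Added
 * illustration, not the kernel's lib/stackdepot.c: the names, table
 * size and the IRQ-entry marker below are constructed.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEPOT_MAX_DEPTH 16
#define DEPOT_BUCKETS   64
#define IRQ_ENTRY_PC    0xffff0000UL      /* constructed stand-in for .irqentry.text */

typedef uint32_t depot_stack_handle_t;    /* 0 means "no stack recorded" */

struct stack_record {
    struct stack_record *next;            /* hash-bucket chain */
    uint32_t hash;
    uint32_t size;                        /* number of frames */
    depot_stack_handle_t handle;
    uintptr_t entries[DEPOT_MAX_DEPTH];
};

static struct stack_record *depot_table[DEPOT_BUCKETS];
static uint32_t depot_next_handle = 1;
static unsigned long depot_records;       /* distinct traces stored */

/* FNV-1a over the raw frame addresses. */
static uint32_t hash_stack(const uintptr_t *entries, uint32_t size)
{
    const unsigned char *p = (const unsigned char *)entries;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < (size_t)size * sizeof(*entries); i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/*
 * Store a trace and return its handle. Identical traces share one record,
 * so a 4-byte handle fits in the object's kasan_alloc_meta/kasan_free_meta
 * instead of a full copy of the trace.
 */
depot_stack_handle_t depot_save_stack(const uintptr_t *entries, uint32_t size)
{
    if (!entries || size == 0 || size > DEPOT_MAX_DEPTH)
        return 0;
    uint32_t hash = hash_stack(entries, size);
    struct stack_record **bucket = &depot_table[hash % DEPOT_BUCKETS];

    for (struct stack_record *r = *bucket; r; r = r->next)
        if (r->hash == hash && r->size == size &&
            !memcmp(r->entries, entries, size * sizeof(*entries)))
            return r->handle;             /* already stored: deduplicated */

    struct stack_record *r = calloc(1, sizeof(*r));
    if (!r)
        return 0;
    r->hash = hash;
    r->size = size;
    r->handle = depot_next_handle++;
    memcpy(r->entries, entries, size * sizeof(*entries));
    r->next = *bucket;
    *bucket = r;
    depot_records++;
    return r->handle;
}

/* Resolve a handle (as a KASAN report would); returns the frame count, 0 if unknown. */
uint32_t depot_fetch_stack(depot_stack_handle_t handle, const uintptr_t **entries)
{
    for (int b = 0; b < DEPOT_BUCKETS; b++)
        for (struct stack_record *r = depot_table[b]; r; r = r->next)
            if (r->handle == handle) {
                if (entries)
                    *entries = r->entries;
                return r->size;
            }
    return 0;
}

unsigned long depot_record_count(void) { return depot_records; }

/* Cut an interrupt trace below the IRQ entry point so the interrupted
 * code's frames do not multiply otherwise-identical traces. */
uint32_t filter_irq_stack(const uintptr_t *entries, uint32_t size)
{
    for (uint32_t i = 0; i < size; i++)
        if (entries[i] == IRQ_ENTRY_PC)
            return i + 1;                 /* keep frames up to the entry point */
    return size;
}

/* Constructed sample traces (fake return addresses). */
const uintptr_t sample_trace_a[3] = { 0x1000, 0x2000, 0x3000 };
const uintptr_t sample_trace_b[3] = { 0x1000, 0x2000, 0x4000 };
const uintptr_t sample_irq_trace[5] = { 0x10, 0x20, IRQ_ENTRY_PC, 0x30, 0x40 };
```

Saving `sample_trace_a` twice yields the same handle and one record; `sample_trace_b` differs in its last frame and gets a second record. `filter_irq_stack` on `sample_irq_trace` keeps three frames, so everything the interrupt pre-empted is dropped before the trace is hashed, which is what keeps the number of distinct IRQ traces small.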
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ffe649f9cc9b0072809d065357a297606f99f9d0
commit ffe649f9cc9b0072809d065357a297606f99f9d0
Author: Alexander Potapenko <glider@google.com>
Date: Fri Mar 25 21:22:11 2016

UPSTREAM: kasan: test fix: warn if the UAF could not be detected in kmalloc_uaf2

Signed-off-by: Alexander Potapenko <glider@google.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 9dcadd381b1d199074937019d612346c061de415)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ife22de2e1236213ca2f54f3094c92d2bd48defc1
Reviewed-on: https://chromium-review.googlesource.com/363430
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/ffe649f9cc9b0072809d065357a297606f99f9d0/lib/test_kasan.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/97c45515919e1fd98acd675d36922c2d506253b1
commit 97c45515919e1fd98acd675d36922c2d506253b1
Author: Alexander Potapenko <glider@google.com>
Date: Fri Apr 01 21:31:15 2016

UPSTREAM: mm, kasan: fix compilation for CONFIG_SLAB

Add the missing argument to set_track().

Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Konstantin Serebryany <kcc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 0b355eaaaae9bb8bb08b563ef55ecb23a4d743da)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ieec099fb44f33dfb5036dd9ab79953ac50525403
Reviewed-on: https://chromium-review.googlesource.com/363431
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/97c45515919e1fd98acd675d36922c2d506253b1/mm/kasan/kasan.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/777277dc7f7fe2b17a4c684946434c3adbdcd150
commit 777277dc7f7fe2b17a4c684946434c3adbdcd150
Author: Alexander Potapenko <glider@google.com>
Date: Fri Mar 25 21:22:02 2016

UPSTREAM: mm, kasan: add GFP flags to KASAN API

Add GFP flags to KASAN hooks for future patches to use.

This patch is based on the "mm: kasan: unified support for SLUB and SLAB allocators" patch originally prepared by Dmitry Chernenkov.

Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 505f5dcb1c419e55a9621a01f83eb5745d8d7398)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I57c89277a850595b23836cd2e2791fc381fc9093
Reviewed-on: https://chromium-review.googlesource.com/363432
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/mm/kasan/kasan.c
[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/include/linux/slab.h
[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/mm/slab_common.c
[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/mm/slab.c
[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/include/linux/kasan.h
[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/mm/slab.h
[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/mm/slub.c
[modify] https://crrev.com/777277dc7f7fe2b17a4c684946434c3adbdcd150/mm/mempool.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e92c045fd457d53761495b815be3736a8fb73143
commit e92c045fd457d53761495b815be3736a8fb73143
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:30 2016

UPSTREAM: mm/slab: put the freelist at the end of slab page

Currently, the freelist is at the front of the slab page. This requires extra space to meet the object alignment requirement. If we put the freelist at the end of a slab page, objects could start at the page boundary and will be at the correct alignment. This is possible because the freelist has no alignment constraint itself.

This gives us two benefits: it removes the extra memory space for the freelist alignment and removes a complex calculation at the cache initialization step. I can't think of a notable drawback here.

I mentioned that this would reduce extra memory space, but this benefit is rather theoretical because it can be applied to very few cases. The following are example cache types that can benefit from this change.

  size  align  num  before  after
    32      8  124    4100   4092
    64      8   63    4103   4095
    88      8   46    4102   4094
   272      8   15    4103   4095
   408      8   10    4098   4090
    32     16  124    4108   4092
    64     16   63    4111   4095
    32     32  124    4124   4092
    64     32   63    4127   4095
    96     32   42    4106   4074

"before" means the whole size for objects and aligned freelist before applying the patch, and "after" shows the result of this patch. Since "before" is more than 4096, the number of objects should decrease and memory waste happens.

Anyway, this patch removes a complex calculation so it looks beneficial to me.

[akpm@linux-foundation.org: fix kerneldoc]
Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 2e6b3602168797fd4d80d86d208c4ba8fcfa3b8b)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ib53ba833712c0cc4713e83ddfbc3ad79398eb178
Reviewed-on: https://chromium-review.googlesource.com/363433
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e92c045fd457d53761495b815be3736a8fb73143/mm/slab.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e77bc13d517ca69dc91baeeb916a3976125f4ea5
commit e77bc13d517ca69dc91baeeb916a3976125f4ea5
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:35 2016

UPSTREAM: mm/slab: clean up cache type determination

The current cache type determination code is open-coded and not easy to understand. A following patch will introduce one more cache type and it would make the code more complex. So, before that happens, this patch abstracts this code.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 158e319bba59e890c3920ce6d827c188287bae84)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I5c8b6f7a5cac918d0e7b68f25f5b377859475bfb
Reviewed-on: https://chromium-review.googlesource.com/363434
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e77bc13d517ca69dc91baeeb916a3976125f4ea5/mm/slab.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4aac1dcb6e4e2f44a54832fbc37706264a4ba4ad
commit 4aac1dcb6e4e2f44a54832fbc37706264a4ba4ad
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Tue Mar 15 21:54:41 2016

UPSTREAM: mm/slab: make criteria for off slab determination robust and simple

To become an off slab, there are some constraints to avoid a bootstrapping problem and recursive calls. This can be avoided differently by simply checking that the corresponding kmalloc cache is ready and it's not an off slab. It would be more robust because static size checking can be affected by cache size changes or architecture type but dynamic checking isn't.

One check, 'freelist_cache->size > cachep->size / 2', is added to check the benefit of choosing off slab, because now there is no size constraint which ensures enough advantage when selecting off slab.

Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 3217fd9bdf0017bd0847939f67d52a9c71d8fc56)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I61bbc82fd9684f4a41d36a3dbfc4fb749648d696
Reviewed-on: https://chromium-review.googlesource.com/363435
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/4aac1dcb6e4e2f44a54832fbc37706264a4ba4ad/mm/slab.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cca36bb48501a614b977e2e31b81179ab9539dcc
commit cca36bb48501a614b977e2e31b81179ab9539dcc
Author: Alexander Potapenko <glider@google.com>
Date: Fri May 20 23:59:11 2016

UPSTREAM: mm: kasan: initial memory quarantine implementation

Quarantine isolates freed objects in a separate queue. The objects are returned to the allocator later, which helps to detect use-after-free errors.

When the object is freed, its state changes from KASAN_STATE_ALLOC to KASAN_STATE_QUARANTINE. The object is poisoned and put into quarantine instead of being returned to the allocator, therefore every subsequent access to that object triggers a KASAN error, and the error handler is able to say where the object has been allocated and deallocated.

When it's time for the object to leave quarantine, its state becomes KASAN_STATE_FREE and it's returned to the allocator. From now on the allocator may reuse it for another allocation. Before that happens, it's still possible to detect a use-after free on that object (it retains the allocation/deallocation stacks).

When the allocator reuses this object, the shadow is unpoisoned and old allocation/deallocation stacks are wiped. Therefore a use of this object, even an incorrect one, won't trigger ASan warning.

Without the quarantine, it's not guaranteed that the objects aren't reused immediately, that's why the probability of catching a use-after-free is lower than with quarantine in place.

Quarantine isolates freed objects in a separate queue. The objects are returned to the allocator later, which helps to detect use-after-free errors.

Freed objects are first added to per-cpu quarantine queues. When a cache is destroyed or memory shrinking is requested, the objects are moved into the global quarantine queue. Whenever a kmalloc call allows memory reclaiming, the oldest objects are popped out of the global queue until the total size of objects in quarantine is less than 3/4 of the maximum quarantine size (which is a fraction of installed physical memory).

As long as an object remains in the quarantine, KASAN is able to report accesses to it, so the chance of reporting a use-after-free is increased. Once the object leaves quarantine, the allocator may reuse it, in which case the object is unpoisoned and KASAN can't detect incorrect accesses to it.

Right now quarantine support is only enabled in SLAB allocator. Unification of KASAN features in SLAB and SLUB will be done later.

This patch is based on the "mm: kasan: quarantine" patch originally prepared by Dmitry Chernenkov. A number of improvements have been suggested by Andrey Ryabinin.

[glider@google.com: v9]
Link: http://lkml.kernel.org/r/1462987130-144092-1-git-send-email-glider@google.com
Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 55834c59098d0c5a97b0f3247e55832b67facdcf)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ia94beb3d2e25e523e5b1acbbfa60ca89d322564d
Reviewed-on: https://chromium-review.googlesource.com/363436
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/kasan/kasan.c
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/kasan/kasan.h
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/kasan/report.c
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/slab_common.c
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/slab.c
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/include/linux/kasan.h
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/kasan/Makefile
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/slab.h
[add] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/kasan/quarantine.c
[modify] https://crrev.com/cca36bb48501a614b977e2e31b81179ab9539dcc/mm/mempool.c
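The quarantine mechanism the commit above describes (per-CPU queues that drain into a global FIFO, objects held in KASAN_STATE_QUARANTINE, and the oldest objects released only once the global total exceeds the limit, down to 3/4 of it), modelled in userspace C. This is an added illustration and not the kernel's mm/kasan/quarantine.c or any code from the commit: the byte limits, the CPU count, the per-CPU flush threshold and the demo workload are constructed here, and a real shadow memory is not modelled, only the state field.

```c
/*
 * Userspace model of the KASAN quarantine described above. Added
 * illustration, not the kernel's mm/kasan/quarantine.c: the limits,
 * CPU count and per-CPU flush threshold are constructed values.
 */
#include <stddef.h>
#include <stdlib.h>

#define NR_CPUS        2
#define QUARANTINE_MAX 4096UL                 /* kernel: a fraction of RAM */
#define QUARANTINE_LOW (QUARANTINE_MAX * 3 / 4)
#define PERCPU_MAX     (QUARANTINE_MAX / 4)   /* flush per-CPU queue beyond this */

enum kasan_state { KASAN_STATE_ALLOC, KASAN_STATE_QUARANTINE, KASAN_STATE_FREE };

struct qobj { struct qobj *next; size_t size; enum kasan_state state; };
struct qlist { struct qobj *head, *tail; size_t bytes; };  /* FIFO */

static struct qlist percpu_q[NR_CPUS];
static struct qlist global_q;
static size_t released_objs;                  /* handed back to the allocator */

static void qlist_put(struct qlist *q, struct qobj *o)
{
    o->next = NULL;
    if (q->tail) q->tail->next = o; else q->head = o;
    q->tail = o;
    q->bytes += o->size;
}

static struct qobj *qlist_pop(struct qlist *q)      /* oldest first */
{
    struct qobj *o = q->head;
    if (!o) return NULL;
    q->head = o->next;
    if (!q->head) q->tail = NULL;
    q->bytes -= o->size;
    return o;
}

static void qlist_move_all(struct qlist *from, struct qlist *to)
{
    if (!from->head) return;
    if (to->tail) to->tail->next = from->head; else to->head = from->head;
    to->tail = from->tail;
    to->bytes += from->bytes;
    from->head = from->tail = NULL;
    from->bytes = 0;
}

/* kfree() path: mark quarantined (shadow stays poisoned) and queue it
 * instead of returning it to the allocator. */
void quarantine_put(int cpu, struct qobj *o)
{
    o->state = KASAN_STATE_QUARANTINE;
    qlist_put(&percpu_q[cpu], o);
    if (percpu_q[cpu].bytes > PERCPU_MAX)
        qlist_move_all(&percpu_q[cpu], &global_q);
}

/* Cache destruction / shrink: move everything to the global queue. */
void quarantine_flush_all(void)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        qlist_move_all(&percpu_q[cpu], &global_q);
}

/* Allocation paths that may reclaim: once the global queue exceeds the
 * maximum, pop the oldest objects until it is below 3/4 of the maximum. */
size_t quarantine_reduce(void)
{
    size_t freed = 0;
    if (global_q.bytes <= QUARANTINE_MAX)
        return 0;
    while (global_q.bytes > QUARANTINE_LOW) {
        struct qobj *o = qlist_pop(&global_q);
        o->state = KASAN_STATE_FREE;          /* allocator may now reuse it */
        released_objs++;
        freed += o->size;
        free(o);
    }
    return freed;
}

size_t quarantine_global_bytes(void) { return global_q.bytes; }
size_t quarantine_released(void)     { return released_objs; }
int    quarantine_oldest_state(void) { return global_q.head ? (int)global_q.head->state : -1; }

/* Free 'n' constructed objects of 'size' bytes on CPU 0, then reclaim;
 * returns the number of bytes handed back to the allocator. */
size_t quarantine_demo(size_t n, size_t size)
{
    for (size_t i = 0; i < n; i++) {
        struct qobj *o = malloc(sizeof(*o));
        if (!o) abort();
        o->size = size;
        o->state = KASAN_STATE_ALLOC;
        quarantine_put(0, o);
    }
    quarantine_flush_all();
    return quarantine_reduce();
}
```

With the constructed limits, freeing twenty 256-byte objects puts 5120 bytes in the global queue; `quarantine_reduce` then releases the eight oldest (2048 bytes) and stops at 3072, exactly 3/4 of the 4096-byte maximum, leaving twelve objects still poisoned and reportable. A second `quarantine_reduce` with the queue under the maximum releases nothing, which is why the objects are kept as long as memory pressure allows.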
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/403d67e7abd14438f68070e5d5bfb56428a94727
commit 403d67e7abd14438f68070e5d5bfb56428a94727
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date: Fri May 20 23:59:20 2016

UPSTREAM: mm/kasan: print name of mem[set,cpy,move]() caller in report

When bogus memory access happens in mem[set,cpy,move]() it's usually the caller's fault. So don't blame mem[set,cpy,move]() in the bug report, blame the caller instead.

Before:
BUG: KASAN: out-of-bounds access in memset+0x23/0x40 at <address>

After:
BUG: KASAN: out-of-bounds access in <memset_caller> at <address>

Link: http://lkml.kernel.org/r/1462538722-1574-2-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 936bb4bbbb832f81055328b84e5afe1fc7246a8d)
Signed-off-by: Alexander Potapenko <glider@google.com>
BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ifcfc91bd690d2b6cb44709832bbd306827d3a7ee
Reviewed-on: https://chromium-review.googlesource.com/363437
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/403d67e7abd14438f68070e5d5bfb56428a94727/mm/kasan/kasan.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5bb6f623ff69eb109f05fe12299a306657bafa99
commit 5bb6f623ff69eb109f05fe12299a306657bafa99
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date: Fri Mar 25 21:22:17 2016

UPSTREAM: MAINTAINERS: fill entries for KASAN

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 0ba1d91df93b33ea2c29390881f0ba13574f1a01)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I133210c55af160ed8f702a5e55be2eb3a4b67ca1
Reviewed-on: https://chromium-review.googlesource.com/363438
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/5bb6f623ff69eb109f05fe12299a306657bafa99/MAINTAINERS
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0e3ab5ebc1b8105cce332314d90bdad1e4c4d505
commit 0e3ab5ebc1b8105cce332314d90bdad1e4c4d505
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date: Fri May 20 23:59:28 2016

UPSTREAM: mm/kasan: add API to check memory regions

Memory access coded in an assembly won't be seen by KASAN as a compiler can instrument only C code. Add kasan_check_[read,write]() API which is going to be used to check a certain memory range.

Link: http://lkml.kernel.org/r/1462538722-1574-3-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 64f8ebaf115bcddc4aaa902f981c57ba6506bc42)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Ib8c5cf4a9a882face604e9519bd5a91f93c7b965
Reviewed-on: https://chromium-review.googlesource.com/363439
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[add] https://crrev.com/0e3ab5ebc1b8105cce332314d90bdad1e4c4d505/include/linux/kasan-checks.h
[modify] https://crrev.com/0e3ab5ebc1b8105cce332314d90bdad1e4c4d505/MAINTAINERS
[modify] https://crrev.com/0e3ab5ebc1b8105cce332314d90bdad1e4c4d505/mm/kasan/kasan.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/27465cb6a3575b3742af4c36534050758d5fbca7
commit 27465cb6a3575b3742af4c36534050758d5fbca7
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date: Thu May 26 22:16:11 2016

UPSTREAM: mm: kasan: remove unused 'reserved' field from struct kasan_alloc_meta

Commit cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") added 'reserved' field, but never used it.

Link: http://lkml.kernel.org/r/1464021054-2307-1-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 9725759a96efb1ce56a1b93455ac0ab1901c5327)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: I0d8c78d84f1547e0d535830fa95c5d3a181e39e0
Reviewed-on: https://chromium-review.googlesource.com/363440
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/27465cb6a3575b3742af4c36534050758d5fbca7/mm/kasan/kasan.h
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/821ac6ed10f9306244f4b08c6d831d00e07b0b25
commit 821ac6ed10f9306244f4b08c6d831d00e07b0b25
Author: Shuah Khan <shuahkh@osg.samsung.com>
Date: Wed Jun 08 22:33:45 2016

UPSTREAM: kasan: change memory hot-add error messages to info messages

Change the following memory hot-add error messages to info messages. There is no need for these to be errors.

kasan: WARNING: KASAN doesn't support memory hot-add
kasan: Memory hot-add will be disabled

Link: http://lkml.kernel.org/r/1464794430-5486-1-git-send-email-shuahkh@osg.samsung.com
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 91a4c272145652d798035c17e1c02c91001d3f51)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Icd7dbccf49627e1b0f6a0763eb306ac0b58f37c7
Reviewed-on: https://chromium-review.googlesource.com/363441
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/821ac6ed10f9306244f4b08c6d831d00e07b0b25/mm/kasan/kasan.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/39971e0342cc1f9fa09a8eb16cd7bb4d79bcb13e
commit 39971e0342cc1f9fa09a8eb16cd7bb4d79bcb13e
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date: Fri Jun 24 21:49:34 2016

UPSTREAM: mm: mempool: kasan: don't poot mempool objects in quarantine

Currently we may put reserved by mempool elements into quarantine via kasan_kfree(). This is totally wrong since quarantine may really free these objects. So when mempool will try to use such element, use-after-free will happen. Or mempool may decide that it no longer need that element and double-free it.

So don't put object into quarantine in kasan_kfree(), just poison it. Rename kasan_kfree() to kasan_poison_kfree() to respect that.

Also, we shouldn't use kasan_slab_alloc()/kasan_krealloc() in kasan_unpoison_element() because those functions may update allocation stacktrace. This would be wrong for the most of the remove_element call sites.

(The only call site where we may want to update alloc stacktrace is in mempool_alloc(). Kmemleak solves this by calling kmemleak_update_trace(), so we could make something like that too. But this is out of scope of this patch).

Fixes: 55834c59098d ("mm: kasan: initial memory quarantine implementation")
Link: http://lkml.kernel.org/r/575977C3.1010905@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reported-by: Kuthonuzo Luruo <kuthonuzo.luruo@hpe.com>
Acked-by: Alexander Potapenko <glider@google.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 9b75a867cc9ddbafcaf35029358ac500f2635ff3)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Iff5a6df8accba6b1b4e2e4ee34892b8cbe0b7806
Reviewed-on: https://chromium-review.googlesource.com/363442
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/39971e0342cc1f9fa09a8eb16cd7bb4d79bcb13e/mm/mempool.c
[modify] https://crrev.com/39971e0342cc1f9fa09a8eb16cd7bb4d79bcb13e/include/linux/kasan.h
[modify] https://crrev.com/39971e0342cc1f9fa09a8eb16cd7bb4d79bcb13e/mm/kasan/kasan.c
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2758d35f14e483818fc5d53f936a23b1882d87eb
commit 2758d35f14e483818fc5d53f936a23b1882d87eb
Author: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Date: Thu Jul 14 19:07:17 2016

UPSTREAM: kasan/quarantine: fix bugs on qlist_move_cache()

There are two bugs on qlist_move_cache(). One is that qlist's tail isn't set properly. curr->next can be NULL since it is singly linked list and NULL value on tail is invalid if there is one item on qlist.

Another one is that if cache is matched, qlist_put() is called and it will set curr->next to NULL. It would cause to stop the loop prematurely.

These problems come from complicated implementation so I'd like to re-implement it completely. Implementation in this patch is really simple. Iterate all qlist_nodes and put them to appropriate list.

Unfortunately, I got this bug sometime ago and lose oops message. But, the bug looks trivial and no need to attach oops.

Fixes: 55834c59098d ("mm: kasan: initial memory quarantine implementation")
Link: http://lkml.kernel.org/r/1467766348-22419-1-git-send-email-iamjoonsoo.kim@lge.com
Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Alexander Potapenko <glider@google.com>
Cc: Kuthonuzo Luruo <poll.stdin@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 0ab686d8c8303069e80300663b3be6201a8697fb)
Signed-off-by: Alexander Potapenko <glider@google.com>

BUG= chromium:631045
TEST=build the kernel and start up syzkaller

Change-Id: Iefc5ae5edcfc1c5dc881b431b5eeba9fa8fe3886
Reviewed-on: https://chromium-review.googlesource.com/363443
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/2758d35f14e483818fc5d53f936a23b1882d87eb/mm/kasan/quarantine.c
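A constructed model of the re-implemented qlist_move_cache() walk described in the commit above, added here as an example; it is not the kernel's code or the page's own. The list structures, the integer cache tag standing in for struct kmem_cache, and the count field are simplifications assumed for the example. It shows why the walk saves curr->next before qlist_put() clears it, and that both lists end with a valid tail.

```c
#include <stddef.h>
/* Constructed model of a KASAN quarantine list (not the kernel's code). */
struct qlist_node { struct qlist_node *next; };
struct qlist_head { struct qlist_node *head, *tail; size_t count; };
struct qobj { struct qlist_node node; int cache; }; /* object + its cache tag */

static void qlist_init(struct qlist_head *q) { q->head = q->tail = NULL; q->count = 0; }

/* Append one node. It clears next, so a walk must save curr->next first. */
static void qlist_put(struct qlist_head *q, struct qlist_node *qlink)
{
	qlink->next = NULL;
	if (!q->head)
		q->head = qlink;
	else
		q->tail->next = qlink;
	q->tail = qlink;
	q->count++;
}

/* The commit's approach: reset `from`, walk every node once, and put it
 * on `to` if it belongs to `cache`, otherwise back on `from`. */
static void qlist_move_cache(struct qlist_head *from, struct qlist_head *to, int cache)
{
	struct qlist_node *curr = from->head;
	qlist_init(from);
	while (curr) {
		struct qlist_node *next = curr->next;
		struct qobj *obj = (struct qobj *)curr; /* node is the first member */
		qlist_put(obj->cache == cache ? to : from, curr);
		curr = next;
	}
}

/* Constructed check: five objects alternating between two caches, then move
 * cache 1 out. Returns 1 when both lists keep correct heads, tails and counts. */
static int move_cache_demo(void)
{
	struct qobj objs[5] = { {{0}, 1}, {{0}, 2}, {{0}, 1}, {{0}, 2}, {{0}, 1} };
	struct qlist_head from, to;
	qlist_init(&from);
	qlist_init(&to);
	for (size_t i = 0; i < 5; i++)
		qlist_put(&from, &objs[i].node);
	qlist_move_cache(&from, &to, 1);
	return to.count == 3 && from.count == 2 &&
	       to.head == &objs[0].node && to.tail == &objs[4].node && !to.tail->next &&
	       from.head == &objs[1].node && from.tail == &objs[3].node && !from.tail->next;
}
```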
,
Aug 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b0c85a0defe81aae07db5461aa9a7899ead0898d
commit b0c85a0defe81aae07db5461aa9a7899ead0898d
Author: Alexander Potapenko <glider@google.com>
Date: Thu Jun 16 16:39:52 2016

UPSTREAM: arm64: allow building with kcov coverage on ARM64

Add ARCH_HAS_KCOV to ARM64 config. To avoid potential crashes, disable instrumentation of the files in arch/arm64/kvm/hyp/*.

Signed-off-by: Alexander Potapenko <glider@google.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Tested-by: James Morse <james.morse@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

BUG= chromium:631045
TEST=Build arm64 image and ensure that it still works

(cherry picked from commit 5e4c7549f7082b06bbba566c68696dbb8d2e5b6b)
Signed-off-by: Alexander Potapenko <glider@google.com>

Conflicts:
	arch/arm64/kvm/hyp/Makefile
[glider: arch/arm64/kvm/hyp/Makefile not present in the Chromium tree]

Change-Id: Ieb7ef7664fb68505eaaf860b166790418cbed517
Reviewed-on: https://chromium-review.googlesource.com/364920
Commit-Ready: Alexander Potapenko <glider@chromium.org>
Tested-by: Alexander Potapenko <glider@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/b0c85a0defe81aae07db5461aa9a7899ead0898d/arch/arm64/Kconfig
,
Apr 6 2018
I think this can be closed now. KASAN works fine in 4.4.
Comment 1 by glider@chromium.org, Jul 25 2016