fuzzing with
syzkaller for the last few years, see the details here:
https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md
Andrey Konovalov (3):
kcov: remote coverage support
usb, kcov: collect coverage from hub_event
vhost, kcov: collect coverage from vhost_worker
: Andrey Konovalov
---
drivers/vhost/vhost.c | 15 +++
drivers/vhost/vhost.h | 3 +++
2 files changed, 18 insertions(+)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 36ca2cf419bf..71a349f6b352 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -357,7
particular USB bus for coverage collection.
Signed-off-by: Andrey Konovalov
---
drivers/usb/core/hub.c | 4
include/linux/kcov.h | 1 +
include/uapi/linux/kcov.h | 7 +++
3 files changed, 12 insertions(+)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 236313f41f4a
with kcov_remote_start/kcov_remote_stop.
Signed-off-by: Andrey Konovalov
---
Documentation/dev-tools/kcov.rst | 99 +++
include/linux/kcov.h | 9 +
include/linux/sched.h | 6 +
include/uapi/linux/kcov.h | 11 +
kernel/kcov.c
On Thu, Oct 17, 2019 at 8:18 PM Greg Kroah-Hartman
wrote:
>
> On Thu, Oct 17, 2019 at 07:44:15PM +0200, Andrey Konovalov wrote:
> > This patch adds kcov_remote_start/kcov_remote_stop annotations to the
> > vhost_worker function, which is responsible for processing vhos
On Thu, Oct 17, 2019 at 8:19 PM Greg Kroah-Hartman
wrote:
>
> On Thu, Oct 17, 2019 at 07:44:14PM +0200, Andrey Konovalov wrote:
> > This patch adds kcov_remote_start/kcov_remote_stop annotations to the
> > hub_event function, which is responsible for processing events on
On Thu, Oct 17, 2019 at 10:28 PM Greg Kroah-Hartman
wrote:
>
> On Thu, Oct 17, 2019 at 09:00:18PM +0200, Andrey Konovalov wrote:
> > On Thu, Oct 17, 2019 at 8:18 PM Greg Kroah-Hartman
> > wrote:
> > >
> > > On Thu, Oct 17, 2019 at 07:44:15PM +0200, Andrey Kono
This patch increases the maximum number of Dummy UDC/HCD devices to 32.
---
drivers/usb/gadget/udc/dummy_hcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/dummy_hcd.c
b/drivers/usb/gadget/udc/dummy_hcd.c
index 3d499d93c083..a8f1e5707c14 100644
--- a/
patch
changes dummy-hcd to use the usb_urb_dir_in() helper to match that
behavior.
Signed-off-by: Andrey Konovalov
---
drivers/usb/gadget/udc/dummy_hcd.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/gadget/udc/dummy_hcd.c
b/drivers/usb/gadget/udc/dumm
On Fri, Oct 18, 2019 at 4:53 PM syzbot
wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: c2453450 kmsan: kcov: prettify the code unpoisoning area->..
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?
On Fri, Oct 18, 2019 at 8:07 PM Greg Kroah-Hartman
wrote:
>
> On Fri, Oct 18, 2019 at 04:55:56PM +0200, Andrey Konovalov wrote:
> > This patch increases the maximum number of Dummy UDC/HCD devices to 32.
>
> Yes, that is a good description of _what_ the patch does, but it does
>
Changes in v2:
- Added missing Signed-off-by.
- Added better explanation as to why we need more Dummy devices.
Andrey Konovalov (2):
USB: dummy-hcd: increase max number of devices to 32
USB: dummy-hcd: use usb_urb_dir_in instead of usb_pipein
drivers/usb/gadget/udc/dummy_hcd.c | 10
number of Dummy UDC/HCD devices to 32
(more than 8 in case we need more of them in the future).
Signed-off-by: Andrey Konovalov
---
drivers/usb/gadget/udc/dummy_hcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/dummy_hcd.c
b/drivers/usb/gadget/udc
patch
changes dummy-hcd to use the usb_urb_dir_in() helper to match that
behavior.
Signed-off-by: Andrey Konovalov
---
drivers/usb/gadget/udc/dummy_hcd.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/gadget/udc/dummy_hcd.c
b/drivers/usb/gadget/udc/dumm
Similarly to 96fedce2 ("kasan: make tag based mode work with
CONFIG_HARDENED_USERCOPY"), we need to reset pointer tags in
__check_heap_object() in mm/slab.c before doing any pointer math.
Signed-off-by: Andrey Konovalov
---
mm/slab.c | 2 ++
1 file changed, 2 insertions(+)
diff
management object, leads to freelist being stored non-tagged.
Signed-off-by: Andrey Konovalov
---
mm/slab.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/mm/slab.c b/mm/slab.c
index c84458281a88..4ad95fcb1686 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -2359,7 +2359,7
kasan_slab_alloc() calls in kmem_cache_alloc() and kmem_cache_alloc_node()
are redundant as they are already called via slab_alloc/slab_alloc_node()->
slab_post_alloc_hook()->kasan_slab_alloc(). Remove them.
Signed-off-by: Andrey Konovalov
---
mm/slab.c | 2 --
1 file changed, 2 del
Similarly to 0d0c8de8 ("kasan: mark file common so ftrace doesn't trace
it") add the -pg flag to mm/kasan/tags.c to prevent conflicts with
tracing.
Reported-by: Qian Cai
Signed-off-by: Andrey Konovalov
---
mm/kasan/Makefile | 2 ++
1 file changed, 2 insertions(+)
diff -
ot syncing: Fatal exception
> [18869.026705] SMP: stopping secondary CPUs
> [18870.254279] SMP: failed to stop secondary CPUs 1-7,32,40,127
> [18870.259942] Kernel Offset: disabled
> [18870.263434] CPU features: 0x002,2c18
> [18870.267358] Memory Limit: none
> [18870.270725]
On Tue, Feb 19, 2019 at 10:49 PM Arnd Bergmann wrote:
>
> Building an arm64 allmodconfig kernel with clang results in over 140 warnings
> about overly large stack frames, the worst ones being:
>
> drivers/gpu/drm/panel/panel-sitronix-st7789v.c:196:12: error: stack frame
> size of 20224 bytes in f
ed as a debugging tool and not a mitigation.
Signed-off-by: Andrey Konovalov
---
arch/arm64/kernel/setup.c | 3 +++
arch/arm64/mm/kasan_init.c | 2 --
mm/kasan/tags.c | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/k
On Fri, Feb 8, 2019 at 6:17 PM Christophe Leroy wrote:
>
> Hi Daniel,
>
> Le 08/02/2019 à 17:18, Daniel Axtens a écrit :
> > Hi Christophe,
> >
> > I've been attempting to port this to 64-bit Book3e nohash (e6500),
> > although I think I've ended up with an approach more similar to Aneesh's
> > mu
From: Andrey Konovalov
Date: Wed, Jan 2, 2019 at 4:30 PM
To: Samuel Ortiz
Cc: David S. Miller, netdev, LKML,
Dmitry Vyukov, Kostya Serebryany
> On Mon, Jun 4, 2018 at 6:29 AM Samuel Ortiz wrote:
> >
> > Hi Andrey,
> >
> > On Thu, Apr 12, 2018 at 06:56:56PM +0
On Fri, May 3, 2019 at 7:03 PM Catalin Marinas wrote:
>
> On Tue, Apr 30, 2019 at 03:25:09PM +0200, Andrey Konovalov wrote:
> > This patch is a part of a series that extends arm64 kernel ABI to allow
> > passing tagged user pointers (with the top byte set to something else other
On Fri, Apr 26, 2019 at 4:17 PM Catalin Marinas wrote:
>
> On Tue, Apr 02, 2019 at 02:47:34PM +0200, Andrey Konovalov wrote:
> > On Fri, Mar 29, 2019 at 11:30 AM Catalin Marinas
> > wrote:
> > > On Thu, Mar 28, 2019 at 02:19:34PM -0400, Steven Rostedt wrote:
> >
kernel accepting tagged
user pointers the test fails with EFAULT.
Signed-off-by: Andrey Konovalov
---
tools/testing/selftests/arm64/.gitignore | 1 +
tools/testing/selftests/arm64/Makefile | 11 ++
.../testing/selftests/arm64/run_tags_test.sh | 12 +++
tools/testing
pointers.
Untag the pointers in this function.
Signed-off-by: Andrey Konovalov
---
drivers/media/v4l2-core/videobuf-dma-contig.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/media/v4l2-core/videobuf-dma-contig.c
b/drivers/media/v4l2-core/videobuf-dma
user pointers in this function.
Signed-off-by: Andrey Konovalov
---
drivers/vfio/vfio_iommu_type1.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index d0f731c9920a..5daa966d799e 100644
--- a/drivers/vfio/vfio_iommu_type1.c
On Thu, May 2, 2019 at 5:36 PM Nathan Chancellor
wrote:
>
> When building with -Wuninitialized and CONFIG_KASAN_SW_TAGS unset, Clang
> warns:
>
> mm/kasan/common.c:484:40: warning: variable 'tag' is uninitialized when
> used here [-Wuninitialized]
> kasan_unpoison_shadow(set_tag(object, ta
, which will later be expanded to
> (void *)(object) without a use of tag. Initialize tag to 0xff, as it
> removes this warning and doesn't change the meaning of the code.
>
> Link: https://github.com/ClangBuiltLinux/linux/issues/465
> Signed-off-by: Nathan Chancellor
Reviewed-by:
On Thu, Jul 25, 2019 at 7:04 AM syzbot
wrote:
>
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.
On Wed, Jul 17, 2019 at 2:29 PM syzbot
wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+8a8f48672560c8ca5...@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 6a3599ce usb-fuzzer: main usb gadget
On Fri, Aug 9, 2019 at 6:51 PM Alan Stern wrote:
>
> Greg:
>
> See below...
>
> On Fri, 9 Aug 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree: https://github.com/google/kasan
On Tue, Jul 23, 2019 at 4:28 PM syzbot
wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f6
page)); \
> + const void *__addr_tag = \
> + __tag_set((void *)__addr, page_kasan_tag(page));\
> ((void *)__addr_tag); \
> })
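Review bot: `__addr_tag` is declared `const void *` on the `+` line and then returned through `((void *)__addr_tag)`, so the qualifier is cast straight back off inside the same macro. Either declare the temporary `void *__addr_tag = (void *)__tag_set(...)` at the one place the cast is actually needed, or keep it `const` and let the macro yield `const void *`; as written the explicit cast hides a qualifier drop that the compiler would otherwise flag for callers.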
>
> --
> 1.8.3.1
>
Reviewed-by: Andrey Konovalov
On Tue, Aug 6, 2019 at 2:36 PM Oliver Neukum wrote:
>
> Am Donnerstag, den 01.08.2019, 14:47 -0400 schrieb Alan Stern:
> >
> > I think this must be caused by an unbalanced refcount. That is,
> > something must drop one more reference to the device than it takes.
> > That would explain why the inv
; b) verified the
> added double-kzfree() is detected.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199359
> Signed-off-by: Marco Elver
> Cc: Andrey Ryabinin
> Cc: Dmitry Vyukov
> Cc: Alexander Potapenko
> Cc: Andrey Konovalov
> Cc: Christoph Lameter
> Cc: Pekka
On Thu, Jun 20, 2019 at 9:56 PM Christian Lamparter wrote:
>
> On Thursday, June 20, 2019 9:46:32 PM CEST Alan Stern wrote:
> > On Wed, 19 Jun 2019, syzbot wrote:
> >
> > > syzbot has found a reproducer for the following crash on:
> > >
> > > HEAD commit: 9939f56e usb-fuzzer: main usb gadget fu
pointers in validate_range().
Reviewed-by: Vincenzo Frascino
Reviewed-by: Catalin Marinas
Reviewed-by: Kees Cook
Signed-off-by: Andrey Konovalov
---
fs/userfaultfd.c | 22 --
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
radeon_gem_userptr_ioctl().
Suggested-by: Felix Kuehling
Acked-by: Felix Kuehling
Signed-off-by: Andrey Konovalov
---
drivers/gpu/drm/radeon/radeon_gem.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/radeon/radeon_gem.c
b/drivers/gpu/drm/radeon/radeon_gem.c
index 44617dec8183
On Mon, Jun 24, 2019 at 2:59 PM Bjørn Mork wrote:
>
> syzbot writes:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 9939f56e usb-fuzzer: main usb gadget fuzzer driver
> > git tree: https://github.com/google/kasan.git usb-fuzzer
> > console output: https://
On Thu, May 2, 2019 at 6:39 PM Greg Kroah-Hartman
wrote:
>
> On Thu, May 02, 2019 at 06:09:26PM +0200, Andrey Konovalov wrote:
> > When the pvrusb2 driver detects that there's something wrong with the
> > device, it prints a warning message. Right now those message
On Wed, Jun 19, 2019 at 4:30 PM Andrey Konovalov wrote:
>
> On Thu, May 2, 2019 at 6:39 PM Greg Kroah-Hartman
> wrote:
> >
> > On Thu, May 02, 2019 at 06:09:26PM +0200, Andrey Konovalov wrote:
> > > When the pvrusb2 driver detects that there's something wrong
ll unblock syzkaller testing of this
driver.
Reviewed-by: Greg Kroah-Hartman
Reported-by: syzbot+af8f8d2ac0d39b0ed...@syzkaller.appspotmail.com
Reported-by: syzbot+170a86bf206dd2c62...@syzkaller.appspotmail.com
Signed-off-by: Andrey Konovalov
---
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++--
dri
On Wed, Jun 19, 2019 at 4:45 PM Mauro Carvalho Chehab
wrote:
>
> Em Wed, 19 Jun 2019 16:30:01 +0200
> Andrey Konovalov escreveu:
>
> > On Thu, May 2, 2019 at 6:39 PM Greg Kroah-Hartman
> > wrote:
> > >
> > > On Thu, May 02, 2019 at 06:09:26PM +0200
On Mon, Jun 10, 2019 at 4:28 PM Catalin Marinas wrote:
>
> On Mon, Jun 03, 2019 at 06:55:07PM +0200, Andrey Konovalov wrote:
> > This patch is a part of a series that extends arm64 kernel ABI to allow
> > passing tagged user pointers (with the top byte set to something else o
On Thu, Jun 6, 2019 at 10:54 AM Oliver Neukum wrote:
>
> Am Montag, den 03.06.2019, 04:41 -0700 schrieb syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
> > git tree: https://github.com/google/kasan.git
On Fri, Jul 5, 2019 at 11:50 AM Hillf Danton wrote:
>
>
> On Thu, 04 Jul 2019 07:09:05 -0700 (PDT)
> > syzbot has found a reproducer for the following crash on:
> >
> > HEAD commit: 7829a896 usb-fuzzer: main usb gadget fuzzer driver
> > git tree: https://github.com/google/kasan.git usb-fu
t void *arch_kasan_set_tag(const void *addr, u8 tag)
> +{
> + return addr;
> +}
> #endif
> #ifndef arch_kasan_reset_tag
> #define arch_kasan_reset_tag(addr) ((void *)(addr))
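Review bot: the two fallbacks in this hunk are not symmetric: `arch_kasan_set_tag` is a typed `static inline` taking `const void *addr, u8 tag` and returning `addr` unchanged, while `arch_kasan_reset_tag(addr)` stays a macro expanding to `((void *)(addr))`, which silently casts away `const` and accepts any integer or pointer type. Make both inline functions (or both macros) so the generic path gets the same type checking and const-correctness on every arch, and a caller passing the wrong type is caught the same way regardless of CONFIG_KASAN_SW_TAGS.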
> --
> 2.17.2 (Apple Git-113)
>
Reviewed-by: Andrey Konovalov
Thanks!
On Tue, Feb 12, 2019 at 2:43 PM Qian Cai wrote:
>
>
>
> On 2/12/19 8:26 AM, Andrey Konovalov wrote:
> > Hm, did you apply all 6 patches (the one that you sent and these five)
> Yes.
I'm failing to reproduce this in QEMU. You're still using the same
config, rig
On Wed, Feb 13, 2019 at 3:06 AM Qian Cai wrote:
>
> get_freepointer() could return NULL if there are no more free objects in
> the slab. However, it could return a tagged pointer (like
> 0x2200) with KASAN_SW_TAGS which would escape the NULL
> object checking in check_valid_pointer() an
On Tue, Feb 12, 2019 at 4:57 PM Vincenzo Frascino
wrote:
>
> On 11/02/2019 21:59, Andrey Konovalov wrote:
> > Right now we call kmemleak hooks before assigning tags to pointers in
> > KASAN hooks. As a result, when an object gets allocated, kmemleak sees
> > a di
On Tue, Feb 12, 2019 at 10:12 PM Andrew Morton
wrote:
>
> On Mon, 11 Feb 2019 22:59:53 +0100 Andrey Konovalov
> wrote:
>
> > With tag based KASAN page_address() looks at the page flags to see
> > whether the resulting pointer needs to have a tag set. Since we don'
perly
propagate tags throughout the loop.
Reported-by: Qian Cai
Signed-off-by: Andrey Konovalov
---
mm/slub.c | 20 +++-
1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/mm/slub.c b/mm/slub.c
index a7e7c7f719f9..80da3a40b74d 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3
ed-by: Qian Cai
Signed-off-by: Andrey Konovalov
---
mm/slab.h | 6 ++
mm/slab_common.c | 2 +-
mm/slub.c | 3 ++-
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/mm/slab.h b/mm/slab.h
index 4190c24ef0e9..638ea1b25d39 100644
--- a/mm/slab.h
+++ b/mm/slab.h
@@ -437,11 +
untag pointers before saving them to min_addr
and max_addr and when performing a lookup.
Signed-off-by: Andrey Konovalov
---
mm/kmemleak.c | 10 +++---
mm/slab.h | 1 +
mm/slab_common.c | 1 +
mm/slub.c | 1 +
4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a
dress() is called before kasan_poison_slab(). Fix it by changing
the order.
Signed-off-by: Andrey Konovalov
---
mm/slub.c | 19 +++
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/mm/slub.c b/mm/slub.c
index f5a451c49190..a7e7c7f719f9 100644
--- a/mm/slub.c
+++ b/mm/s
Changes in v2:
- Add comments about kmemleak vs KASAN hooks order.
- Fix compilation error when CONFIG_SLUB_DEBUG is not defined.
Andrey Konovalov (5):
kasan: fix assigning tags twice
kasan, kmemleak: pass tagged pointers to kmemleak
kmemleak: account for tagged pointers when calculating
When an object is kmalloc()'ed, two hooks are called: kasan_slab_alloc()
and kasan_kmalloc(). Right now we assign a tag twice, once in each of
the hooks. Fix it by assigning a tag only in the former hook.
Signed-off-by: Andrey Konovalov
---
mm/kasan/common.c
On Wed, Feb 13, 2019 at 9:42 PM Andrew Morton wrote:
>
> On Wed, 13 Feb 2019 14:58:25 +0100 Andrey Konovalov
> wrote:
>
> > Changes in v2:
> > - Add comments about kmemleak vs KASAN hooks order.
>
> I assume this refers to Vincenzo's review of "ka
rates over objects in a cache, it
passes untagged pointers to check_object(). check_object() in turns
calls get_freepointer() with an untagged pointer, which causes the
freepointer to be restored incorrectly.
Add kasan_reset_tag to freelist_ptr(). Also add a detailed comment.
Signed-off-by: A
On Wed, Feb 13, 2019 at 10:12 PM Qian Cai wrote:
>
> On Wed, 2019-02-13 at 11:31 +0100, Andrey Konovalov wrote:
> > On Wed, Feb 13, 2019 at 3:06 AM Qian Cai wrote:
> > >
> > > get_freepointer() could return NULL if there are no more free objects in
> > >
On Thu, Feb 14, 2019 at 1:25 AM Andrey Konovalov wrote:
>
> When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged.
> Normally, this doesn't cause any issues, as both set_freepointer()
> and get_freepointer() are called with a pointer with the same tag.
> However, t
seq_print_user_ip() uses provided user pointers for vma lookups, which
can only be done with untagged pointers.
Untag user pointers in this function.
Signed-off-by: Andrey Konovalov
---
kernel/trace/trace_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace
This patch adds a simple test, that calls the uname syscall with a
tagged user pointer as an argument. Without the kernel accepting tagged
user pointers the test fails with EFAULT.
Signed-off-by: Andrey Konovalov
---
tools/testing/selftests/arm64/.gitignore | 1 +
tools/testing/selftests
moved untagging pointers returned from __uaccess_mask_ptr.
Changes in v1:
- Rebased onto 4.17-rc1.
Changes in RFC v2:
- Added "#ifndef untagged_addr..." fallback in linux/uaccess.h instead of
defining it for each arch individually.
- Updated Documentation/arm64/tagged-pointers.txt.
- Dro
prctl_set_mm() and prctl_set_mm_map() use provided user pointers for vma
lookups, which can only be done with untagged pointers.
Untag user pointers in these functions.
Signed-off-by: Andrey Konovalov
---
kernel/sys.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/kernel
userfaultfd_register() and userfaultfd_unregister() use provided user
pointers for vma lookups, which can only be done with untagged pointers.
Untag user pointers in these functions.
Signed-off-by: Andrey Konovalov
---
fs/userfaultfd.c | 5 +
1 file changed, 5 insertions(+)
diff --git a
This commit allows tagged pointers to be passed to the following memory
syscalls: madvise, mbind, get_mempolicy, mincore, mlock, mlock2, brk,
mmap_pgoff, old_mmap, munmap, remap_file_pages, mprotect, pkey_mprotect,
mremap, msync and shmdt.
Signed-off-by: Andrey Konovalov
---
ipc/shm.c | 2
Document the changes in Documentation/arm64/tagged-pointers.txt.
Signed-off-by: Andrey Konovalov
---
Documentation/arm64/tagged-pointers.txt | 25 +++--
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/Documentation/arm64/tagged-pointers.txt
b/Documentation
arm64.
Acked-by: Catalin Marinas
Signed-off-by: Andrey Konovalov
---
include/linux/memory.h | 4
1 file changed, 4 insertions(+)
diff --git a/include/linux/memory.h b/include/linux/memory.h
index a6ddefc60517..fc383bc39ab8 100644
--- a/include/linux/memory.h
+++ b/include/linux/memory.h
tcp_zerocopy_receive() uses provided user pointers for vma lookups, which
can only be done with untagged pointers.
Untag user pointers in this function.
Signed-off-by: Andrey Konovalov
---
net/ipv4/tcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
the address before subtracting.
Signed-off-by: Andrey Konovalov
---
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index a677b59efd74..d4b7adef9204 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2730,7 +2730,7 @@ void
for vma lookup.
Signed-off-by: Andrey Konovalov
---
mm/gup.c | 4
1 file changed, 4 insertions(+)
diff --git a/mm/gup.c b/mm/gup.c
index 75029649baca..b6eda1608bea 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -683,6 +683,8 @@ static long __get_user_pages(struct task_struct *tsk,
struct mm_struct
strncpy_from_user and strnlen_user accept user addresses as arguments, and
do not go through the same path as copy_from_user and others, so here we
need to handle the case of tagged user addresses separately.
Untag user pointers passed to these functions.
Signed-off-by: Andrey Konovalov
in access_ok and in __uaccess_mask_ptr,
before performing access validity checks.
Note, that this patch only temporarily untags the pointers to perform the
checks, but then passes them as is into the kernel internals.
Reviewed-by: Catalin Marinas
Signed-off-by: Andrey Konovalov
---
arch/arm64
On Fri, Feb 22, 2019 at 4:35 PM Szabolcs Nagy wrote:
>
> On 22/02/2019 12:53, Andrey Konovalov wrote:
> > This patchset is meant to be merged together with "arm64 relaxed ABI" [1].
> >
> > arm64 has a feature called Top Byte Ignore, which allows embedding pointer
> Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via
> pagealloc")
> Signed-off-by: Arnd Bergmann
Reviewed-by: Andrey Konovalov
Thanks!
> ---
> arch/arm64/include/asm/memory.h | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
>
On Sun, Feb 17, 2019 at 5:34 AM Qian Cai wrote:
>
> Enabling function tracer with CONFIG_KASAN_SW_TAGS=y (hwasan) tracer
> causes the whole system to freeze on ThunderX2 systems with 256 CPUs,
> because there is a burst of too much pointer access, and then KASAN will
> dereference each byte of the sh
On Mon, Feb 18, 2019 at 4:53 PM Qian Cai wrote:
>
>
>
> On 2/18/19 10:25 AM, Andrey Konovalov wrote:
> > On Sun, Feb 17, 2019 at 5:34 AM Qian Cai wrote:
> >>
> >> Enabling function tracer with CONFIG_KASAN_SW_TAGS=y (hwasan) tracer
> >> causes the
ned-off-by: Andrey Konovalov
---
mm/kasan/init.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mm/kasan/init.c b/mm/kasan/init.c
index 45a1b5e38e1e..fcaa1ca03175 100644
--- a/mm/kasan/init.c
+++ b/mm/kasan/init.c
@@ -42,7 +42,7 @@ static inline bool kasan_p4d_table(pgd_t p
On Fri, Mar 1, 2019 at 7:37 PM Dave Hansen wrote:
>
> On 3/1/19 8:59 AM, Catalin Marinas wrote:
> >>> So, we have to patch all these sites before the tagged values get to the
> >>> point of hitting the vma lookup functions. Dumb question: Why don't we
> >>> just patch the vma lookup functions the
D_WIDTH 0
> #endif
>
> -#ifdef CONFIG_KASAN_SW_TAGS
> -#define KASAN_TAG_WIDTH 8
> #if SECTIONS_WIDTH+NODES_WIDTH+ZONES_WIDTH+LAST_CPUPID_WIDTH+KASAN_TAG_WIDTH
> \
> > BITS_PER_LONG - NR_PAGEFLAGS
> #error "KASAN: not enough bits in page flags for tag"
> #endif
> -#else
> -#define KASAN_TAG_WIDTH 0
> -#endif
>
> /*
> * We are going to use the flags for the page to node mapping if its in
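Review bot: the removed `-#define KASAN_TAG_WIDTH 8` / `-#define KASAN_TAG_WIDTH 0` pair leaves the `#if SECTIONS_WIDTH+NODES_WIDTH+ZONES_WIDTH+LAST_CPUPID_WIDTH+KASAN_TAG_WIDTH > BITS_PER_LONG - NR_PAGEFLAGS` check in this hunk depending on a definition that is no longer in this file, and the check is now evaluated unconditionally. The preprocessor treats an undefined identifier in `#if` as 0, so if the new definition is not reachable from this header in every config the overflow check passes silently (and `-Wundef` builds warn). Worth a one-line comment above the `#if` naming the header that now provides KASAN_TAG_WIDTH, or an `#ifndef KASAN_TAG_WIDTH` / `#error` guard next to it.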
> --
> 2.20.0
>
Reviewed-by: Andrey Konovalov
Thanks!
Defining ARCH_SLAB_MINALIGN in arch/arm64/include/asm/cache.h when KASAN
is off is not needed, as it is defined in include/linux/slab.h
under an ifndef.
Signed-off-by: Andrey Konovalov
---
arch/arm64/include/asm/cache.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/arm64
On Wed, Jan 9, 2019 at 11:10 AM Vincenzo Frascino
wrote:
>
> On 03/01/2019 18:45, Andrey Konovalov wrote:
> > Instead of changing cache->align to be aligned to KASAN_SHADOW_SCALE_SIZE
> > in kasan_cache_create() we can reuse the ARCH_SLAB_MINALIGN macro.
> >
> >
On Tue, Sep 25, 2018 at 5:15 PM, Alan Stern wrote:
> On Tue, 25 Sep 2018, Vladis Dronov wrote:
>
>> > What reason is there for having two different fixes for the same bug?
>> > This one isn't going to get into any mainline trees that don't already
>> > have c9a4cb204e9e.
>>
>> I believe this is th
This patch adds a simple test, that calls the uname syscall with a
tagged user pointer as an argument. Without the kernel accepting tagged
user pointers the test fails with EFAULT.
Signed-off-by: Andrey Konovalov
---
tools/testing/selftests/arm64/.gitignore | 1 +
tools/testing/selftests
for vma lookup.
Signed-off-by: Andrey Konovalov
---
mm/gup.c | 4
1 file changed, 4 insertions(+)
diff --git a/mm/gup.c b/mm/gup.c
index 1abc8b4afff6..6f09132c654e 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -666,6 +666,8 @@ static long __get_user_pages(struct task_struct *tsk,
struct mm_struct
On Fri, Sep 21, 2018 at 5:13 PM, Andrey Konovalov wrote:
> This patch updates KASAN documentation to reflect the addition of the new
> tag-based mode.
>
> Signed-off-by: Andrey Konovalov
> ---
> Documentation/dev-tools/kasan.rst | 232 ++
>
Tag-based KASAN uses the Top Byte Ignore feature of arm64 CPUs to store a
pointer tag in the top byte of each pointer. This commit enables the
TCR_TBI1 bit, which enables Top Byte Ignore for the kernel, when tag-based
KASAN is used.
Signed-off-by: Andrey Konovalov
---
arch/arm64/include/asm
On Fri, Sep 21, 2018 at 10:42 AM, 'Dmitry Vyukov' via kasan-dev
wrote:
> On Fri, Sep 21, 2018 at 3:50 AM, Andy Lutomirski wrote:
>> This patch seems reasonable, but you emailed the wrong people :)
>>
>> On Thu, Sep 20, 2018 at 5:15 PM Jason A. Donenfeld wrote:
>>>
>>> It turns out that KASAN in
On Wed, May 2, 2018 at 7:25 PM, Andrey Konovalov wrote:
> On Wed, May 2, 2018 at 5:36 PM, Kirill A. Shutemov
> wrote:
>> On Wed, May 02, 2018 at 02:38:42PM +0000, Andrey Konovalov wrote:
>>> > Does having a tagged address here makes any difference? I couldn't hit a
d onto 3eb2ce82 (4.16-rc7).
Andrey Konovalov (6):
arm64: add type casts to untagged_addr macro
uaccess: add untagged_addr definition for other arches
arm64: untag user addresses in access_ok and __uaccess_mask_ptr
mm, arm64: untag user addresses in mm/gup.c
lib, arm64: untag
in access_ok and in __uaccess_mask_ptr,
before performing access validity checks.
Signed-off-by: Andrey Konovalov
---
arch/arm64/include/asm/uaccess.h | 11 +++
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm
architectures besides arm64.
Signed-off-by: Andrey Konovalov
---
include/linux/uaccess.h | 4
1 file changed, 4 insertions(+)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index efe79c1cdd47..c045b4eff95e 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
strncpy_from_user and strnlen_user accept user addresses as arguments, and
do not go through the same path as copy_from_user and others, so here we
need to handle the case of tagged user addresses separately.
Untag user pointers passed to these functions.
Signed-off-by: Andrey Konovalov
Add a note that work on passing tagged user pointers to the kernel via
syscalls has started, but might not be complete yet.
Signed-off-by: Andrey Konovalov
---
Documentation/arm64/tagged-pointers.txt | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Documentation/arm64
lookup.
Signed-off-by: Andrey Konovalov
---
mm/gup.c | 4
1 file changed, 4 insertions(+)
diff --git a/mm/gup.c b/mm/gup.c
index 76af4cfeaf68..65a9566c96d3 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -647,6 +647,8 @@ static long __get_user_pages(struct task_struct *tsk,
struct mm_struct *mm
This patch makes the untagged_addr macro accept all kinds of address types
(void *, unsigned long, etc.), so that type casts no longer need to be
specified in each place where it is used. This is done by using __typeof__.
Signed-off-by: Andrey Konovalov
---
arch/arm64/include/asm/uaccess.h | 3 ++-
1 file
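Three points the messages on this page keep returning to can be seen together in one small model: untagged_addr taking any address type through __typeof__ (the patch just above), vma lookups only working on untagged addresses (the untagging patches for gup, userfaultfd, prctl_set_mm and tcp_zerocopy_receive), and resetting the tag before pointer math as in __check_heap_object() and freelist_ptr(). The block below is an added example written for this page; it is not kernel code and not from any of the patches above. The tag layout (TAG_SHIFT, TAG_MASK), set_tag/get_tag, the toy struct vma with find_vma_raw/find_vma_untagged, offset_raw/offset_untagged and the sample addresses are all this example's own constructions. The untagged_addr macro follows the __typeof__ plus sign-extend-from-bit-55 shape the messages describe, reimplemented here for a plain 64-bit host; nothing is dereferenced, so it runs on x86_64 as well.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Model of arm64 Top Byte Ignore (TBI): the MMU ignores bits 63:56 of a
 * virtual address, so an 8-bit tag can live there (tag-based KASAN in the
 * kernel, HWASan in userspace). TAG_SHIFT/TAG_MASK are names chosen for
 * this example (assumption, not kernel identifiers).
 */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)

/*
 * Cast-free untagged_addr in the spirit of the __typeof__ change: shift the
 * tag out, then sign-extend from bit 55 so kernel-half (0xffff...) and
 * user-half (0x0000...) addresses both come back canonical. The left shift
 * is done on the unsigned value to avoid UB; the arithmetic right shift of a
 * negative int64_t is what gcc/clang do (assumption), like sign_extend64().
 */
#define untagged_addr(addr) \
	((__typeof__(addr))((int64_t)((uintptr_t)(addr) << 8) >> 8))

/* Store an 8-bit tag in the top byte of a pointer. */
static inline void *set_tag(const void *addr, uint8_t tag)
{
	uintptr_t a = ((uintptr_t)addr & ~TAG_MASK) | ((uintptr_t)tag << TAG_SHIFT);
	return (void *)a;
}

static inline uint8_t get_tag(const void *addr)
{
	return (uint8_t)((uintptr_t)addr >> TAG_SHIFT);
}

/* Toy vma: the half-open range [start, end) in untagged user address space. */
struct vma {
	uintptr_t start;
	uintptr_t end;
};

/* Naive find_vma: compares the raw address, so a tagged pointer never matches. */
static const struct vma *find_vma_raw(const struct vma *v, size_t n, uintptr_t addr)
{
	for (size_t i = 0; i < n; i++)
		if (addr >= v[i].start && addr < v[i].end)
			return &v[i];
	return NULL;
}

/* What the series does at each syscall that feeds a user pointer into the
 * vma tree: strip the tag first, then look up. */
static const struct vma *find_vma_untagged(const struct vma *v, size_t n, uintptr_t addr)
{
	return find_vma_raw(v, n, untagged_addr(addr));
}

/*
 * Offset of ptr inside the object at base, the kind of arithmetic that
 * __check_heap_object() and freelist_ptr() do. Computed on uintptr_t so the
 * "wrong" variant is merely wrong rather than undefined behaviour.
 */
static uintptr_t offset_raw(const void *ptr, const void *base)
{
	return (uintptr_t)ptr - (uintptr_t)base;
}

static uintptr_t offset_untagged(const void *ptr, const void *base)
{
	return (uintptr_t)untagged_addr(ptr) - (uintptr_t)untagged_addr(base);
}

int main(void)
{
	/* Constructed sample addresses: one user-half range, one kernel-half object. */
	const struct vma vmas[1] = { { 0x00007f0012340000ULL, 0x00007f0012350000ULL } };
	uintptr_t user = 0x00007f0012345000ULL;
	uintptr_t tagged = (uintptr_t)set_tag((void *)user, 0xab);
	const char *obj = (const char *)0xffff800012345000ULL;
	const void *p = set_tag((const void *)((uintptr_t)obj + 0x40), 0x5a);

	printf("tagged user ptr %#lx -> untagged %#lx (tag %#x)\n",
	       (unsigned long)tagged, (unsigned long)untagged_addr(tagged),
	       get_tag((void *)tagged));
	printf("vma lookup: raw %s, untagged %s\n",
	       find_vma_raw(vmas, 1, tagged) ? "hit" : "miss",
	       find_vma_untagged(vmas, 1, tagged) ? "hit" : "miss");
	printf("offset in object: raw %#lx, untagged %#lx\n",
	       (unsigned long)offset_raw(p, obj), (unsigned long)offset_untagged(p, obj));
	return 0;
}
```

Build with `cc -std=c99 -Wall untag.c && ./a.out`. The raw lookup misses and the raw offset is a huge number, while the untagged variants return the vma and 0x40, which is exactly why the series untags at the syscall boundary for vma lookups and resets the tag before the pointer math in the slab code. The arithmetic right shift of a negative int64_t is implementation-defined in C; gcc and clang implement it as an arithmetic shift, which is what sign_extend64() relies on as well.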