Back to home page

OSCL-LXR
 
 

     

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * This file contains KASAN runtime code that manages shadow memory for
0004  * generic and software tag-based KASAN modes.
0005  *
0006  * Copyright (c) 2014 Samsung Electronics Co., Ltd.
0007  * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
0008  *
0009  * Some code borrowed from https://github.com/xairy/kasan-prototype by
0010  *        Andrey Konovalov <andreyknvl@gmail.com>
0011  */
0012 
0013 #include <linux/init.h>
0014 #include <linux/kasan.h>
0015 #include <linux/kernel.h>
0016 #include <linux/kfence.h>
0017 #include <linux/kmemleak.h>
0018 #include <linux/memory.h>
0019 #include <linux/mm.h>
0020 #include <linux/string.h>
0021 #include <linux/types.h>
0022 #include <linux/vmalloc.h>
0023 
0024 #include <asm/cacheflush.h>
0025 #include <asm/tlbflush.h>
0026 
0027 #include "kasan.h"
0028 
0029 bool __kasan_check_read(const volatile void *p, unsigned int size)
0030 {
0031     return kasan_check_range((unsigned long)p, size, false, _RET_IP_);
0032 }
0033 EXPORT_SYMBOL(__kasan_check_read);
0034 
0035 bool __kasan_check_write(const volatile void *p, unsigned int size)
0036 {
0037     return kasan_check_range((unsigned long)p, size, true, _RET_IP_);
0038 }
0039 EXPORT_SYMBOL(__kasan_check_write);
0040 
0041 #undef memset
0042 void *memset(void *addr, int c, size_t len)
0043 {
0044     if (!kasan_check_range((unsigned long)addr, len, true, _RET_IP_))
0045         return NULL;
0046 
0047     return __memset(addr, c, len);
0048 }
0049 
0050 #ifdef __HAVE_ARCH_MEMMOVE
0051 #undef memmove
0052 void *memmove(void *dest, const void *src, size_t len)
0053 {
0054     if (!kasan_check_range((unsigned long)src, len, false, _RET_IP_) ||
0055         !kasan_check_range((unsigned long)dest, len, true, _RET_IP_))
0056         return NULL;
0057 
0058     return __memmove(dest, src, len);
0059 }
0060 #endif
0061 
0062 #undef memcpy
0063 void *memcpy(void *dest, const void *src, size_t len)
0064 {
0065     if (!kasan_check_range((unsigned long)src, len, false, _RET_IP_) ||
0066         !kasan_check_range((unsigned long)dest, len, true, _RET_IP_))
0067         return NULL;
0068 
0069     return __memcpy(dest, src, len);
0070 }
0071 
0072 void kasan_poison(const void *addr, size_t size, u8 value, bool init)
0073 {
0074     void *shadow_start, *shadow_end;
0075 
0076     if (!kasan_arch_is_ready())
0077         return;
0078 
0079     /*
0080      * Perform shadow offset calculation based on untagged address, as
0081      * some of the callers (e.g. kasan_poison_object_data) pass tagged
0082      * addresses to this function.
0083      */
0084     addr = kasan_reset_tag(addr);
0085 
0086     /* Skip KFENCE memory if called explicitly outside of sl*b. */
0087     if (is_kfence_address(addr))
0088         return;
0089 
0090     if (WARN_ON((unsigned long)addr & KASAN_GRANULE_MASK))
0091         return;
0092     if (WARN_ON(size & KASAN_GRANULE_MASK))
0093         return;
0094 
0095     shadow_start = kasan_mem_to_shadow(addr);
0096     shadow_end = kasan_mem_to_shadow(addr + size);
0097 
0098     __memset(shadow_start, value, shadow_end - shadow_start);
0099 }
0100 EXPORT_SYMBOL(kasan_poison);
0101 
0102 #ifdef CONFIG_KASAN_GENERIC
0103 void kasan_poison_last_granule(const void *addr, size_t size)
0104 {
0105     if (!kasan_arch_is_ready())
0106         return;
0107 
0108     if (size & KASAN_GRANULE_MASK) {
0109         u8 *shadow = (u8 *)kasan_mem_to_shadow(addr + size);
0110         *shadow = size & KASAN_GRANULE_MASK;
0111     }
0112 }
0113 #endif
0114 
0115 void kasan_unpoison(const void *addr, size_t size, bool init)
0116 {
0117     u8 tag = get_tag(addr);
0118 
0119     /*
0120      * Perform shadow offset calculation based on untagged address, as
0121      * some of the callers (e.g. kasan_unpoison_object_data) pass tagged
0122      * addresses to this function.
0123      */
0124     addr = kasan_reset_tag(addr);
0125 
0126     /*
0127      * Skip KFENCE memory if called explicitly outside of sl*b. Also note
0128      * that calls to ksize(), where size is not a multiple of machine-word
0129      * size, would otherwise poison the invalid portion of the word.
0130      */
0131     if (is_kfence_address(addr))
0132         return;
0133 
0134     if (WARN_ON((unsigned long)addr & KASAN_GRANULE_MASK))
0135         return;
0136 
0137     /* Unpoison all granules that cover the object. */
0138     kasan_poison(addr, round_up(size, KASAN_GRANULE_SIZE), tag, false);
0139 
0140     /* Partially poison the last granule for the generic mode. */
0141     if (IS_ENABLED(CONFIG_KASAN_GENERIC))
0142         kasan_poison_last_granule(addr, size);
0143 }
0144 
0145 #ifdef CONFIG_MEMORY_HOTPLUG
0146 static bool shadow_mapped(unsigned long addr)
0147 {
0148     pgd_t *pgd = pgd_offset_k(addr);
0149     p4d_t *p4d;
0150     pud_t *pud;
0151     pmd_t *pmd;
0152     pte_t *pte;
0153 
0154     if (pgd_none(*pgd))
0155         return false;
0156     p4d = p4d_offset(pgd, addr);
0157     if (p4d_none(*p4d))
0158         return false;
0159     pud = pud_offset(p4d, addr);
0160     if (pud_none(*pud))
0161         return false;
0162 
0163     /*
0164      * We can't use pud_large() or pud_huge(), the first one is
0165      * arch-specific, the last one depends on HUGETLB_PAGE.  So let's abuse
0166      * pud_bad(), if pud is bad then it's bad because it's huge.
0167      */
0168     if (pud_bad(*pud))
0169         return true;
0170     pmd = pmd_offset(pud, addr);
0171     if (pmd_none(*pmd))
0172         return false;
0173 
0174     if (pmd_bad(*pmd))
0175         return true;
0176     pte = pte_offset_kernel(pmd, addr);
0177     return !pte_none(*pte);
0178 }
0179 
0180 static int __meminit kasan_mem_notifier(struct notifier_block *nb,
0181             unsigned long action, void *data)
0182 {
0183     struct memory_notify *mem_data = data;
0184     unsigned long nr_shadow_pages, start_kaddr, shadow_start;
0185     unsigned long shadow_end, shadow_size;
0186 
0187     nr_shadow_pages = mem_data->nr_pages >> KASAN_SHADOW_SCALE_SHIFT;
0188     start_kaddr = (unsigned long)pfn_to_kaddr(mem_data->start_pfn);
0189     shadow_start = (unsigned long)kasan_mem_to_shadow((void *)start_kaddr);
0190     shadow_size = nr_shadow_pages << PAGE_SHIFT;
0191     shadow_end = shadow_start + shadow_size;
0192 
0193     if (WARN_ON(mem_data->nr_pages % KASAN_GRANULE_SIZE) ||
0194         WARN_ON(start_kaddr % KASAN_MEMORY_PER_SHADOW_PAGE))
0195         return NOTIFY_BAD;
0196 
0197     switch (action) {
0198     case MEM_GOING_ONLINE: {
0199         void *ret;
0200 
0201         /*
0202          * If shadow is mapped already than it must have been mapped
0203          * during the boot. This could happen if we onlining previously
0204          * offlined memory.
0205          */
0206         if (shadow_mapped(shadow_start))
0207             return NOTIFY_OK;
0208 
0209         ret = __vmalloc_node_range(shadow_size, PAGE_SIZE, shadow_start,
0210                     shadow_end, GFP_KERNEL,
0211                     PAGE_KERNEL, VM_NO_GUARD,
0212                     pfn_to_nid(mem_data->start_pfn),
0213                     __builtin_return_address(0));
0214         if (!ret)
0215             return NOTIFY_BAD;
0216 
0217         kmemleak_ignore(ret);
0218         return NOTIFY_OK;
0219     }
0220     case MEM_CANCEL_ONLINE:
0221     case MEM_OFFLINE: {
0222         struct vm_struct *vm;
0223 
0224         /*
0225          * shadow_start was either mapped during boot by kasan_init()
0226          * or during memory online by __vmalloc_node_range().
0227          * In the latter case we can use vfree() to free shadow.
0228          * Non-NULL result of the find_vm_area() will tell us if
0229          * that was the second case.
0230          *
0231          * Currently it's not possible to free shadow mapped
0232          * during boot by kasan_init(). It's because the code
0233          * to do that hasn't been written yet. So we'll just
0234          * leak the memory.
0235          */
0236         vm = find_vm_area((void *)shadow_start);
0237         if (vm)
0238             vfree((void *)shadow_start);
0239     }
0240     }
0241 
0242     return NOTIFY_OK;
0243 }
0244 
0245 static int __init kasan_memhotplug_init(void)
0246 {
0247     hotplug_memory_notifier(kasan_mem_notifier, 0);
0248 
0249     return 0;
0250 }
0251 
0252 core_initcall(kasan_memhotplug_init);
0253 #endif
0254 
0255 #ifdef CONFIG_KASAN_VMALLOC
0256 
0257 void __init __weak kasan_populate_early_vm_area_shadow(void *start,
0258                                unsigned long size)
0259 {
0260 }
0261 
0262 static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr,
0263                       void *unused)
0264 {
0265     unsigned long page;
0266     pte_t pte;
0267 
0268     if (likely(!pte_none(*ptep)))
0269         return 0;
0270 
0271     page = __get_free_page(GFP_KERNEL);
0272     if (!page)
0273         return -ENOMEM;
0274 
0275     memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
0276     pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
0277 
0278     spin_lock(&init_mm.page_table_lock);
0279     if (likely(pte_none(*ptep))) {
0280         set_pte_at(&init_mm, addr, ptep, pte);
0281         page = 0;
0282     }
0283     spin_unlock(&init_mm.page_table_lock);
0284     if (page)
0285         free_page(page);
0286     return 0;
0287 }
0288 
0289 int kasan_populate_vmalloc(unsigned long addr, unsigned long size)
0290 {
0291     unsigned long shadow_start, shadow_end;
0292     int ret;
0293 
0294     if (!is_vmalloc_or_module_addr((void *)addr))
0295         return 0;
0296 
0297     shadow_start = (unsigned long)kasan_mem_to_shadow((void *)addr);
0298     shadow_end = (unsigned long)kasan_mem_to_shadow((void *)addr + size);
0299 
0300     /*
0301      * User Mode Linux maps enough shadow memory for all of virtual memory
0302      * at boot, so doesn't need to allocate more on vmalloc, just clear it.
0303      *
0304      * The remaining CONFIG_UML checks in this file exist for the same
0305      * reason.
0306      */
0307     if (IS_ENABLED(CONFIG_UML)) {
0308         __memset((void *)shadow_start, KASAN_VMALLOC_INVALID, shadow_end - shadow_start);
0309         return 0;
0310     }
0311 
0312     shadow_start = PAGE_ALIGN_DOWN(shadow_start);
0313     shadow_end = PAGE_ALIGN(shadow_end);
0314 
0315     ret = apply_to_page_range(&init_mm, shadow_start,
0316                   shadow_end - shadow_start,
0317                   kasan_populate_vmalloc_pte, NULL);
0318     if (ret)
0319         return ret;
0320 
0321     flush_cache_vmap(shadow_start, shadow_end);
0322 
0323     /*
0324      * We need to be careful about inter-cpu effects here. Consider:
0325      *
0326      *   CPU#0                CPU#1
0327      * WRITE_ONCE(p, vmalloc(100));     while (x = READ_ONCE(p)) ;
0328      *                  p[99] = 1;
0329      *
0330      * With compiler instrumentation, that ends up looking like this:
0331      *
0332      *   CPU#0                CPU#1
0333      * // vmalloc() allocates memory
0334      * // let a = area->addr
0335      * // we reach kasan_populate_vmalloc
0336      * // and call kasan_unpoison:
0337      * STORE shadow(a), unpoison_val
0338      * ...
0339      * STORE shadow(a+99), unpoison_val x = LOAD p
0340      * // rest of vmalloc process       <data dependency>
0341      * STORE p, a               LOAD shadow(x+99)
0342      *
0343      * If there is no barrier between the end of unpoisoning the shadow
0344      * and the store of the result to p, the stores could be committed
0345      * in a different order by CPU#0, and CPU#1 could erroneously observe
0346      * poison in the shadow.
0347      *
0348      * We need some sort of barrier between the stores.
0349      *
0350      * In the vmalloc() case, this is provided by a smp_wmb() in
0351      * clear_vm_uninitialized_flag(). In the per-cpu allocator and in
0352      * get_vm_area() and friends, the caller gets shadow allocated but
0353      * doesn't have any pages mapped into the virtual address space that
0354      * has been reserved. Mapping those pages in will involve taking and
0355      * releasing a page-table lock, which will provide the barrier.
0356      */
0357 
0358     return 0;
0359 }
0360 
0361 static int kasan_depopulate_vmalloc_pte(pte_t *ptep, unsigned long addr,
0362                     void *unused)
0363 {
0364     unsigned long page;
0365 
0366     page = (unsigned long)__va(pte_pfn(*ptep) << PAGE_SHIFT);
0367 
0368     spin_lock(&init_mm.page_table_lock);
0369 
0370     if (likely(!pte_none(*ptep))) {
0371         pte_clear(&init_mm, addr, ptep);
0372         free_page(page);
0373     }
0374     spin_unlock(&init_mm.page_table_lock);
0375 
0376     return 0;
0377 }
0378 
0379 /*
0380  * Release the backing for the vmalloc region [start, end), which
0381  * lies within the free region [free_region_start, free_region_end).
0382  *
0383  * This can be run lazily, long after the region was freed. It runs
0384  * under vmap_area_lock, so it's not safe to interact with the vmalloc/vmap
0385  * infrastructure.
0386  *
0387  * How does this work?
0388  * -------------------
0389  *
0390  * We have a region that is page aligned, labeled as A.
0391  * That might not map onto the shadow in a way that is page-aligned:
0392  *
0393  *                    start                     end
0394  *                    v                         v
0395  * |????????|????????|AAAAAAAA|AA....AA|AAAAAAAA|????????| < vmalloc
0396  *  -------- -------- --------          -------- --------
0397  *      |        |       |                 |        |
0398  *      |        |       |         /-------/        |
0399  *      \-------\|/------/         |/---------------/
0400  *              |||                ||
0401  *             |??AAAAAA|AAAAAAAA|AA??????|                < shadow
0402  *                 (1)      (2)      (3)
0403  *
0404  * First we align the start upwards and the end downwards, so that the
0405  * shadow of the region aligns with shadow page boundaries. In the
0406  * example, this gives us the shadow page (2). This is the shadow entirely
0407  * covered by this allocation.
0408  *
0409  * Then we have the tricky bits. We want to know if we can free the
0410  * partially covered shadow pages - (1) and (3) in the example. For this,
0411  * we are given the start and end of the free region that contains this
0412  * allocation. Extending our previous example, we could have:
0413  *
0414  *  free_region_start                                    free_region_end
0415  *  |                 start                     end      |
0416  *  v                 v                         v        v
0417  * |FFFFFFFF|FFFFFFFF|AAAAAAAA|AA....AA|AAAAAAAA|FFFFFFFF| < vmalloc
0418  *  -------- -------- --------          -------- --------
0419  *      |        |       |                 |        |
0420  *      |        |       |         /-------/        |
0421  *      \-------\|/------/         |/---------------/
0422  *              |||                ||
0423  *             |FFAAAAAA|AAAAAAAA|AAF?????|                < shadow
0424  *                 (1)      (2)      (3)
0425  *
0426  * Once again, we align the start of the free region up, and the end of
0427  * the free region down so that the shadow is page aligned. So we can free
0428  * page (1) - we know no allocation currently uses anything in that page,
0429  * because all of it is in the vmalloc free region. But we cannot free
0430  * page (3), because we can't be sure that the rest of it is unused.
0431  *
0432  * We only consider pages that contain part of the original region for
0433  * freeing: we don't try to free other pages from the free region or we'd
0434  * end up trying to free huge chunks of virtual address space.
0435  *
0436  * Concurrency
0437  * -----------
0438  *
0439  * How do we know that we're not freeing a page that is simultaneously
0440  * being used for a fresh allocation in kasan_populate_vmalloc(_pte)?
0441  *
0442  * We _can_ have kasan_release_vmalloc and kasan_populate_vmalloc running
0443  * at the same time. While we run under free_vmap_area_lock, the population
0444  * code does not.
0445  *
0446  * free_vmap_area_lock instead operates to ensure that the larger range
0447  * [free_region_start, free_region_end) is safe: because __alloc_vmap_area and
0448  * the per-cpu region-finding algorithm both run under free_vmap_area_lock,
0449  * no space identified as free will become used while we are running. This
0450  * means that so long as we are careful with alignment and only free shadow
0451  * pages entirely covered by the free region, we will not run in to any
0452  * trouble - any simultaneous allocations will be for disjoint regions.
0453  */
0454 void kasan_release_vmalloc(unsigned long start, unsigned long end,
0455                unsigned long free_region_start,
0456                unsigned long free_region_end)
0457 {
0458     void *shadow_start, *shadow_end;
0459     unsigned long region_start, region_end;
0460     unsigned long size;
0461 
0462     region_start = ALIGN(start, KASAN_MEMORY_PER_SHADOW_PAGE);
0463     region_end = ALIGN_DOWN(end, KASAN_MEMORY_PER_SHADOW_PAGE);
0464 
0465     free_region_start = ALIGN(free_region_start, KASAN_MEMORY_PER_SHADOW_PAGE);
0466 
0467     if (start != region_start &&
0468         free_region_start < region_start)
0469         region_start -= KASAN_MEMORY_PER_SHADOW_PAGE;
0470 
0471     free_region_end = ALIGN_DOWN(free_region_end, KASAN_MEMORY_PER_SHADOW_PAGE);
0472 
0473     if (end != region_end &&
0474         free_region_end > region_end)
0475         region_end += KASAN_MEMORY_PER_SHADOW_PAGE;
0476 
0477     shadow_start = kasan_mem_to_shadow((void *)region_start);
0478     shadow_end = kasan_mem_to_shadow((void *)region_end);
0479 
0480     if (shadow_end > shadow_start) {
0481         size = shadow_end - shadow_start;
0482         if (IS_ENABLED(CONFIG_UML)) {
0483             __memset(shadow_start, KASAN_SHADOW_INIT, shadow_end - shadow_start);
0484             return;
0485         }
0486         apply_to_existing_page_range(&init_mm,
0487                          (unsigned long)shadow_start,
0488                          size, kasan_depopulate_vmalloc_pte,
0489                          NULL);
0490         flush_tlb_kernel_range((unsigned long)shadow_start,
0491                        (unsigned long)shadow_end);
0492     }
0493 }
0494 
0495 void *__kasan_unpoison_vmalloc(const void *start, unsigned long size,
0496                    kasan_vmalloc_flags_t flags)
0497 {
0498     /*
0499      * Software KASAN modes unpoison both VM_ALLOC and non-VM_ALLOC
0500      * mappings, so the KASAN_VMALLOC_VM_ALLOC flag is ignored.
0501      * Software KASAN modes can't optimize zeroing memory by combining it
0502      * with setting memory tags, so the KASAN_VMALLOC_INIT flag is ignored.
0503      */
0504 
0505     if (!is_vmalloc_or_module_addr(start))
0506         return (void *)start;
0507 
0508     /*
0509      * Don't tag executable memory with the tag-based mode.
0510      * The kernel doesn't tolerate having the PC register tagged.
0511      */
0512     if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) &&
0513         !(flags & KASAN_VMALLOC_PROT_NORMAL))
0514         return (void *)start;
0515 
0516     start = set_tag(start, kasan_random_tag());
0517     kasan_unpoison(start, size, false);
0518     return (void *)start;
0519 }
0520 
0521 /*
0522  * Poison the shadow for a vmalloc region. Called as part of the
0523  * freeing process at the time the region is freed.
0524  */
0525 void __kasan_poison_vmalloc(const void *start, unsigned long size)
0526 {
0527     if (!is_vmalloc_or_module_addr(start))
0528         return;
0529 
0530     size = round_up(size, KASAN_GRANULE_SIZE);
0531     kasan_poison(start, size, KASAN_VMALLOC_INVALID, false);
0532 }
0533 
0534 #else /* CONFIG_KASAN_VMALLOC */
0535 
0536 int kasan_alloc_module_shadow(void *addr, size_t size, gfp_t gfp_mask)
0537 {
0538     void *ret;
0539     size_t scaled_size;
0540     size_t shadow_size;
0541     unsigned long shadow_start;
0542 
0543     shadow_start = (unsigned long)kasan_mem_to_shadow(addr);
0544     scaled_size = (size + KASAN_GRANULE_SIZE - 1) >>
0545                 KASAN_SHADOW_SCALE_SHIFT;
0546     shadow_size = round_up(scaled_size, PAGE_SIZE);
0547 
0548     if (WARN_ON(!PAGE_ALIGNED(shadow_start)))
0549         return -EINVAL;
0550 
0551     if (IS_ENABLED(CONFIG_UML)) {
0552         __memset((void *)shadow_start, KASAN_SHADOW_INIT, shadow_size);
0553         return 0;
0554     }
0555 
0556     ret = __vmalloc_node_range(shadow_size, 1, shadow_start,
0557             shadow_start + shadow_size,
0558             GFP_KERNEL,
0559             PAGE_KERNEL, VM_NO_GUARD, NUMA_NO_NODE,
0560             __builtin_return_address(0));
0561 
0562     if (ret) {
0563         struct vm_struct *vm = find_vm_area(addr);
0564         __memset(ret, KASAN_SHADOW_INIT, shadow_size);
0565         vm->flags |= VM_KASAN;
0566         kmemleak_ignore(ret);
0567 
0568         if (vm->flags & VM_DEFER_KMEMLEAK)
0569             kmemleak_vmalloc(vm, size, gfp_mask);
0570 
0571         return 0;
0572     }
0573 
0574     return -ENOMEM;
0575 }
0576 
0577 void kasan_free_module_shadow(const struct vm_struct *vm)
0578 {
0579     if (IS_ENABLED(CONFIG_UML))
0580         return;
0581 
0582     if (vm->flags & VM_KASAN)
0583         vfree(kasan_mem_to_shadow(vm->addr));
0584 }
0585 
0586 #endif
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!