From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1762539AbbA3Rr0 (ORCPT <rfc822;w@1wt.eu>);
	Fri, 30 Jan 2015 12:47:26 -0500
Received: from mailout3.w1.samsung.com ([210.118.77.13]:63087 "EHLO
	mailout3.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750742AbbA3RrY (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 30 Jan 2015 12:47:24 -0500
X-AuditID: cbfec7f4-b7f126d000001e9a-ac-54cbc3182e63
Message-id: <54CBC3A1.5040505@samsung.com>
Date: Fri, 30 Jan 2015 20:47:13 +0300
From: Andrey Ryabinin <a.ryabinin@samsung.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
 Thunderbird/31.3.0
MIME-version: 1.0
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
        Konstantin Serebryany <kcc@google.com>,
        Dmitry Chernenkov <dmitryc@google.com>,
        Andrey Konovalov <adech.fo@gmail.com>,
        Yuri Gribov <tetra2005@gmail.com>,
        Konstantin Khlebnikov <koct9i@gmail.com>,
        Sasha Levin <sasha.levin@oracle.com>, Christoph Lameter <cl@linux.com>,
        Joonsoo Kim <iamjoonsoo.kim@lge.com>,
        Dave Hansen <dave.hansen@intel.com>, Andi Kleen <andi@firstfloor.org>,
        x86@kernel.org, linux-mm@kvack.org,
        Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Rusty Russell <rusty@rustcorp.com.au>, Michal Marek <mmarek@suse.cz>,
        "open list:KERNEL BUILD + fi..." <linux-kbuild@vger.kernel.org>
Subject: Re: [PATCH v10 17/17] kasan: enable instrumentation of global variables
References: <1404905415-9046-1-git-send-email-a.ryabinin@samsung.com>
 <1422544321-24232-1-git-send-email-a.ryabinin@samsung.com>
 <1422544321-24232-18-git-send-email-a.ryabinin@samsung.com>
 <20150129151332.3f87c0b2e335afd88af33e08@linux-foundation.org>
In-reply-to: <20150129151332.3f87c0b2e335afd88af33e08@linux-foundation.org>
Content-type: text/plain; charset=windows-1252
Content-transfer-encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA02Ra0iTYRiGeb/Tvi1Hn4fVq5HhUIiBU8HsxSSiX69EYCZhUdjUoYKbsjnT
	ItAUySUeplkNocWI2rC0SU5FRaZMwVIztUzaIU8YudKWGobmNMh/93Pf9/NcPx6WDLBSIWyO
	skCuUspyxYyAGt4anIiE/cMp0a7+OLTZ84hGTS3NDBqYWuehD2vfAFpdcgG06HbzUK27goca
	Xx1GpntlDLIuLBPIVOmi0Z+uDgK972pikKN5m0bjfQYClfeOEWi6cYxCxoEZEnkW6knUZrlP
	oo3WWfqMCD/uXAG4U/+Zhw0WDTZ2LxHYYq5ksGVVx8Pa5QkCe0ZGeHjo4SaF5yYeEHhl/hOF
	v/dOMvh56xCJ3xgGePinJRQPlXvpJO6KICFTnptTKFdFnb4uyPbUJud/FRW9tU9SJaDHXwv4
	LORioe71FLWnD8ExRwujBQI2gHsK4IsqO7E3lBFQX9YAtIBlhZwEtntJ3wLFRcBql31XM5wU
	bumtjE+LuFT4w/xrVws5f7hR79gFBHGR0LzYRfpuktwcDaesa4QvCOSSYIXD8o9cSkDzqIf2
	BXzuHKw2rZM+MLlDcL6T+GySOwbbmpfJWsDp9zH0/1v6fS0DIM1AJNdk5KvTsxQxUrVModYo
	s6QZeQoL2Hu2twMY7fE2wLFA7Cf8KBtOCaBlhepihQ1AlhQHCRt0O5YwU1Z8U67KS1NpcuVq
	GyBYfkgJiLkAjMyzUzO/D97wc2y6lW26i6GeiGRT962TVbFOSXzd2pPUy9FmV2BW4uhgccLZ
	VQK3WusaUtPCyYTzB8otBd6i0uDgzrBL/L7JBe3RL+mJVzt4RXGRUbNu5fHtmjvtptsvVU7z
	CedojaePkFYL6bCl+enCuxJR+JHxa7Z6MaXOlsVISJVa9hcveV0wygIAAA==
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/30/2015 02:13 AM, Andrew Morton wrote:
> On Thu, 29 Jan 2015 18:12:01 +0300 Andrey Ryabinin <a.ryabinin@samsung.com> wrote:
> 
>> This feature let us to detect accesses out of bounds
>> of global variables.
> 
> global variables *within modules*, I think?  More specificity needed here.

Within modules and within kernel image. Handling modules just the most
tricky part of this.

> 
>> The idea of this is simple. Compiler increases each global variable
>> by redzone size and add constructors invoking __asan_register_globals()
>> function. Information about global variable (address, size,
>> size with redzone ...) passed to __asan_register_globals() so we could
>> poison variable's redzone.
>>
>> This patch also forces module_alloc() to return 8*PAGE_SIZE aligned
>> address making shadow memory handling ( kasan_module_alloc()/kasan_module_free() )
>> more simple. Such alignment guarantees that each shadow page backing
>> modules address space correspond to only one module_alloc() allocation.
>>
>> ...
>>
>> +int kasan_module_alloc(void *addr, size_t size)
>> +{
>> +
>> +	size_t shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT,
>> +				PAGE_SIZE);
>> +	unsigned long shadow_start = kasan_mem_to_shadow((unsigned long)addr);
>> +	void *ret;
> 
> Like this:
> 
> 	size_t shadow_size;
> 	unsigned long shadow_start;
> 	void *ret;
> 
> 	shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE);
> 	shadow_start = kasan_mem_to_shadow((unsigned long)addr);
> 
> it's much easier to read and avoids the 80-column trickery.
> 
> I do suspect that
> 
> 	void *kasan_mem_to_shadow(const void *addr);
> 
> would clean up lots and lots of code.
> 

Agreed.

>> +	if (WARN_ON(!PAGE_ALIGNED(shadow_start)))
>> +		return -EINVAL;
>> +
>> +	ret = __vmalloc_node_range(shadow_size, 1, shadow_start,
>> +			shadow_start + shadow_size,
>> +			GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
>> +			PAGE_KERNEL, VM_NO_GUARD, NUMA_NO_NODE,
>> +			__builtin_return_address(0));
>> +	return ret ? 0 : -ENOMEM;
>> +}
>> +
>>
>> ...
>>
>> +struct kasan_global {
>> +	const void *beg;		/* Address of the beginning of the global variable. */
>> +	size_t size;			/* Size of the global variable. */
>> +	size_t size_with_redzone;	/* Size of the variable + size of the red zone. 32 bytes aligned */
>> +	const void *name;
>> +	const void *module_name;	/* Name of the module where the global variable is declared. */
>> +	unsigned long has_dynamic_init;	/* This needed for C++ */
> 
> This can be removed?
> 

No, compiler dictates layout of this struct. That probably deserves a comment.

>> +#if KASAN_ABI_VERSION >= 4
>> +	struct kasan_source_location *location;
>> +#endif
>> +};
>>
>> ...
>>
> 
>