patches for DPDK stable branches
 help / color / mirror / Atom feed
From: Kevin Traynor <ktraynor@redhat.com>
To: Anatoly Burakov <anatoly.burakov@intel.com>
Cc: David Marchand <david.marchand@redhat.com>,
	dpdk stable <stable@dpdk.org>
Subject: patch 'malloc: fix ASan handling for unmapped memory' has been queued to stable release 21.11.2
Date: Tue, 10 May 2022 13:29:57 +0100
Message-ID: <20220510123010.159523-20-ktraynor@redhat.com> (raw)
In-Reply-To: <20220510123010.159523-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/15/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/de48c79f3bc2af6a9ac271e575f73bcb66b20c9c

Thanks.

Kevin

---
From de48c79f3bc2af6a9ac271e575f73bcb66b20c9c Mon Sep 17 00:00:00 2001
From: Anatoly Burakov <anatoly.burakov@intel.com>
Date: Wed, 4 May 2022 14:31:58 +0000
Subject: [PATCH] malloc: fix ASan handling for unmapped memory

[ upstream commit 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 ]

Currently, when we free previously allocated memory, we mark the area as
"freed" for ASan purposes (flag 0xfd). However, sometimes, freeing a
malloc element will cause pages to be unmapped from memory and re-backed
with anonymous memory again. This may cause ASan's "use-after-free"
error down the line, because the allocator will try to write into
memory areas recently marked as "freed".

To fix this, we need to mark the unmapped memory area as "available",
and fixup surrounding malloc element header/trailers to enable later
malloc routines to safely write into new malloc elements' headers or
trailers.

Bugzilla ID: 994
Fixes: 6cc51b1293ce ("mem: instrument allocator for ASan")

Reported-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
 lib/eal/common/malloc_elem.h |  4 ++++
 lib/eal/common/malloc_heap.c | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/lib/eal/common/malloc_elem.h b/lib/eal/common/malloc_elem.h
index 15d8ba7af2..c5f26ffd2f 100644
--- a/lib/eal/common/malloc_elem.h
+++ b/lib/eal/common/malloc_elem.h
@@ -273,4 +273,8 @@ old_malloc_size(struct malloc_elem *elem)
 #define __rte_no_asan
 
+static inline void
+asan_set_zone(void *ptr __rte_unused, size_t len __rte_unused,
+		uint32_t val __rte_unused) { }
+
 static inline void
 asan_set_freezone(void *ptr __rte_unused, size_t size __rte_unused) { }
diff --git a/lib/eal/common/malloc_heap.c b/lib/eal/common/malloc_heap.c
index 55aad2711b..1ca01e0901 100644
--- a/lib/eal/common/malloc_heap.c
+++ b/lib/eal/common/malloc_heap.c
@@ -861,4 +861,5 @@ malloc_heap_free(struct malloc_elem *elem)
 	unsigned int i, n_segs, before_space, after_space;
 	int ret;
+	bool unmapped = false;
 	const struct internal_config *internal_conf =
 		eal_get_internal_configuration();
@@ -1027,4 +1028,7 @@ malloc_heap_free(struct malloc_elem *elem)
 	}
 
+	/* we didn't exit early, meaning we have unmapped some pages */
+	unmapped = true;
+
 	RTE_LOG(DEBUG, EAL, "Heap on socket %d was shrunk by %zdMB\n",
 		msl->socket_id, aligned_len >> 20ULL);
@@ -1034,4 +1038,35 @@ free_unlock:
 	asan_set_freezone(asan_ptr, asan_data_len);
 
+	/* if we unmapped some memory, we need to do additional work for ASan */
+	if (unmapped) {
+		void *asan_end = RTE_PTR_ADD(asan_ptr, asan_data_len);
+		void *aligned_end = RTE_PTR_ADD(aligned_start, aligned_len);
+		void *aligned_trailer = RTE_PTR_SUB(aligned_start,
+				MALLOC_ELEM_TRAILER_LEN);
+
+		/*
+		 * There was a memory area that was unmapped. This memory area
+		 * will have to be marked as available for ASan, because we will
+		 * want to use it next time it gets mapped again. The OS memory
+		 * protection should trigger a fault on access to these areas
+		 * anyway, so we are not giving up any protection.
+		 */
+		asan_set_zone(aligned_start, aligned_len, 0x00);
+
+		/*
+		 * ...however, when we unmap pages, we create new free elements
+		 * which might have been marked as "freed" with an earlier
+		 * `asan_set_freezone` call. So, if there is an area past the
+		 * unmapped space that was marked as freezone for ASan, we need
+		 * to mark the malloc header as available.
+		 */
+		if (asan_end > aligned_end)
+			asan_set_zone(aligned_end, MALLOC_ELEM_HEADER_LEN, 0x00);
+
+		/* if there's space before unmapped memory, mark as available */
+		if (asan_ptr < aligned_start)
+			asan_set_zone(aligned_trailer, MALLOC_ELEM_TRAILER_LEN, 0x00);
+	}
+
 	rte_spinlock_unlock(&(heap->lock));
 	return ret;
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2022-05-10 13:24:22.147587271 +0100
+++ 0020-malloc-fix-ASan-handling-for-unmapped-memory.patch	2022-05-10 13:24:21.611646370 +0100
@@ -1 +1 @@
-From 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 Mon Sep 17 00:00:00 2001
+From de48c79f3bc2af6a9ac271e575f73bcb66b20c9c Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 ]
+
@@ -20 +21,0 @@
-Cc: stable@dpdk.org
@@ -30 +31 @@
-index f2aa98821b..c5f65895e1 100644
+index 15d8ba7af2..c5f26ffd2f 100644
@@ -33 +34 @@
-@@ -279,4 +279,8 @@ old_malloc_size(struct malloc_elem *elem)
+@@ -273,4 +273,8 @@ old_malloc_size(struct malloc_elem *elem)
@@ -43 +44 @@
-index 6c572b6f2c..a3d26fcbea 100644
+index 55aad2711b..1ca01e0901 100644
@@ -46 +47 @@
-@@ -862,4 +862,5 @@ malloc_heap_free(struct malloc_elem *elem)
+@@ -861,4 +861,5 @@ malloc_heap_free(struct malloc_elem *elem)
@@ -52 +53 @@
-@@ -1028,4 +1029,7 @@ malloc_heap_free(struct malloc_elem *elem)
+@@ -1027,4 +1028,7 @@ malloc_heap_free(struct malloc_elem *elem)
@@ -60 +61 @@
-@@ -1035,4 +1039,35 @@ free_unlock:
+@@ -1034,4 +1038,35 @@ free_unlock:


  parent reply	other threads:[~2022-05-10 12:30 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-10 12:29 patch 'eal/windows: add missing C++ include guards' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/dpaa2: fix dpdmux default interface' " Kevin Traynor
2022-05-10 12:29 ` patch 'examples/bond: fix invalid use of trylock' " Kevin Traynor
2022-05-10 12:29 ` patch 'test/bpf: skip test if libpcap is unavailable' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/ice: improve performance of Rx timestamp offload' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/i40e: populate error in flow director parser' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/ice: add missing Tx burst mode name' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/ice: refactor parser usage' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/ice: fix raw flow input pattern parsing' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/netvsc: fix calculation of checksums based on mbuf flag' " Kevin Traynor
2022-05-10 12:29 ` patch 'common/mlx5: fix memory region range calculation' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/mlx5: fix Tx when inlining is impossible' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/mlx5: fix probing with secondary bonding member' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/mlx5: fix counter in non-termination meter' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/mlx5: restrict Rx queue array access to boundary' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/mlx5: fix GTP handling in header modify action' " Kevin Traynor
2022-05-10 12:29 ` patch 'net/mlx5: fix Rx/Tx stats concurrency' " Kevin Traynor
2022-05-10 12:29 ` patch 'test/table: fix buffer overflow on lpm entry' " Kevin Traynor
2022-05-10 12:29 ` patch 'mem: skip attaching external memory in secondary process' " Kevin Traynor
2022-05-10 12:29 ` Kevin Traynor [this message]
2022-05-10 12:29 ` patch 'eal: fix C++ include for device event and DMA' " Kevin Traynor
2022-05-10 12:29 ` patch 'crypto/dpaa_sec: fix digest size' " Kevin Traynor
2022-05-10 12:30 ` patch 'security: fix SA lifetime comments' " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/mlx5: fix login cleanup' " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/dpaa2_sec: fix fle buffer leak' " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/dpaa2_sec: fix buffer pool ID check' " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/dpaa_sec: fix chained FD length in raw datapath' " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/dpaa2_sec: " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/dpaa_sec: fix secondary process probing' " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/dpaa2_sec: fix crypto operation pointer' " Kevin Traynor
2022-05-10 12:30 ` patch 'crypto/dpaa2_sec: fix operation status for simple FD' " Kevin Traynor
2022-05-10 12:30 ` patch 'common/dpaax: fix short MAC-I IV calculation for ZUC' " Kevin Traynor
2022-05-10 12:30 ` patch 'examples/l2fwd-crypto: fix stats refresh rate' " Kevin Traynor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220510123010.159523-20-ktraynor@redhat.com \
    --to=ktraynor@redhat.com \
    --cc=anatoly.burakov@intel.com \
    --cc=david.marchand@redhat.com \
    --cc=stable@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

patches for DPDK stable branches

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.dpdk.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ http://inbox.dpdk.org/stable \
		stable@dpdk.org
	public-inbox-index stable

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.stable


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git