From: Kevin Traynor
To: Anatoly Burakov
Cc: David Marchand, dpdk stable
Subject: patch 'malloc: fix ASan handling for unmapped memory' has been queued to stable release 21.11.2
Date: Tue, 10 May 2022 13:29:57 +0100
Message-Id: <20220510123010.159523-20-ktraynor@redhat.com>
In-Reply-To: <20220510123010.159523-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/15/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/de48c79f3bc2af6a9ac271e575f73bcb66b20c9c

Thanks.

Kevin

---
>From de48c79f3bc2af6a9ac271e575f73bcb66b20c9c Mon Sep 17 00:00:00 2001
From: Anatoly Burakov Date: Wed, 4 May 2022 14:31:58 +0000 Subject: [PATCH] malloc: fix ASan handling for unmapped memory [ upstream commit 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 ] Currently, when we free previously allocated memory, we mark the area as "freed" for ASan purposes (flag 0xfd). However, sometimes, freeing a malloc element will cause pages to be unmapped from memory and re-backed with anonymous memory again. This may cause ASan's "use-after-free" error down the line, because the allocator will try to write into memory areas recently marked as "freed". To fix this, we need to mark the unmapped memory area as "available", and fixup surrounding malloc element header/trailers to enable later malloc routines to safely write into new malloc elements' headers or trailers. Bugzilla ID: 994 Fixes: 6cc51b1293ce ("mem: instrument allocator for ASan") Reported-by: David Marchand Signed-off-by: Anatoly Burakov --- lib/eal/common/malloc_elem.h | 4 ++++ lib/eal/common/malloc_heap.c | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/lib/eal/common/malloc_elem.h b/lib/eal/common/malloc_elem.h index 15d8ba7af2..c5f26ffd2f 100644 --- a/lib/eal/common/malloc_elem.h +++ b/lib/eal/common/malloc_elem.h @@ -273,4 +273,8 @@ old_malloc_size(struct malloc_elem *elem) #define __rte_no_asan +static inline void +asan_set_zone(void *ptr __rte_unused, size_t len __rte_unused, + uint32_t val __rte_unused) { } + static inline void asan_set_freezone(void *ptr __rte_unused, size_t size __rte_unused) { } diff --git a/lib/eal/common/malloc_heap.c b/lib/eal/common/malloc_heap.c index 55aad2711b..1ca01e0901 100644 --- a/lib/eal/common/malloc_heap.c +++ b/lib/eal/common/malloc_heap.c @@ -861,4 +861,5 @@ malloc_heap_free(struct malloc_elem *elem) unsigned int i, n_segs, before_space, after_space; int ret; + bool unmapped = false; const struct internal_config *internal_conf = eal_get_internal_configuration(); 
@@ -1027,4 +1028,7 @@ malloc_heap_free(struct malloc_elem *elem) } + /* we didn't exit early, meaning we have unmapped some pages */ + unmapped = true; + RTE_LOG(DEBUG, EAL, "Heap on socket %d was shrunk by %zdMB\n", msl->socket_id, aligned_len >> 20ULL); @@ -1034,4 +1038,35 @@ free_unlock: asan_set_freezone(asan_ptr, asan_data_len); + /* if we unmapped some memory, we need to do additional work for ASan */ + if (unmapped) { + void *asan_end = RTE_PTR_ADD(asan_ptr, asan_data_len); + void *aligned_end = RTE_PTR_ADD(aligned_start, aligned_len); + void *aligned_trailer = RTE_PTR_SUB(aligned_start, + MALLOC_ELEM_TRAILER_LEN); + + /* + * There was a memory area that was unmapped. This memory area + * will have to be marked as available for ASan, because we will + * want to use it next time it gets mapped again. The OS memory + * protection should trigger a fault on access to these areas + * anyway, so we are not giving up any protection. + */ + asan_set_zone(aligned_start, aligned_len, 0x00); + + /* + * ...however, when we unmap pages, we create new free elements + * which might have been marked as "freed" with an earlier + * `asan_set_freezone` call. So, if there is an area past the + * unmapped space that was marked as freezone for ASan, we need + * to mark the malloc header as available. + */ + if (asan_end > aligned_end) + asan_set_zone(aligned_end, MALLOC_ELEM_HEADER_LEN, 0x00); + + /* if there's space before unmapped memory, mark as available */ + if (asan_ptr < aligned_start) + asan_set_zone(aligned_trailer, MALLOC_ELEM_TRAILER_LEN, 0x00); + } + rte_spinlock_unlock(&(heap->lock)); return ret; -- 2.34.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-05-10 13:24:22.147587271 +0100 +++ 0020-malloc-fix-ASan-handling-for-unmapped-memory.patch 2022-05-10 13:24:21.611646370 +0100 
@@ -1 +1 @@ -From 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 Mon Sep 17 00:00:00 2001 +From de48c79f3bc2af6a9ac271e575f73bcb66b20c9c Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 ] + @@ -20 +21,0 @@ -Cc: stable@dpdk.org @@ -30 +31 @@ -index f2aa98821b..c5f65895e1 100644 +index 15d8ba7af2..c5f26ffd2f 100644 @@ -33 +34 @@ -@@ -279,4 +279,8 @@ old_malloc_size(struct malloc_elem *elem) +@@ -273,4 +273,8 @@ old_malloc_size(struct malloc_elem *elem) @@ -43 +44 @@ -index 6c572b6f2c..a3d26fcbea 100644 +index 55aad2711b..1ca01e0901 100644 @@ -46 +47 @@ -@@ -862,4 +862,5 @@ malloc_heap_free(struct malloc_elem *elem) +@@ -861,4 +861,5 @@ malloc_heap_free(struct malloc_elem *elem) @@ -52 +53 @@ -@@ -1028,4 +1029,7 @@ malloc_heap_free(struct malloc_elem *elem) +@@ -1027,4 +1028,7 @@ malloc_heap_free(struct malloc_elem *elem) @@ -60 +61 @@ -@@ -1035,4 +1039,35 @@ free_unlock: +@@ -1034,4 +1038,35 @@ free_unlock:
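
Review bot: The lib/eal/common/malloc_elem.h hunk covers only the non-ASan build: the no-op asan_set_zone() stub sits after "#define __rte_no_asan", so the new callers in malloc_heap.c depend on an instrumented asan_set_zone(void *, size_t, uint32_t) already being present in the ASan-enabled part of this header on the 21.11 branch. That definition is not visible in this patch, and the interdiff shows the hunk landing at line 273 instead of 279, so the header differs from upstream around this point. Please confirm with an ASan-enabled build of the stable branch that the real function exists with the same signature as the stub.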
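
Review bot: In the malloc_heap_free() hunk at -1027, "unmapped = true" is inferred from control flow ("we didn't exit early") rather than from the unmap operation itself, so it is only correct while every earlier failure path jumps to free_unlock before reaching this line. Setting the flag next to the code that actually releases the pages, or documenting the invariant beside the "bool unmapped = false;" declaration, would keep a later change to the early-exit paths from clearing ASan state for memory that is still mapped.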
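
Review bot: In the free_unlock hunk, the two boundary fixups mark a fixed MALLOC_ELEM_HEADER_LEN at aligned_end and MALLOC_ELEM_TRAILER_LEN before aligned_start as available after checking only "asan_end > aligned_end" and "asan_ptr < aligned_start", not that the space left on that side is at least that long. If the allocator guarantees a full header or trailer always fits there, state that in the comment; otherwise clamp the length to the space actually remaining so the 0x00 marking cannot reach outside the range that asan_set_freezone() just covered. Separately, the comment justifies asan_set_zone(aligned_start, aligned_len, 0x00) by saying OS memory protection will fault on access, while the commit message says the pages are re-backed with anonymous memory; the comment should say what makes that region inaccessible, because after this change ASan no longer reports a stale access to it. A named constant in place of the bare 0x00 (the commit message gives 0xfd for "freed") would also make the three calls easier to read.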