From: Walter Wu <walter-zh.wu@mediatek.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: "Paul E. McKenney" <paulmck@kernel.org>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Josh Triplett <josh@joshtriplett.org>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Lai Jiangshan <jiangshanlai@gmail.com>,
Joel Fernandes <joel@joelfernandes.org>,
Andrew Morton <akpm@linux-foundation.org>,
kasan-dev <kasan-dev@googlegroups.com>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
"Linux ARM" <linux-arm-kernel@lists.infradead.org>,
wsd_upstream <wsd_upstream@mediatek.com>,
<linux-mediatek@lists.infradead.org>
Subject: Re: [PATCH v2 1/3] rcu/kasan: record and print call_rcu() call stack
Date: Wed, 13 May 2020 10:05:31 +0800 [thread overview]
Message-ID: <1589335531.19238.52.camel@mtksdccf07> (raw)
In-Reply-To: <CACT4Y+aWNDntO6+Rhn0a-4N1gLOTe5UzYB9m5TnkFxG_L15cXA@mail.gmail.com>
On Tue, 2020-05-12 at 18:22 +0200, Dmitry Vyukov wrote:
> On Tue, May 12, 2020 at 6:14 PM Paul E. McKenney <paulmck@kernel.org> wrote:
> > > > > > > > This feature will record first and last call_rcu() call stack and
> > > > > > > > print two call_rcu() call stack in KASAN report.
> > > > > > >
> > > > > > > Suppose that a given rcu_head structure is passed to call_rcu(), then
> > > > > > > the grace period elapses, the callback is invoked, and the enclosing
> > > > > > > data structure is freed. But then that same region of memory is
> > > > > > > immediately reallocated as the same type of structure and again
> > > > > > > passed to call_rcu(), and that this cycle repeats several times.
> > > > > > >
> > > > > > > Would the first call stack forever be associated with the first
> > > > > > > call_rcu() in this series? If so, wouldn't the last two usually
> > > > > > > be the most useful? Or am I unclear on the use case?
> > > > >
> > > > > 2 points here:
> > > > >
> > > > > 1. With KASAN the object won't be immediately reallocated. KASAN has
> > > > > 'quarantine' to delay reuse of heap objects. It is assumed that the
> > > > > object is still in quarantine when we detect a use-after-free. In such
> > > > > a case we will have proper call_rcu stacks as well.
> > > > > It is possible that the object is not in quarantine already and was
> > > > > reused several times (quarantine is not infinite), but then KASAN will
> > > > > report non-sense stacks for allocation/free as well. So wrong call_rcu
> > > > > stacks are less of a problem in such cases.
> > > > >
> > > > > 2. We would like to memorize 2 last call_rcu stacks regardless, but we
> > > > > just don't have a good place for the index (bit which of the 2 is the
> > > > > one to overwrite). Probably could shove it into some existing field,
> > > > > but then will require atomic operations, etc.
> > > > >
> > > > > Nobody knows how well/bad it will work. I think we need to get the
> > > > > first version in, deploy on syzbot, accumulate some base of example
> > > > > reports and iterate from there.
> > > >
> > > > If I understood the stack-index point below, why not just move the
> > > > previous stackm index to clobber the previous-to-previous stack index,
> > > > then put the current stack index into the spot thus opened up?
> > >
> > > We don't have any index in this change (don't have memory for such index).
> > > The pseudo code is"
> > >
> > > u32 aux_stacks[2]; // = {0,0}
> > >
> > > if (aux_stacks[0] != 0)
> > > aux_stacks[0] = stack;
> > > else
> > > aux_stacks[1] = stack;
> >
> > I was thinking in terms of something like this:
> >
> > u32 aux_stacks[2]; // = {0,0}
> >
> > if (aux_stacks[0] != 0) {
> > aux_stacks[0] = stack;
> > } else {
> > if (aux_stacks[1])
> > aux_stacks[0] = aux_stacks[1];
> > aux_stacks[1] = stack;
> > }
> >
> > Whether this actually makes sense in real life, I have no idea.
> > The theory is that you want the last two stacks. However, if these
> > elements get cleared at kfree() time, then I could easily believe that
> > the approach you already have (first and last) is the way to go.
> >
> > Just asking the question, not arguing for a change!
>
> Oh, this is so obvious... in hindsight! :)
>
> Walter, what do you think?
>
u32 aux_stacks[2]; // = {0,0}
if (aux_stacks[0] != 0) {
aux_stacks[0] = stack;
} else {
if (aux_stacks[1])
aux_stacks[0] = aux_stacks[1];
aux_stacks[1] = stack;
}
Hmm...why I think it will always cover aux_stacks[0] after aux_stacks[0]
has stack, it should not record last two stacks?
How about this:
u32 aux_stacks[2]; // = {0,0}
if (aux_stacks[1])
aux_stacks[0] = aux_stacks[1];
aux_stacks[1] = stack;
> I would do this. I think latter stacks are generally more interesting
> wrt shedding light on a bug. The first stack may even be "statically
> known" (e.g. if object is always queued into a workqueue for some lazy
> initialization during construction).
I think it make more sense to record latter stack, too.
Thanks for your and Paul's suggestion.
next prev parent reply other threads:[~2020-05-13 2:05 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-11 2:31 Walter Wu
2020-05-11 11:08 ` Dmitry Vyukov
2020-05-11 12:29 ` Walter Wu
2020-05-11 11:14 ` Dmitry Vyukov
2020-05-11 12:20 ` Dmitry Vyukov
2020-05-11 12:54 ` Walter Wu
2020-05-11 13:00 ` Dmitry Vyukov
2020-05-11 12:31 ` Dmitry Vyukov
2020-05-11 12:43 ` Dmitry Vyukov
2020-05-11 13:29 ` Walter Wu
2020-05-11 14:19 ` Dmitry Vyukov
2020-05-12 3:38 ` Walter Wu
2020-05-12 14:03 ` Dmitry Vyukov
2020-05-13 1:47 ` Walter Wu
2020-05-13 6:51 ` Dmitry Vyukov
2020-05-13 9:05 ` Walter Wu
2020-05-13 9:16 ` Dmitry Vyukov
2020-05-13 9:22 ` Walter Wu
2020-05-11 18:05 ` Paul E. McKenney
2020-05-12 2:36 ` Walter Wu
2020-05-12 13:56 ` Dmitry Vyukov
2020-05-12 14:25 ` Paul E. McKenney
2020-05-12 15:50 ` Dmitry Vyukov
2020-05-12 16:14 ` Paul E. McKenney
2020-05-12 16:22 ` Dmitry Vyukov
2020-05-13 2:05 ` Walter Wu [this message]
2020-05-13 3:19 ` Paul E. McKenney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1589335531.19238.52.camel@mtksdccf07 \
--to=walter-zh.wu@mediatek.com \
--cc=akpm@linux-foundation.org \
--cc=aryabinin@virtuozzo.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=jiangshanlai@gmail.com \
--cc=joel@joelfernandes.org \
--cc=josh@joshtriplett.org \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=matthias.bgg@gmail.com \
--cc=paulmck@kernel.org \
--cc=wsd_upstream@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox