Message-ID: <1ca6275f-a2fc-4bad-81dc-6257d4f8d750@suse.cz>
Date: Thu, 8 Aug 2024 20:57:12 +0200
Subject: Re: [PATCH v7 2/2] slub: Introduce CONFIG_SLUB_RCU_DEBUG
To: Jann Horn, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Marco Elver, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, David Sterba, syzbot+263726e59eab6b442723@syzkaller.appspotmail.com
References: <20240808-kasan-tsbrcu-v7-0-0d0590c54ae6@google.com> <20240808-kasan-tsbrcu-v7-2-0d0590c54ae6@google.com>
From: Vlastimil Babka
In-Reply-To: <20240808-kasan-tsbrcu-v7-2-0d0590c54ae6@google.com>

On 8/8/24 20:30, Jann Horn wrote:
> Currently, KASAN is unable to catch use-after-free in SLAB_TYPESAFE_BY_RCU
> slabs because use-after-free is allowed within the RCU grace period by
> design.
>
> Add a SLUB debugging feature which RCU-delays every individual
> kmem_cache_free() before either actually freeing the object or handing it
> off to KASAN, and change KASAN to poison freed objects as normal when this
> option is enabled.
>
> For now I've configured Kconfig.debug to default-enable this feature in the
> KASAN GENERIC and SW_TAGS modes; I'm not enabling it by default in HW_TAGS
> mode because I'm not sure if it might have unwanted performance degradation
> effects there.
>
> Note that this is mostly useful with KASAN in the quarantine-based GENERIC
> mode; SLAB_TYPESAFE_BY_RCU slabs are basically always also slabs with a
> ->ctor, and KASAN's assign_tag() currently has to assign fixed tags for
> those, reducing the effectiveness of SW_TAGS/HW_TAGS mode.
> (A possible future extension of this work would be to also let SLUB call
> the ->ctor() on every allocation instead of only when the slab page is
> allocated; then tag-based modes would be able to assign new tags on every
> reallocation.)
>
> Tested-by: syzbot+263726e59eab6b442723@syzkaller.appspotmail.com
> Reviewed-by: Andrey Konovalov
> Acked-by: Marco Elver
> Signed-off-by: Jann Horn

Acked-by: Vlastimil Babka [slab]

Just some very minor suggestions:

> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -582,12 +582,24 @@ void kmem_cache_destroy(struct kmem_cache *s) > rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU; > > s->refcount--; > if (s->refcount) > goto out_unlock; > > + if (IS_ENABLED(CONFIG_SLUB_RCU_DEBUG) && > + (s->flags & SLAB_TYPESAFE_BY_RCU)) { > + /* > + * Under CONFIG_SLUB_RCU_DEBUG, when objects in a > + * SLAB_TYPESAFE_BY_RCU slab are freed, SLUB will internally > + * defer their freeing with call_rcu(). > + * Wait for such call_rcu() invocations here before actually > + * destroying the cache. > + */ > + rcu_barrier(); If we wanted to be really nice and not do rcu_barrier() with the mutex held (but it's a debugging config so who cares, probably), we could do it before taking the mutex. It won't be even done unnecessarily as SLAB_TYPESAFE_BY_RCU cannot merge so refcount should always go from 1 to 0 for there. > + } > + > err = shutdown_cache(s); > WARN(err, "%s %s: Slab cache still has objects when called from %pS", > __func__, s->name, (void *)_RET_IP_); > out_unlock: > mutex_unlock(&slab_mutex); > cpus_read_unlock(); > diff --git a/mm/slub.c b/mm/slub.c > index 0c98b6a2124f..eb68f4a69f59 100644 > +#ifdef CONFIG_SLUB_RCU_DEBUG > +static void slab_free_after_rcu_debug(struct rcu_head *rcu_head) > +{ > + struct rcu_delayed_free *delayed_free = > + container_of(rcu_head, struct rcu_delayed_free, head); > + void *object = delayed_free->object; > + struct slab *slab = virt_to_slab(object); > + struct kmem_cache *s; > + > + kfree(delayed_free); > + > + if (WARN_ON(is_kfence_address(object))) > + return; > + > + /* find the object and the cache again */ > + if (WARN_ON(!slab)) > + return; > + s = slab->slab_cache; > + if (WARN_ON(!(s->flags & SLAB_TYPESAFE_BY_RCU))) > + return; > + > + /* resume freeing */ > + if (!slab_free_hook(s, object, slab_want_init_on_free(s), true)) > + return; > + do_slab_free(s, slab, object, object, 1, _THIS_IP_); Nit: at this point we could just do the more standard pattern if (slab_free_hook()) fo_slab_free()
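Review bot: in the kmem_cache_destroy() hunk the new condition re-evaluates `s->flags & SLAB_TYPESAFE_BY_RCU` even though the function has already stored exactly that result in `rcu_set` a few lines earlier; `if (IS_ENABLED(CONFIG_SLUB_RCU_DEBUG) && rcu_set)` would tie the two checks to the same flag and drop the second mask. The other thing worth a line in the block comment is that rcu_barrier() is called while slab_mutex and cpus_read_lock() are held (the trailing context shows both being released at out_unlock), so every other cache destroy or CPU hotplug operation waits for a full grace period here; saying that this cost is accepted because the option is debug-only, or moving the barrier ahead of the mutex as the reply suggests, would make the intent explicit.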
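Review bot: in the slab_free_after_rcu_debug() hunk the three WARN_ON() early returns (kfence address, NULL slab, cache without SLAB_TYPESAFE_BY_RCU) all return without freeing the object, so on any of them the object is leaked; that is a defensible choice for a debug path where the cache can no longer be trusted, but the "find the object and the cache again" comment should state it, otherwise the returns read like an unfinished error path. The `slab->slab_cache` dereference also deserves a comment that it depends on the rcu_barrier() added to kmem_cache_destroy() in the same patch, since without that barrier a pending callback could run after the cache has been shut down. For the tail of the function, the positive form `if (slab_free_hook(s, object, slab_want_init_on_free(s), true)) do_slab_free(s, slab, object, object, 1, _THIS_IP_);` proposed in the reply is the shorter equivalent of the `if (!...) return;` pair.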