Date: Tue, 23 Jun 2020 09:26:54 +0200 Message-Id:
<20200623072653.114563-1-elver@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.27.0.111.gc72c7da667-goog Subject: [PATCH v2] mm, kcsan: Instrument SLAB/SLUB free with "ASSERT_EXCLUSIVE_ACCESS" From: Marco Elver To: elver@google.com, akpm@linux-foundation.org Cc: paulmck@kernel.org, dvyukov@google.com, glider@google.com, andreyknvl@google.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, linux-mm@kvack.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: C32DD1801E20F X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam04 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Provide the necessary KCSAN checks to assist with debugging racy use-after-frees. While KASAN is more reliable at generally catching such use-after-frees (due to its use of a quarantine), it can be difficult to debug racy use-after-frees. If a reliable reproducer exists, KCSAN can assist in debugging such issues. Note: ASSERT_EXCLUSIVE_ACCESS is a convenience wrapper if the size is simply sizeof(var). Instead, here we just use __kcsan_check_access() explicitly to pass the correct size. Signed-off-by: Marco Elver --- v2: * SLAB_TYPESAFE_BY_RCU allows racy use after free within RCU grace period. If slab is SLAB_TYPESAFE_BY_RCU do not check access. --- mm/slab.c | 5 +++++ mm/slub.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/mm/slab.c b/mm/slab.c index 9350062ffc1a..cba71d88e89c 100644 --- a/mm/slab.c +++ b/mm/slab.c 
@@ -3426,6 +3426,11 @@ static __always_inline void __cache_free(struct kmem_cache *cachep, void *objp, if (kasan_slab_free(cachep, objp, _RET_IP_)) return; + /* Use KCSAN to help debug racy use-after-free. */ + if (!(cachep->flags & SLAB_TYPESAFE_BY_RCU)) + __kcsan_check_access(objp, cachep->object_size, + KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT); + ___cache_free(cachep, objp, caller); } diff --git a/mm/slub.c b/mm/slub.c index b8f798b50d44..4a9d43fda669 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1470,6 +1470,11 @@ static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x) if (!(s->flags & SLAB_DEBUG_OBJECTS)) debug_check_no_obj_freed(x, s->object_size); + /* Use KCSAN to help debug racy use-after-free. */ + if (!(s->flags & SLAB_TYPESAFE_BY_RCU)) + __kcsan_check_access(x, s->object_size, + KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT); + /* KASAN might put x into memory quarantine, delaying its reuse */ return kasan_slab_free(s, x, _RET_IP_); } -- 2.27.0.111.gc72c7da667-goog
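Review bot: in the mm/slab.c hunk (__cache_free), the new comment "Use KCSAN to help debug racy use-after-free." does not say why SLAB_TYPESAFE_BY_RCU caches are excluded; the v2 changelog carries the reason (accesses to such objects within the RCU grace period are legitimate, so the exclusive-access assertion would produce false positives), and that rationale belongs next to the `if (!(cachep->flags & SLAB_TYPESAFE_BY_RCU))` test rather than only in the changelog, e.g. `/* Use KCSAN to help debug racy use-after-free; skip SLAB_TYPESAFE_BY_RCU caches, where access within the grace period is legal. */`. Note also that the check is placed after the `if (kasan_slab_free(cachep, objp, _RET_IP_)) return;` early exit, so on a build where KASAN quarantines the object the KCSAN assertion is never reached; this is the opposite of the ordering chosen in the slub.c hunk.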
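Review bot: the mm/slub.c hunk (slab_free_hook) repeats the slab.c logic verbatim, the SLAB_TYPESAFE_BY_RCU flag test plus `__kcsan_check_access(x, s->object_size, KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);`, so a small shared inline helper in mm/slab.h would keep the TYPESAFE_BY_RCU exception and the object_size choice in one place for both allocators. Here the assertion runs before `return kasan_slab_free(s, x, _RET_IP_);`, i.e. for every free regardless of whether KASAN later quarantines the object, whereas slab.c only asserts on the non-quarantined path; pick one ordering for both so the two allocators report the same races under the same configuration.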