Date: Fri, 14 Jan 2022 14:04:54 -0800
From: Andrew Morton
To: akpm@linux-foundation.org, andreyknvl@gmail.com, cl@linux.com, dvyukov@google.com, elver@google.com, glider@google.com, iamjoonsoo.kim@lge.com, linux-mm@kvack.org, mm-commits@vger.kernel.org, penberg@kernel.org, rientjes@google.com, ryabinin.a.a@gmail.com, torvalds@linux-foundation.org, vbabka@suse.cz
Subject: [patch 037/146] kasan: add ability to detect double-kmem_cache_destroy()
Message-ID: <20220114220454._y_b0o7I7%akpm@linux-foundation.org>
In-Reply-To: <20220114140222.6b14f0061194d3200000c52d@linux-foundation.org>
From: Marco Elver
Subject: kasan: add ability to detect double-kmem_cache_destroy()

Because mm/slab_common.c is not instrumented with software KASAN modes, it is not possible to detect use-after-free of the kmem_cache passed into kmem_cache_destroy(). In particular, because of the s->refcount-- and subsequent early return if non-zero, KASAN would never be able to see the double-free via kmem_cache_free(kmem_cache, s).

To be able to detect a double-kmem_cache_destroy(), check accessibility of the kmem_cache, and in case of failure return early.

While KASAN_HW_TAGS is able to detect such bugs, by checking accessibility and returning early we fail more gracefully and also avoid corrupting reused objects (where tags mismatch).

A recent case of a double-kmem_cache_destroy() was detected by KFENCE: https://lkml.kernel.org/r/0000000000003f654905c168b09d@google.com, which was not detectable by software KASAN modes.

Link: https://lkml.kernel.org/r/20211119142219.1519617-1-elver@google.com
Signed-off-by: Marco Elver
Acked-by: Vlastimil Babka
Reviewed-by: Andrey Konovalov
Cc: Alexander Potapenko
Cc: Andrey Ryabinin
Cc: Christoph Lameter
Cc: David Rientjes
Cc: Dmitry Vyukov
Cc: Joonsoo Kim
Cc: Pekka Enberg
Signed-off-by: Andrew Morton
---

 mm/slab_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/slab_common.c~kasan-add-ability-to-detect-double-kmem_cache_destroy +++ a/mm/slab_common.c @@ -489,7 +489,7 @@ void slab_kmem_cache_release(struct kmem void kmem_cache_destroy(struct kmem_cache *s) { - if (unlikely(!s)) + if (unlikely(!s) || !kasan_check_byte(s)) return; cpus_read_lock(); _
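Review bot: the new condition `if (unlikely(!s) || !kasan_check_byte(s))` returns silently when the accessibility check fails, so the hunk relies on kasan_check_byte() having already emitted the use-after-free report before it returns false; a one-line comment above the condition saying that the report is produced by the check itself, and what the check evaluates to in a build without KASAN, would stop a later reader from mistaking the early return for a silently dropped destroy. Keeping the `!s` test first is correct, since short-circuit evaluation keeps a NULL cache pointer out of kasan_check_byte().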