From: Andrey Konovalov <andreyknvl@gmail.com>
Date: Fri, 2 Aug 2024 22:54:26 +0200
Subject: Re: [PATCH v6 2/2] slub: Introduce CONFIG_SLUB_RCU_DEBUG
To: Jann Horn
Cc: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Vincenzo Frascino,
	Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes,
	Joonsoo Kim, Vlastimil Babka, Roman Gushchin,
	Hyeonggon Yoo <42.hyeyoo@gmail.com>, Marco Elver,
	kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzbot+263726e59eab6b442723@syzkaller.appspotmail.com
In-Reply-To: <20240802-kasan-tsbrcu-v6-2-60d86ea78416@google.com>
References: <20240802-kasan-tsbrcu-v6-0-60d86ea78416@google.com>
	<20240802-kasan-tsbrcu-v6-2-60d86ea78416@google.com>

On Fri, Aug 2, 2024 at 10:32 PM Jann Horn wrote:
>
> Currently, KASAN is unable to catch use-after-free in SLAB_TYPESAFE_BY_RCU
> slabs because use-after-free is allowed within the RCU grace period by
> design.
>
> Add a SLUB debugging feature which RCU-delays every individual
> kmem_cache_free() before either actually freeing the object or handing it
> off to KASAN, and change KASAN to poison freed objects as normal when this
> option is enabled.
>
> For now I've configured Kconfig.debug to default-enable this feature in the
> KASAN GENERIC and SW_TAGS modes; I'm not enabling it by default in HW_TAGS
> mode because I'm not sure if it might have unwanted performance degradation
> effects there.
>
> Note that this is mostly useful with KASAN in the quarantine-based GENERIC
> mode; SLAB_TYPESAFE_BY_RCU slabs are basically always also slabs with a
> ->ctor, and KASAN's assign_tag() currently has to assign fixed tags for
> those, reducing the effectiveness of SW_TAGS/HW_TAGS mode.
> (A possible future extension of this work would be to also let SLUB call
> the ->ctor() on every allocation instead of only when the slab page is
> allocated; then tag-based modes would be able to assign new tags on every
> reallocation.)
>
> Tested-by: syzbot+263726e59eab6b442723@syzkaller.appspotmail.com
> Signed-off-by: Jann Horn
> ---
>  include/linux/kasan.h | 17 +++++++----
>  mm/Kconfig.debug      | 30 +++++++++++++++++++
>  mm/kasan/common.c     | 11 +++----
>  mm/kasan/kasan_test.c | 46 ++++++++++++++++++++++++++++++
>  mm/slab_common.c      | 12 ++++++++
>  mm/slub.c             | 79 +++++++++++++++++++++++++++++++++++++++++++++------
>  6 files changed, 176 insertions(+), 19 deletions(-)
>
> diff --git a/include/linux/kasan.h b/include/linux/kasan.h
> index 1570c7191176..00a3bf7c0d8f 100644
> --- a/include/linux/kasan.h
> +++ b/include/linux/kasan.h
> @@ -193,40 +193,44 @@ static __always_inline bool kasan_slab_pre_free(struct kmem_cache *s,
>  {
>         if (kasan_enabled())
>                 return __kasan_slab_pre_free(s, object, _RET_IP_);
>         return false;
>  }
>
> -bool __kasan_slab_free(struct kmem_cache *s, void *object, bool init);
> +bool __kasan_slab_free(struct kmem_cache *s, void *object, bool init,
> +                      bool still_accessible);
>  /**
>   * kasan_slab_free - Poison, initialize, and quarantine a slab object.
>   * @object: Object to be freed.
>   * @init: Whether to initialize the object.
> + * @still_accessible: Whether the object contents are still accessible.
>   *
>   * This function informs that a slab object has been freed and is not
> - * supposed to be accessed anymore, except for objects in
> - * SLAB_TYPESAFE_BY_RCU caches.
> + * supposed to be accessed anymore, except when @still_accessible is set
> + * (indicating that the object is in a SLAB_TYPESAFE_BY_RCU cache and an RCU
> + * grace period might not have passed yet).
>   *
>   * For KASAN modes that have integrated memory initialization
>   * (kasan_has_integrated_init() == true), this function also initializes
>   * the object's memory. For other modes, the @init argument is ignored.
>   *
>   * This function might also take ownership of the object to quarantine it.
>   * When this happens, KASAN will defer freeing the object to a later
>   * stage and handle it internally until then. The return value indicates
>   * whether KASAN took ownership of the object.
>   *
>   * This function is intended only for use by the slab allocator.
>   *
>   * @Return true if KASAN took ownership of the object; false otherwise.
>   */
>  static __always_inline bool kasan_slab_free(struct kmem_cache *s,
> -                                           void *object, bool init)
> +                                           void *object, bool init,
> +                                           bool still_accessible)
>  {
>         if (kasan_enabled())
> -               return __kasan_slab_free(s, object, init);
> +               return __kasan_slab_free(s, object, init, still_accessible);
>         return false;
>  }
>
>  void __kasan_kfree_large(void *ptr, unsigned long ip);
>  static __always_inline void kasan_kfree_large(void *ptr)
>  {
> @@ -416,13 +420,14 @@ static inline void *kasan_init_slab_obj(struct kmem_cache *cache,
>
>  static inline bool kasan_slab_pre_free(struct kmem_cache *s, void *object)
>  {
>         return false;
>  }
>
> -static inline bool kasan_slab_free(struct kmem_cache *s, void *object, bool init)
> +static inline bool kasan_slab_free(struct kmem_cache *s, void *object,
> +                                  bool init, bool still_accessible)
>  {
>         return false;
>  }
>  static inline void kasan_kfree_large(void *ptr) {}
>  static inline void *kasan_slab_alloc(struct kmem_cache *s, void *object,
>                                      gfp_t flags, bool init)
> diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
> index afc72fde0f03..8e440214aac8 100644
> --- a/mm/Kconfig.debug
> +++ b/mm/Kconfig.debug
> @@ -67,12 +67,42 @@ config SLUB_DEBUG_ON
>           equivalent to specifying the "slab_debug" parameter on boot.
>           There is no support for more fine grained debug control like
>           possible with slab_debug=xxx. SLUB debugging may be switched
>           off in a kernel built with CONFIG_SLUB_DEBUG_ON by specifying
>           "slab_debug=-".
>
> +config SLUB_RCU_DEBUG
> +       bool "Enable UAF detection in TYPESAFE_BY_RCU caches (for KASAN)"
> +       depends on SLUB_DEBUG
> +       depends on KASAN # not a real dependency; currently useless without KASAN
> +       default KASAN_GENERIC || KASAN_SW_TAGS
> +       help
> +         Make SLAB_TYPESAFE_BY_RCU caches behave approximately as if the cache
> +         was not marked as SLAB_TYPESAFE_BY_RCU and every caller used
> +         kfree_rcu() instead.
> +
> +         This is intended for use in combination with KASAN, to enable KASAN to
> +         detect use-after-free accesses in such caches.
> +         (KFENCE is able to do that independent of this flag.)
> +
> +         This might degrade performance.
> +         Unfortunately this also prevents a very specific bug pattern from
> +         triggering (insufficient checks against an object being recycled
> +         within the RCU grace period); so this option can be turned off even on
> +         KASAN builds, in case you want to test for such a bug.
> +
> +         If you're using this for testing bugs / fuzzing and care about
> +         catching all the bugs WAY more than performance, you might want to
> +         also turn on CONFIG_RCU_STRICT_GRACE_PERIOD.
> +
> +         WARNING:
> +         This is designed as a debugging feature, not a security feature.
> +         Objects are sometimes recycled without RCU delay under memory pressure.
> +
> +         If unsure, say N.
> +
>  config PAGE_OWNER
>         bool "Track page owner"
>         depends on DEBUG_KERNEL && STACKTRACE_SUPPORT
>         select DEBUG_FS
>         select STACKTRACE
>         select STACKDEPOT
> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> index f26bbc087b3b..ed4873e18c75 100644
> --- a/mm/kasan/common.c
> +++ b/mm/kasan/common.c
> @@ -227,43 +227,44 @@ static bool check_slab_allocation(struct kmem_cache *cache, void *object,
>         }
>
>         return false;
>  }
>
>  static inline void poison_slab_object(struct kmem_cache *cache, void *object,
> -                                     bool init)
> +                                     bool init, bool still_accessible)
>  {
>         void *tagged_object = object;
>
>         object = kasan_reset_tag(object);
>
>         /* RCU slabs could be legally used after free within the RCU period. */
> -       if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU))
> +       if (unlikely(still_accessible))
>                 return;
>
>         kasan_poison(object, round_up(cache->object_size, KASAN_GRANULE_SIZE),
>                      KASAN_SLAB_FREE, init);
>
>         if (kasan_stack_collection_enabled())
>                 kasan_save_free_info(cache, tagged_object);
>  }
>
>  bool __kasan_slab_pre_free(struct kmem_cache *cache, void *object,
>                            unsigned long ip)
>  {
>         if (!kasan_arch_is_ready() || is_kfence_address(object))
>                 return false;
>         return check_slab_allocation(cache, object, ip);
>  }
>
> -bool __kasan_slab_free(struct kmem_cache *cache, void *object, bool init)
> +bool __kasan_slab_free(struct kmem_cache *cache, void *object, bool init,
> +                      bool still_accessible)
>  {
>         if (!kasan_arch_is_ready() || is_kfence_address(object))
>                 return false;
>
> -       poison_slab_object(cache, object, init);
> +       poison_slab_object(cache, object, init, still_accessible);
>
>         /*
>          * If the object is put into quarantine, do not let slab put the object
>          * onto the freelist for now. The object's metadata is kept until the
>          * object gets evicted from quarantine.
>          */
> @@ -515,13 +516,13 @@ bool __kasan_mempool_poison_object(void *ptr, unsigned long ip)
>
>         slab = folio_slab(folio);
>
>         if (check_slab_allocation(slab->slab_cache, ptr, ip))
>                 return false;
>
> -       poison_slab_object(slab->slab_cache, ptr, false);
> +       poison_slab_object(slab->slab_cache, ptr, false, false);
>         return true;
>  }
>
>  void __kasan_mempool_unpoison_object(void *ptr, size_t size, unsigned long ip)
>  {
>         struct slab *slab;
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> index 7b32be2a3cf0..567d33b493e2 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test.c
> @@ -993,12 +993,57 @@ static void kmem_cache_invalid_free(struct kunit *test)
>          */
>         kmem_cache_free(cache, p);
>
>         kmem_cache_destroy(cache);
>  }
>
> +static void kmem_cache_rcu_uaf(struct kunit *test)
> +{
> +       char *p;
> +       size_t size = 200;
> +       struct kmem_cache *cache;
> +
> +       KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB_RCU_DEBUG);

Ah, I noticed another thing: this test might fail if someone enables
CONFIG_SLUB_RCU_DEBUG with HW_TAGS, right? I think we need another
check here.

> +
> +       cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
> +                                 NULL);
> +       KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
> +
> +       p = kmem_cache_alloc(cache, GFP_KERNEL);
> +       if (!p) {
> +               kunit_err(test, "Allocation failed: %s\n", __func__);
> +               kmem_cache_destroy(cache);
> +               return;
> +       }
> +       *p = 1;
> +
> +       rcu_read_lock();
> +
> +       /* Free the object - this will internally schedule an RCU callback. */
> +       kmem_cache_free(cache, p);
> +
> +       /*
> +        * We should still be allowed to access the object at this point because
> +        * the cache is SLAB_TYPESAFE_BY_RCU and we've been in an RCU read-side
> +        * critical section since before the kmem_cache_free().
> +        */
> +       READ_ONCE(*p);
> +
> +       rcu_read_unlock();
> +
> +       /*
> +        * Wait for the RCU callback to execute; after this, the object should
> +        * have actually been freed from KASAN's perspective.
> +        */
> +       rcu_barrier();
> +
> +       KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*p));
> +
> +       kmem_cache_destroy(cache);
> +}
> +
>  static void empty_cache_ctor(void *object) { }
>
>  static void kmem_cache_double_destroy(struct kunit *test)
>  {
>         struct kmem_cache *cache;
>
> @@ -1934,12 +1979,13 @@ static struct kunit_case kasan_kunit_test_cases[] = {
>         KUNIT_CASE(workqueue_uaf),
>         KUNIT_CASE(kfree_via_page),
>         KUNIT_CASE(kfree_via_phys),
>         KUNIT_CASE(kmem_cache_oob),
>         KUNIT_CASE(kmem_cache_double_free),
>         KUNIT_CASE(kmem_cache_invalid_free),
> +       KUNIT_CASE(kmem_cache_rcu_uaf),
>         KUNIT_CASE(kmem_cache_double_destroy),
>         KUNIT_CASE(kmem_cache_accounted),
>         KUNIT_CASE(kmem_cache_bulk),
>         KUNIT_CASE(mempool_kmalloc_oob_right),
>         KUNIT_CASE(mempool_kmalloc_large_oob_right),
>         KUNIT_CASE(mempool_slab_oob_right),
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 40b582a014b8..df09066d56fe 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -539,12 +539,24 @@ static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work)
>                 kmem_cache_release(s);
>         }
>  }
>
>  static int shutdown_cache(struct kmem_cache *s)
>  {
> +       if (IS_ENABLED(CONFIG_SLUB_RCU_DEBUG) &&
> +           (s->flags & SLAB_TYPESAFE_BY_RCU)) {
> +               /*
> +                * Under CONFIG_SLUB_RCU_DEBUG, when objects in a
> +                * SLAB_TYPESAFE_BY_RCU slab are freed, SLUB will internally
> +                * defer their freeing with call_rcu().
> +                * Wait for such call_rcu() invocations here before actually
> +                * destroying the cache.
> +                */
> +               rcu_barrier();
> +       }
> +
>         /* free asan quarantined objects */
>         kasan_cache_shutdown(s);
>
>         if (__kmem_cache_shutdown(s) != 0)
>                 return -EBUSY;
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 0c98b6a2124f..a89f2006d46e 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -2197,45 +2197,81 @@ static inline bool memcg_slab_post_alloc_hook(struct kmem_cache *s,
>  static inline void memcg_slab_free_hook(struct kmem_cache *s, struct slab *slab,
>                                         void **p, int objects)
>  {
>  }
>  #endif /* CONFIG_MEMCG */
>
> +#ifdef CONFIG_SLUB_RCU_DEBUG
> +static void slab_free_after_rcu_debug(struct rcu_head *rcu_head);
> +
> +struct rcu_delayed_free {
> +       struct rcu_head head;
> +       void *object;
> +};
> +#endif
> +
>  /*
>   * Hooks for other subsystems that check memory allocations. In a typical
>   * production configuration these hooks all should produce no code at all.
>   *
>   * Returns true if freeing of the object can proceed, false if its reuse
> - * was delayed by KASAN quarantine, or it was returned to KFENCE.
> + * was delayed by CONFIG_SLUB_RCU_DEBUG or KASAN quarantine, or it was returned
> + * to KFENCE.
>   */
>  static __always_inline
> -bool slab_free_hook(struct kmem_cache *s, void *x, bool init)
> +bool slab_free_hook(struct kmem_cache *s, void *x, bool init,
> +                   bool after_rcu_delay)
>  {
> +       /* Are the object contents still accessible? */
> +       bool still_accessible = (s->flags & SLAB_TYPESAFE_BY_RCU) && !after_rcu_delay;
> +
>         kmemleak_free_recursive(x, s->flags);
>         kmsan_slab_free(s, x);
>
>         debug_check_no_locks_freed(x, s->object_size);
>
>         if (!(s->flags & SLAB_DEBUG_OBJECTS))
>                 debug_check_no_obj_freed(x, s->object_size);
>
>         /* Use KCSAN to help debug racy use-after-free. */
> -       if (!(s->flags & SLAB_TYPESAFE_BY_RCU))
> +       if (!still_accessible)
>                 __kcsan_check_access(x, s->object_size,
>                                      KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);
>
>         if (kfence_free(x))
>                 return false;
>
>         /*
>          * Give KASAN a chance to notice an invalid free operation before we
>          * modify the object.
>          */
>         if (kasan_slab_pre_free(s, x))
>                 return false;
>
> +#ifdef CONFIG_SLUB_RCU_DEBUG
> +       if (still_accessible) {
> +               struct rcu_delayed_free *delayed_free;
> +
> +               delayed_free = kmalloc(sizeof(*delayed_free), GFP_NOWAIT);
> +               if (delayed_free) {
> +                       /*
> +                        * Let KASAN track our call stack as a "related work
> +                        * creation", just like if the object had been freed
> +                        * normally via kfree_rcu().
> +                        * We have to do this manually because the rcu_head is
> +                        * not located inside the object.
> +                        */
> +                       kasan_record_aux_stack_noalloc(x);
> +
> +                       delayed_free->object = x;
> +                       call_rcu(&delayed_free->head, slab_free_after_rcu_debug);
> +                       return false;
> +               }
> +       }
> +#endif /* CONFIG_SLUB_RCU_DEBUG */
> +
>         /*
>          * As memory initialization might be integrated into KASAN,
>          * kasan_slab_free and initialization memset's must be
>          * kept together to avoid discrepancies in behavior.
>          *
>          * The initialization memset's clear the object and the metadata,
> @@ -2253,42 +2289,42 @@ bool slab_free_hook(struct kmem_cache *s, void *x, bool init)
>                 memset(kasan_reset_tag(x), 0, s->object_size);
>                 rsize = (s->flags & SLAB_RED_ZONE) ? s->red_left_pad : 0;
>                 memset((char *)kasan_reset_tag(x) + inuse, 0,
>                        s->size - inuse - rsize);
>         }
>         /* KASAN might put x into memory quarantine, delaying its reuse. */
> -       return !kasan_slab_free(s, x, init);
> +       return !kasan_slab_free(s, x, init, still_accessible);
>  }
>
>  static __fastpath_inline
>  bool slab_free_freelist_hook(struct kmem_cache *s, void **head, void **tail,
>                              int *cnt)
>  {
>
>         void *object;
>         void *next = *head;
>         void *old_tail = *tail;
>         bool init;
>
>         if (is_kfence_address(next)) {
> -               slab_free_hook(s, next, false);
> +               slab_free_hook(s, next, false, false);
>                 return false;
>         }
>
>         /* Head and tail of the reconstructed freelist */
>         *head = NULL;
>         *tail = NULL;
>
>         init = slab_want_init_on_free(s);
>
>         do {
>                 object = next;
>                 next = get_freepointer(s, object);
>
>                 /* If object's reuse doesn't have to be delayed */
> -               if (likely(slab_free_hook(s, object, init))) {
> +               if (likely(slab_free_hook(s, object, init, false))) {
>                         /* Move object to the new freelist */
>                         set_freepointer(s, object, *head);
>                         *head = object;
>                         if (!*tail)
>                                 *tail = object;
>                 } else {
> @@ -4474,40 +4510,67 @@ static __fastpath_inline
>  void slab_free(struct kmem_cache *s, struct slab *slab, void *object,
>                unsigned long addr)
>  {
>         memcg_slab_free_hook(s, slab, &object, 1);
>         alloc_tagging_slab_free_hook(s, slab, &object, 1);
>
> -       if (likely(slab_free_hook(s, object, slab_want_init_on_free(s))))
> +       if (likely(slab_free_hook(s, object, slab_want_init_on_free(s), false)))
>                 do_slab_free(s, slab, object, object, 1, addr);
>  }
>
>  #ifdef CONFIG_MEMCG
>  /* Do not inline the rare memcg charging failed path into the allocation path */
>  static noinline
>  void memcg_alloc_abort_single(struct kmem_cache *s, void *object)
>  {
> -       if (likely(slab_free_hook(s, object, slab_want_init_on_free(s))))
> +       if (likely(slab_free_hook(s, object, slab_want_init_on_free(s), false)))
>                 do_slab_free(s, virt_to_slab(object), object, object, 1, _RET_IP_);
>  }
>  #endif
>
>  static __fastpath_inline
>  void slab_free_bulk(struct kmem_cache *s, struct slab *slab, void *head,
>                     void *tail, void **p, int cnt, unsigned long addr)
>  {
>         memcg_slab_free_hook(s, slab, p, cnt);
>         alloc_tagging_slab_free_hook(s, slab, p, cnt);
>         /*
>          * With KASAN enabled slab_free_freelist_hook modifies the freelist
>          * to remove objects, whose reuse must be delayed.
>          */
>         if (likely(slab_free_freelist_hook(s, &head, &tail, &cnt)))
>                 do_slab_free(s, slab, head, tail, cnt, addr);
>  }
>
> +#ifdef CONFIG_SLUB_RCU_DEBUG
> +static void slab_free_after_rcu_debug(struct rcu_head *rcu_head)
> +{
> +       struct rcu_delayed_free *delayed_free =
> +               container_of(rcu_head, struct rcu_delayed_free, head);
> +       void *object = delayed_free->object;
> +       struct slab *slab = virt_to_slab(object);
> +       struct kmem_cache *s;
> +
> +       if (WARN_ON(is_kfence_address(object)))
> +               return;
> +
> +       /* find the object and the cache again */
> +       if (WARN_ON(!slab))
> +               return;
> +       s = slab->slab_cache;
> +       if (WARN_ON(!(s->flags & SLAB_TYPESAFE_BY_RCU)))
> +               return;
> +
> +       /* resume freeing */
> +       if (!slab_free_hook(s, object, slab_want_init_on_free(s), true))
> +               return;
> +       do_slab_free(s, slab, object, object, 1, _THIS_IP_);
> +       kfree(delayed_free);
> +}
> +#endif /* CONFIG_SLUB_RCU_DEBUG */
> +
>  #ifdef CONFIG_KASAN_GENERIC
>  void ___cache_free(struct kmem_cache *cache, void *x, unsigned long addr)
>  {
>         do_slab_free(cache, virt_to_slab(x), x, x, 1, addr);
>  }
>  #endif
>
> --
> 2.46.0.rc2.264.g509ed76dc8-goog
>

Otherwise:

Reviewed-by: Andrey Konovalov

Let's see if syzbot finds something new with this change :)

Thank you!
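
P.S. For anyone wondering what the "very specific bug pattern" in the
Kconfig help refers to: SLAB_TYPESAFE_BY_RCU only guarantees that a slab
slot stays type-stable for the grace period, so a lock-free lookup has to
revalidate the object's identity after pinning it. A minimal sketch of
that pattern (the struct, cache, and helper names below are invented for
illustration and are not part of the patch):

#include <linux/rcupdate.h>
#include <linux/refcount.h>
#include <linux/slab.h>

/* Hypothetical object kept in a cache created with SLAB_TYPESAFE_BY_RCU. */
struct conn {
        unsigned long key;
        refcount_t refcnt;
};

static struct kmem_cache *conn_cachep;

static void conn_put(struct conn *c)
{
        if (refcount_dec_and_test(&c->refcnt))
                kmem_cache_free(conn_cachep, c);
}

/*
 * @c was found in an RCU-protected structure; the caller holds
 * rcu_read_lock().
 */
static struct conn *conn_get(struct conn *c, unsigned long key)
{
        /*
         * Touching *c is legal even if it was concurrently freed: the
         * slab slot cannot return to the page allocator within the
         * grace period. (This is exactly why KASAN normally cannot
         * poison these objects, and why SLUB_RCU_DEBUG adds the delay.)
         */
        if (!refcount_inc_not_zero(&c->refcnt))
                return NULL;
        if (c->key != key) {
                /*
                 * The object was freed and recycled for a different key
                 * in the meantime; omitting this re-check after taking
                 * the reference is the "insufficient checks" bug that
                 * enabling SLUB_RCU_DEBUG would keep from triggering.
                 */
                conn_put(c);
                return NULL;
        }
        return c;
}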