* [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN
From: Walter Wu @ 2020-08-25 1:56 UTC
To: Marco Elver, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, John Stultz, Stephen Boyd, Andrew Morton, Tejun Heo, Lai Jiangshan
Cc: kasan-dev, linux-mm, linux-kernel, linux-arm-kernel, wsd_upstream, linux-mediatek, Walter Wu

Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
In some of these, the access/allocation happened in process_one_work(),
and we see the free stack is useless in the KASAN report; it doesn't help
programmers solve UAF on workqueues. The same may stand for timers.

This patchset improves KASAN reports by making them include workqueue
queueing stack and timer stack information. It is useful for programmers
to solve use-after-free or double-free memory issues.

Generic KASAN also records the last two workqueue and timer stacks and
prints them in the KASAN report. It is only suitable for generic KASAN.

[1] https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
[2] https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
[3] https://bugzilla.kernel.org/show_bug.cgi?id=198437

Walter Wu (6):
  timer: kasan: record timer stack
  workqueue: kasan: record workqueue stack
  kasan: print timer and workqueue stack
  lib/test_kasan.c: add timer test case
  lib/test_kasan.c: add workqueue test case
  kasan: update documentation for generic kasan

---

Changes since v2:
- modify kasan document to be more readable.
  Thanks for Marco's suggestion.

Changes since v1:
- Thanks for Marco's and Thomas's suggestions.
- Remove unnecessary code and fix commit log
- reuse kasan_record_aux_stack() and aux_stack
  to record timer and workqueue stack.
- change the aux stack title to a common name.

---
 Documentation/dev-tools/kasan.rst |  4 ++--
 kernel/time/timer.c               |  3 +++
 kernel/workqueue.c                |  3 +++
 lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 mm/kasan/report.c                 |  4 ++--
 5 files changed, 64 insertions(+), 4 deletions(-)
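As an added userspace model (not the patchset's or the kernel's code), the following C shows the "last two aux stacks" bookkeeping the cover letter describes: work is queued from several sites and then freed inside the worker, so a later access reports the free stack (only the worker) together with the two most recent queueing sites. The names work_obj, record_aux_stack, queue_work and check_access are assumptions, and a caller's return address stands in for the kernel's captured stack.

```c
#include <stdint.h>
#include <string.h>

/* Modelled on the per-object metadata generic KASAN keeps for a slab object;
 * a caller's return address stands in for the kernel's stack-depot handle. */
#define NR_AUX 2
struct alloc_meta {
	uintptr_t free_stack;
	uintptr_t aux_stack[NR_AUX];	/* [0] newest, [1] second newest */
};

/* A freed object is only marked, not released (as in KASAN's quarantine). */
struct work_obj {
	struct alloc_meta meta;
	int freed;
};

struct uaf_report {
	int is_uaf;
	uintptr_t free_stack;
	uintptr_t aux_stack[NR_AUX];
};

/* Keep only the last two aux stacks: shift the older ones down and store the
 * newest in slot 0, the policy the cover letter describes. */
static void record_aux_stack(struct work_obj *obj, uintptr_t stack)
{
	for (int i = NR_AUX - 1; i > 0; i--)
		obj->meta.aux_stack[i] = obj->meta.aux_stack[i - 1];
	obj->meta.aux_stack[0] = stack;
}

/* The hook the patchset adds on the queueing path: remember who queued the
 * work. Returns the recorded site so a caller can compare it later. */
__attribute__((noinline)) uintptr_t queue_work(struct work_obj *obj)
{
	uintptr_t site = (uintptr_t)__builtin_return_address(0);
	record_aux_stack(obj, site);
	return site;
}

/* The worker frees the object; the free stack shows only the worker path,
 * not who queued the work (the "useless" stack from the cover letter). */
__attribute__((noinline)) void process_one_work(struct work_obj *obj)
{
	obj->meta.free_stack = (uintptr_t)__builtin_return_address(0);
	obj->freed = 1;
}

/* Access check: a freed object yields the free stack plus both aux stacks. */
struct uaf_report check_access(const struct work_obj *obj)
{
	struct uaf_report r = {0};
	if (!obj->freed)
		return r;
	r.is_uaf = 1;
	r.free_stack = obj->meta.free_stack;
	memcpy(r.aux_stack, obj->meta.aux_stack, sizeof(r.aux_stack));
	return r;
}
```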
* Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN
From: Marco Elver @ 2020-08-25 8:26 UTC
To: Walter Wu
Cc: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, John Stultz, Stephen Boyd, Andrew Morton, Tejun Heo, Lai Jiangshan, kasan-dev, Linux Memory Management List, LKML, Linux ARM, wsd_upstream, linux-mediatek

On Tue, 25 Aug 2020 at 03:57, Walter Wu <walter-zh.wu@mediatek.com> wrote:
> Walter Wu (6):
>   timer: kasan: record timer stack
>   workqueue: kasan: record workqueue stack
>   kasan: print timer and workqueue stack
>   lib/test_kasan.c: add timer test case
>   lib/test_kasan.c: add workqueue test case
>   kasan: update documentation for generic kasan

Acked-by: Marco Elver <elver@google.com>
* Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN
From: Andrey Konovalov @ 2020-08-26 12:30 UTC
To: Marco Elver
Cc: Walter Wu, Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, John Stultz, Stephen Boyd, Andrew Morton, Tejun Heo, Lai Jiangshan, kasan-dev, Linux Memory Management List, LKML, Linux ARM, wsd_upstream, linux-mediatek

On Tue, Aug 25, 2020 at 10:26 AM 'Marco Elver' via kasan-dev <kasan-dev@googlegroups.com> wrote:
> On Tue, 25 Aug 2020 at 03:57, Walter Wu <walter-zh.wu@mediatek.com> wrote:
> > Walter Wu (6):
> >   timer: kasan: record timer stack
> >   workqueue: kasan: record workqueue stack
> >   kasan: print timer and workqueue stack
> >   lib/test_kasan.c: add timer test case
> >   lib/test_kasan.c: add workqueue test case
> >   kasan: update documentation for generic kasan
>
> Acked-by: Marco Elver <elver@google.com>

Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
* Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN
From: Dmitry Vyukov @ 2020-09-13 10:17 UTC
To: Andrey Konovalov
Cc: Marco Elver, Walter Wu, Andrey Ryabinin, Alexander Potapenko, Matthias Brugger, John Stultz, Stephen Boyd, Andrew Morton, Tejun Heo, Lai Jiangshan, kasan-dev, Linux Memory Management List, LKML, Linux ARM, wsd_upstream, linux-mediatek

On Wed, Aug 26, 2020 at 2:30 PM 'Andrey Konovalov' via kasan-dev <kasan-dev@googlegroups.com> wrote:
> On Tue, Aug 25, 2020 at 10:26 AM 'Marco Elver' via kasan-dev <kasan-dev@googlegroups.com> wrote:
> > On Tue, 25 Aug 2020 at 03:57, Walter Wu <walter-zh.wu@mediatek.com> wrote:
> > > Walter Wu (6):
> > >   timer: kasan: record timer stack
> > >   workqueue: kasan: record workqueue stack
> > >   kasan: print timer and workqueue stack
> > >   lib/test_kasan.c: add timer test case
> > >   lib/test_kasan.c: add workqueue test case
> > >   kasan: update documentation for generic kasan
> >
> > Acked-by: Marco Elver <elver@google.com>
>
> Reviewed-by: Andrey Konovalov <andreyknvl@google.com>

Reviewed-by: Dmitry Vyukov <dvyukov@google.com>

Thanks! The UAF reports with RCU stacks that I see now are just 🔥🔥🔥
* Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN
From: Andrey Konovalov @ 2020-09-14 12:25 UTC
To: Dmitry Vyukov
Cc: Marco Elver, Walter Wu, Andrey Ryabinin, Alexander Potapenko, Matthias Brugger, John Stultz, Stephen Boyd, Andrew Morton, Tejun Heo, Lai Jiangshan, kasan-dev, Linux Memory Management List, LKML, Linux ARM, wsd_upstream, linux-mediatek

On Sun, Sep 13, 2020 at 12:17 PM Dmitry Vyukov <dvyukov@google.com> wrote:
> Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
>
> Thanks! The UAF reports with RCU stacks that I see now are just 🔥🔥🔥

Hi Walter,

This patchset needs to be rebased onto the KASAN-KUNIT patches, which just recently went into the mm tree.

Thanks!
* Re: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN
From: Walter Wu @ 2020-09-15 16:06 UTC
To: Andrey Konovalov, Dmitry Vyukov
Cc: Marco Elver, Andrey Ryabinin, Alexander Potapenko, Matthias Brugger, John Stultz, Stephen Boyd, Andrew Morton, Tejun Heo, Lai Jiangshan, kasan-dev, Linux Memory Management List, LKML, Linux ARM, wsd_upstream, linux-mediatek

On Mon, 2020-09-14 at 14:25 +0200, Andrey Konovalov wrote:
> Hi Walter,
>
> This patchset needs to be rebased onto the KASAN-KUNIT patches, which
> just recently went into the mm tree.
>
> Thanks!

Hi Dmitry, Andrey,

Got it. Thanks for your review and reminder.

Walter