From: Jann Horn
Date: Fri, 2 Aug 2024 23:35:14 +0200
Subject: Re: [PATCH v6 2/2] slub: Introduce CONFIG_SLUB_RCU_DEBUG
To: Andrey Konovalov
Cc: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Vlastimil Babka, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Marco Elver, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzbot+263726e59eab6b442723@syzkaller.appspotmail.com

On Fri, Aug 2, 2024 at 10:54 PM Andrey Konovalov wrote:
> On Fri, Aug 2, 2024 at 10:32 PM Jann Horn wrote:
> >
> > Currently, KASAN is unable to catch use-after-free in SLAB_TYPESAFE_BY_RCU
> > slabs because use-after-free is allowed within the RCU grace period by
> > design.
> >
> > Add a SLUB debugging feature which RCU-delays every individual
> > kmem_cache_free() before either actually freeing the object or handing it
> > off to KASAN, and change KASAN to poison freed objects as normal when this
> > option is enabled.
[...]
> > diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
[...]
> > +static void kmem_cache_rcu_uaf(struct kunit *test)
> > +{
> > +	char *p;
> > +	size_t size = 200;
> > +	struct kmem_cache *cache;
> > +
> > +	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB_RCU_DEBUG);
>
> Ah, noticed another thing: this test might fail if someone enables
> CONFIG_SLUB_RCU_DEBUG with HW_TAGS, right? I think we need another
> check here.

Why? I realize that HW_TAGS can't detect UAF in a TYPESAFE_BY_RCU slab
after an object has been reused, but here we do no other allocations,
so the object should still be free. And the kmalloc_uaf test also
doesn't check for HW_TAGS.

The one thing I know of that could make this test spuriously fail would
be an allocation failure in the SLUB code for delayed freeing (but that'd
only happen under memory pressure, which I think normally doesn't exist
when kunit tests run).
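Review bot: the only guard in the quoted hunk is KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB_RCU_DEBUG), and the question raised right after it (whether HW_TAGS needs its own check) is answered only in the reply, not in the code; a one-line comment above that guard stating the reply's argument, that the test performs no further allocations so the freed object cannot be reused before the use-after-free access and the check therefore holds in every KASAN mode, would record the reasoning in the test itself. Since the rest of the function body is elided in the quote, that "no other allocations" assumption cannot be confirmed from the visible lines, which is one more reason to state it in a comment.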