From: Jann Horn <jannh@google.com>
To: Marco Elver <elver@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Vlastimil Babka <vbabka@suse.cz>,
Roman Gushchin <roman.gushchin@linux.dev>,
Hyeonggon Yoo <42.hyeyoo@gmail.com>,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org,
syzbot+263726e59eab6b442723@syzkaller.appspotmail.com
Subject: Re: [PATCH v6 2/2] slub: Introduce CONFIG_SLUB_RCU_DEBUG
Date: Mon, 5 Aug 2024 13:08:50 +0200 [thread overview]
Message-ID: <CAG48ez2Jsc2V1NfN1YOnx0e3-3BaVSdac7p_y9gnYL=9VW6cOw@mail.gmail.com> (raw)
In-Reply-To: <CANpmjNNadRtLijEZLgE3HpyCGW=gkhunsFZ9FmwFZrpyWGUrnA@mail.gmail.com>
On Mon, Aug 5, 2024 at 11:02 AM Marco Elver <elver@google.com> wrote:
> On Fri, 2 Aug 2024 at 22:32, Jann Horn <jannh@google.com> wrote:
> >
> > Currently, KASAN is unable to catch use-after-free in SLAB_TYPESAFE_BY_RCU
> > slabs because use-after-free is allowed within the RCU grace period by
> > design.
> >
> > Add a SLUB debugging feature which RCU-delays every individual
> > kmem_cache_free() before either actually freeing the object or handing it
> > off to KASAN, and change KASAN to poison freed objects as normal when this
> > option is enabled.
> >
> > For now I've configured Kconfig.debug to default-enable this feature in the
> > KASAN GENERIC and SW_TAGS modes; I'm not enabling it by default in HW_TAGS
> > mode because I'm not sure if it might have unwanted performance degradation
> > effects there.
> >
> > Note that this is mostly useful with KASAN in the quarantine-based GENERIC
> > mode; SLAB_TYPESAFE_BY_RCU slabs are basically always also slabs with a
> > ->ctor, and KASAN's assign_tag() currently has to assign fixed tags for
> > those, reducing the effectiveness of SW_TAGS/HW_TAGS mode.
> > (A possible future extension of this work would be to also let SLUB call
> > the ->ctor() on every allocation instead of only when the slab page is
> > allocated; then tag-based modes would be able to assign new tags on every
> > reallocation.)
> >
> > Tested-by: syzbot+263726e59eab6b442723@syzkaller.appspotmail.com
> > Signed-off-by: Jann Horn <jannh@google.com>
>
> Acked-by: Marco Elver <elver@google.com>
Thanks!
> Looks good - let's see what the fuzzers will find with it. :-)
>
> Feel free to ignore the below comments if there isn't a v+1.
[...]
> > +config SLUB_RCU_DEBUG
> > + bool "Enable UAF detection in TYPESAFE_BY_RCU caches (for KASAN)"
> > + depends on SLUB_DEBUG
> > + depends on KASAN # not a real dependency; currently useless without KASAN
>
> This comment is odd. If it's useless without KASAN then it definitely
> depends on KASAN. I suppose the code compiles without KASAN, but I
> think that's secondary.
In my mind, SLUB_RCU_DEBUG is a mechanism on top of which you could
build several things - and currently only the KASAN integration is
built on top of it, but more stuff could be added in the future, like
some SLUB poisoning. So it's currently not useful unless you also
enable KASAN, but SLUB_RCU_DEBUG doesn't really depend on KASAN - it's
the other way around, KASAN has an optional dependency on
SLUB_RCU_DEBUG.
[...]
> > +#ifdef CONFIG_SLUB_RCU_DEBUG
> > +static void slab_free_after_rcu_debug(struct rcu_head *rcu_head)
> > +{
> > + struct rcu_delayed_free *delayed_free =
> > + container_of(rcu_head, struct rcu_delayed_free, head);
>
> Minor: Some of these line breaks are unnecessary (kernel allows 100+
> cols) - but up to you if you want to change it.
https://www.kernel.org/doc/html/latest/process/coding-style.html#breaking-long-lines-and-strings
says 80 columns is still preferred unless that makes the code less
readable, that's why I'm still usually breaking at 80 columns.
prev parent reply other threads:[~2024-08-05 11:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 20:31 [PATCH v6 0/2] allow KASAN to detect UAF in SLAB_TYPESAFE_BY_RCU slabs Jann Horn
2024-08-02 20:31 ` [PATCH v6 1/2] kasan: catch invalid free before SLUB reinitializes the object Jann Horn
2024-08-02 20:31 ` [PATCH v6 2/2] slub: Introduce CONFIG_SLUB_RCU_DEBUG Jann Horn
2024-08-02 20:54 ` Andrey Konovalov
2024-08-02 21:35 ` Jann Horn
2024-08-02 22:40 ` Andrey Konovalov
2024-08-05 9:01 ` Marco Elver
2024-08-05 11:08 ` Jann Horn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAG48ez2Jsc2V1NfN1YOnx0e3-3BaVSdac7p_y9gnYL=9VW6cOw@mail.gmail.com' \
--to=jannh@google.com \
--cc=42.hyeyoo@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=cl@linux.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=ryabinin.a.a@gmail.com \
--cc=syzbot+263726e59eab6b442723@syzkaller.appspotmail.com \
--cc=vbabka@suse.cz \
--cc=vincenzo.frascino@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox