From: Jann Horn
Date: Fri, 26 Jul 2024 16:12:17 +0200
Subject: Re: [PATCH v3 2/2] slub: Introduce CONFIG_SLUB_RCU_DEBUG
To: Andrey Konovalov
Cc: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Vincenzo Frascino,
 Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim,
 Vlastimil Babka, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>,
 Marco Elver, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
 linux-mm@kvack.org

On Fri, Jul 26, 2024 at 2:44 AM Andrey Konovalov wrote:
> On Thu, Jul 25, 2024 at 5:32 PM Jann Horn wrote:
> >
> > Currently, KASAN is unable to catch use-after-free in SLAB_TYPESAFE_BY_RCU
> > slabs because use-after-free is allowed within the RCU grace period by
> > design.
> >
> > Add a SLUB debugging feature which RCU-delays every individual
> > kmem_cache_free() before either actually freeing the object or handing it
> > off to KASAN, and change KASAN to poison freed objects as normal when this
> > option is enabled.

[...]

> > diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
> > index afc72fde0f03..0c088532f5a7 100644
> > --- a/mm/Kconfig.debug
> > +++ b/mm/Kconfig.debug
> > @@ -70,6 +70,35 @@ config SLUB_DEBUG_ON
> >  	  off in a kernel built with CONFIG_SLUB_DEBUG_ON by specifying
> >  	  "slab_debug=-".
> >
> > +config SLUB_RCU_DEBUG
> > +	bool "Make use-after-free detection possible in TYPESAFE_BY_RCU caches"
>
> Perhaps it makes sense to point out that it is related to KASAN's
> use-after-free detection in the option description.

Hmm, yeah, maybe I'll change it to "Enable UAF detection in
TYPESAFE_BY_RCU caches (for KASAN)" and then we can change that in the
future if the feature becomes usable with other SLUB stuff.

> > +	depends on SLUB_DEBUG
>
> Do we need depends on KASAN?

My original thinking was: The feature is supposed to work basically
independently of KASAN. It doesn't currently do anything useful without
KASAN, but if we do something about constructor slabs in the future, this
should make it possible to let SLUB poison freed objects. (Though that
might also require going back to deterministically RCU-delaying the
freeing of objects in the future...)

But yeah, I guess for now the config option is useless without KASAN, so
it's reasonable to make it depend on KASAN for now. I'll change it that
way.

> > +	default KASAN_GENERIC || KASAN_SW_TAGS
> > +	help
> > +	  Make SLAB_TYPESAFE_BY_RCU caches behave approximately as if the cache
> > +	  was not marked as SLAB_TYPESAFE_BY_RCU and every caller used
> > +	  kfree_rcu() instead.
> > +
> > +	  This is intended for use in combination with KASAN, to enable KASAN to
> > +	  detect use-after-free accesses in such caches.
> > +	  (KFENCE is able to do that independent of this flag.)
> > +
> > +	  This might degrade performance.
> > +	  Unfortunately this also prevents a very specific bug pattern from
> > +	  triggering (insufficient checks against an object being recycled
> > +	  within the RCU grace period); so this option can be turned off even on
> > +	  KASAN builds, in case you want to test for such a bug.
> > +
> > +	  If you're using this for testing bugs / fuzzing and care about
> > +	  catching all the bugs WAY more than performance, you might want to
> > +	  also turn on CONFIG_RCU_STRICT_GRACE_PERIOD.
> > +
> > +	  WARNING:
> > +	  This is designed as a debugging feature, not a security feature.
> > +	  Objects are sometimes recycled without RCU delay under memory pressure.
> > +
> > +	  If unsure, say N.
> > +
> >  config PAGE_OWNER
> >  	bool "Track page owner"
> >  	depends on DEBUG_KERNEL && STACKTRACE_SUPPORT
> > diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> > index 7c7fc6ce7eb7..d92cb2e9189d 100644
> > --- a/mm/kasan/common.c
> > +++ b/mm/kasan/common.c
> > @@ -238,7 +238,8 @@ static enum free_validation_result check_slab_free(struct kmem_cache *cache,
> >  }
> >
> >  static inline bool poison_slab_object(struct kmem_cache *cache, void *object,
> > -				      unsigned long ip, bool init)
> > +				      unsigned long ip, bool init,
> > +				      bool after_rcu_delay)
> >  {
> >  	void *tagged_object = object;
> >  	enum free_validation_result valid = check_slab_free(cache, object, ip);
> > @@ -251,7 +252,8 @@ static inline bool poison_slab_object(struct kmem_cache *cache, void *object,
> >  	object = kasan_reset_tag(object);
> >
> >  	/* RCU slabs could be legally used after free within the RCU period. */
> > -	if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU))
> > +	if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU) &&
> > +	    !after_rcu_delay)
>
> This can be kept on the same line.

ack, I'll change that

[...]

> > +	/* Free the object - this will internally schedule an RCU callback. */
> > +	kmem_cache_free(cache, p);
> > +
> > +	/* We should still be allowed to access the object at this point because
>
> Empty line after /* here and below.

ack, I'll change that
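Review bot: `depends on SLUB_DEBUG` in the SLUB_RCU_DEBUG entry lets the option be enabled on a build without KASAN, where the help text itself says it does nothing useful; since the reply in this thread already agrees to add the dependency, make it `depends on SLUB_DEBUG && KASAN` so the dependency and the `default KASAN_GENERIC || KASAN_SW_TAGS` line agree with each other. That default also leaves out KASAN_HW_TAGS while the help text says "in combination with KASAN" without qualification; if hardware tag mode is intentionally excluded, the help text should say which KASAN modes the option is meant for. Finally, the "Make use-after-free detection possible in TYPESAFE_BY_RCU caches" title would be clearer with the KASAN connection in it, e.g. "Enable UAF detection in TYPESAFE_BY_RCU caches (for KASAN)".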
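Review bot: the new `bool after_rcu_delay` parameter of poison_slab_object() is undocumented; add a comment (or a kernel-doc line) at the definition stating that it may only be true when the caller has already waited out a full RCU grace period for this object, because that is the condition under which skipping the SLAB_TYPESAFE_BY_RCU exemption is safe. The callers are not in this excerpt, so the full patch should be checked for any path that passes `true` without having gone through the delayed free; such a path would turn a legitimate in-grace-period access into a false use-after-free report.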
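Review bot: the `/* RCU slabs could be legally used after free within the RCU period. */` comment is stale next to the new `!after_rcu_delay` test: it should also say that once the RCU delay has elapsed the object is poisoned like any other, e.g. `/* RCU slabs could be legally used after free within the RCU period, unless this free has already been RCU-delayed (SLUB_RCU_DEBUG). */`. The condition itself, `if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU) && !after_rcu_delay)`, fits on one line, as noted in the thread.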
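Review bot: the `/* We should still be allowed to access the object at this point because` claim is only true inside an RCU read-side critical section entered before kmem_cache_free(); the fragment starts after "[...]", so confirm that the free and the access that follows it sit between rcu_read_lock() and rcu_read_unlock(), otherwise the test is itself the kind of use-after-free it is meant to detect. Both comments in the fragment also need the kernel multi-line style with `/*` alone on its first line, as already pointed out, and since the help text warns that objects are sometimes recycled without RCU delay under memory pressure, the test should only rely on the object being accessible after the free, not on its contents being unchanged.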
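The "very specific bug pattern" the help text says this option masks (insufficient checks against an object being recycled within the RCU grace period) is easiest to see in code. The following is an added example, not code from the patch, the kernel or anyone in this thread: a single-threaded userspace model in which `cache_alloc()`, `cache_free()`, `grace_period()`, `pin()`, `race()`, `reused_after_grace_period()` and the `struct session` pool are all invented for the demonstration, with the `rcu_delayed_free` flag standing in for CONFIG_SLUB_RCU_DEBUG.

```c
/*
 * Added example, not code from the patch or the kernel: a single-threaded
 * userspace model of a SLAB_TYPESAFE_BY_RCU cache, showing the bug pattern the
 * Kconfig help text names (a reader that does not re-validate an object freed
 * and recycled inside the grace period) and why the delayed free of
 * CONFIG_SLUB_RCU_DEBUG keeps it from triggering. All names here are made up.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

struct session {
	unsigned int key;	/* owner this object currently belongs to */
	int refcount;		/* 0: free, may be handed out again */
};

static struct session pool[POOL_SIZE];	/* the "slab": memory stays typed */
static bool rcu_delayed_free;		/* true: model CONFIG_SLUB_RCU_DEBUG */
static bool pending_free[POOL_SIZE];	/* freed, waiting for a grace period */

static struct session *cache_alloc(unsigned int key)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		if (pool[i].refcount == 0 && !pending_free[i]) {
			pool[i].key = key;
			pool[i].refcount = 1;
			return &pool[i];
		}
	}
	return NULL;
}

static void cache_free(struct session *s)
{
	s->refcount = 0;	/* key deliberately left in place, as in a real slab */
	if (rcu_delayed_free)
		pending_free[s - pool] = true;	/* reusable only after grace_period() */
}

static void grace_period(void)	/* stand-in for synchronize_rcu() */
{
	memset(pending_free, 0, sizeof(pending_free));
}

/* Reader: pin an object found earlier under rcu_read_lock(). It may have been
 * freed and reallocated for another key since, so "recheck" re-validates it. */
static struct session *pin(struct session *s, unsigned int key, bool recheck)
{
	if (s->refcount == 0)	/* refcount_inc_not_zero() fails on a freed object */
		return NULL;
	s->refcount++;
	if (recheck && s->key != key) {
		s->refcount--;	/* drop the reference again */
		return NULL;
	}
	return s;
}

/* Reader and writer interleaved by hand; returns the key of the object the
 * reader ends up holding, or 0 if it correctly gave up. */
static unsigned int race(bool recheck, bool debug_option)
{
	struct session *found, *got;
	memset(pool, 0, sizeof(pool));
	memset(pending_free, 0, sizeof(pending_free));
	rcu_delayed_free = debug_option;
	found = cache_alloc(100);	/* reader: looked this up under rcu_read_lock() */
	cache_free(found);		/* writer: frees it ... */
	if (!cache_alloc(200))		/* ... and the memory is handed to key 200 */
		return 0;
	got = pin(found, 100, recheck);	/* reader: now takes its reference */
	return got ? got->key : 0;
}

/* With the debug option a freed slot comes back only after a grace period. */
static bool reused_after_grace_period(void)
{
	struct session *a;
	memset(pool, 0, sizeof(pool));
	memset(pending_free, 0, sizeof(pending_free));
	rcu_delayed_free = true;
	a = cache_alloc(1);
	cache_free(a);
	if (cache_alloc(2) == a)	/* must not be recycled yet */
		return false;
	grace_period();
	return cache_alloc(3) == a;
}

int main(void)
{
	printf("buggy reader, immediate reuse:  holds key %u\n", race(false, false));
	printf("fixed reader, immediate reuse:  holds key %u\n", race(true, false));
	printf("buggy reader, RCU-delayed free: holds key %u\n", race(false, true));
	printf("slot reused after grace period: %d\n", reused_after_grace_period());
	return 0;
}
```

`race(false, false)` returns 200: the reader took a reference on the recycled object and now holds somebody else's session, which is the bug. `race(true, false)` returns 0 because the fixed reader re-checks the key after the reference is taken, the usual pattern after a successful refcount_inc_not_zero() on a TYPESAFE_BY_RCU object. `race(false, true)` also returns 0, but for a different reason: with the delayed free the slot was never recycled, so the buggy reader just fails its refcount check and the missing re-check is never exercised, which is exactly why the help text says the option can be turned off to hunt for this class of bug. `reused_after_grace_period()` returns true, showing that the delayed slot does come back once the grace period has passed, matching the kfree_rcu() behaviour the help text compares the option to.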