From: Marco Elver
Date: Tue, 19 Dec 2023 22:21:25 +0100
Subject: Re: [PATCH v3 mm 2/4] kasan: handle concurrent kasan_record_aux_stack calls
To: andrey.konovalov@linux.dev
Cc: Andrew Morton, Andrey Konovalov, Alexander Potapenko, Dmitry Vyukov, Vlastimil Babka, kasan-dev@googlegroups.com, Evgenii Stepanov, Tetsuo Handa, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov, syzbot+186b55175d8360728234@syzkaller.appspotmail.com

On Tue, 19 Dec 2023 at 22:19, wrote:
> > From: Andrey Konovalov > > kasan_record_aux_stack can be called concurrently on the same object. > This might lead to a race condition when rotating the saved aux stack > trace handles, which in turns leads to incorrect accounting of stack > depot handles and refcount underflows in the stack depot code. > > Fix by introducing a raw spinlock to protect the aux stack trace handles > in kasan_record_aux_stack. > > Reported-by: Tetsuo Handa > Reported-by: syzbot+186b55175d8360728234@syzkaller.appspotmail.com > Closes: https://lore.kernel.org/all/000000000000784b1c060b0074a2@google.com/ > Fixes: 773688a6cb24 ("kasan: use stack_depot_put for Generic mode") > Signed-off-by: Andrey Konovalov Reviewed-by: Marco Elver > --- > > Changes v2->v3: > - Use raw spinlock to avoid lockdep complaints on RT kernels. > > Changes v1->v2: > - Use per-object spinlock instead of a global one. > --- > mm/kasan/generic.c | 32 +++++++++++++++++++++++++++++--- > mm/kasan/kasan.h | 8 ++++++++ > 2 files changed, 37 insertions(+), 3 deletions(-) > > diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c > index 54e20b2bc3e1..55e6b5db2cae 100644 > --- a/mm/kasan/generic.c > +++ b/mm/kasan/generic.c > @@ -25,6 +25,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -471,8 +472,18 @@ void kasan_init_object_meta(struct kmem_cache *cache, const void *object) > struct kasan_free_meta *free_meta; > > alloc_meta = kasan_get_alloc_meta(cache, object); > - if (alloc_meta) > + if (alloc_meta) { > __memset(alloc_meta, 0, sizeof(*alloc_meta)); > + > + /* > + * Temporarily disable KASAN bug reporting to allow instrumented > + * raw_spin_lock_init to access aux_lock, which resides inside > + * of a redzone. > + */ > + kasan_disable_current(); > + raw_spin_lock_init(&alloc_meta->aux_lock); > + kasan_enable_current(); > + } > free_meta = kasan_get_free_meta(cache, object); > if (free_meta) > __memset(free_meta, 0, sizeof(*free_meta)); 
> @@ -502,6 +513,8 @@ static void __kasan_record_aux_stack(void *addr, depot_flags_t depot_flags) > struct kmem_cache *cache; > struct kasan_alloc_meta *alloc_meta; > void *object; > + depot_stack_handle_t new_handle, old_handle; > + unsigned long flags; > > if (is_kfence_address(addr) || !slab) > return; > @@ -512,9 +525,22 @@ static void __kasan_record_aux_stack(void *addr, depot_flags_t depot_flags) > if (!alloc_meta) > return; > > - stack_depot_put(alloc_meta->aux_stack[1]); > + new_handle = kasan_save_stack(0, depot_flags); > + > + /* > + * Temporarily disable KASAN bug reporting to allow instrumented > + * spinlock functions to access aux_lock, which resides inside of a > + * redzone. > + */ > + kasan_disable_current(); > + raw_spin_lock_irqsave(&alloc_meta->aux_lock, flags); > + old_handle = alloc_meta->aux_stack[1]; > alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0]; > - alloc_meta->aux_stack[0] = kasan_save_stack(0, depot_flags); > + alloc_meta->aux_stack[0] = new_handle; > + raw_spin_unlock_irqrestore(&alloc_meta->aux_lock, flags); > + kasan_enable_current(); > + > + stack_depot_put(old_handle); > } > > void kasan_record_aux_stack(void *addr) > diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h > index 5e298e3ac909..69e4f5e58e33 100644 > --- a/mm/kasan/kasan.h > +++ b/mm/kasan/kasan.h > @@ -6,6 +6,7 @@ > #include > #include > #include > +#include > #include > > #if defined(CONFIG_KASAN_SW_TAGS) || defined(CONFIG_KASAN_HW_TAGS) > @@ -249,6 +250,13 @@ struct kasan_global { > struct kasan_alloc_meta { > struct kasan_track alloc_track; > /* Free track is stored in kasan_free_meta. */ > + /* > + * aux_lock protects aux_stack from accesses from concurrent > + * kasan_record_aux_stack calls. It is a raw spinlock to avoid sleeping > + * on RT kernels, as kasan_record_aux_stack_noalloc can be called from > + * non-sleepable contexts. > + */ > + raw_spinlock_t aux_lock; > depot_stack_handle_t aux_stack[2]; > }; > > -- > 2.25.1 >
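Review bot: in the kasan_init_object_meta() hunk, the kasan_disable_current()/kasan_enable_current() pair disables KASAN bug reporting for everything executed in that window, not only for the raw_spin_lock_init() access to aux_lock, so a genuine bad access by any instrumented code in between would go unreported. The window is a single lock initialisation, which is fine, but the comment could say so explicitly (e.g. "/* Reporting is off for the whole window below; keep it to the lock init only. */") so that later changes do not widen it. The preceding __memset() needs no such guard because it is the uninstrumented variant, which is worth a word in the same comment.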
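Review bot: in the __kasan_record_aux_stack() hunk the ordering is the heart of the fix and deserves a comment: kasan_save_stack() runs before raw_spin_lock_irqsave() and stack_depot_put(old_handle) runs after raw_spin_unlock_irqrestore(), so the stack depot save and the refcount drop both stay outside the irq-disabled critical section, and only the three-line rotation of aux_stack[] is under aux_lock. Suggest a line such as "/* Save and put outside aux_lock; only the handle rotation needs it. */" above the kasan_disable_current() call, since a future reader may otherwise move the put back under the lock. Capturing old_handle under the lock and putting it once after the unlock is also what guarantees each handle is put exactly once when two callers race, which directly addresses the refcount underflow named in the commit message.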
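Review bot: the kasan.h hunk adds raw_spinlock_t aux_lock to struct kasan_alloc_meta, which grows the per-object metadata kept in every slab object's redzone by the size of a raw spinlock (more when spinlock debugging or lockdep is enabled), and the commit message does not mention this cost. Suggest one sentence in the commit message stating the per-object size increase, since every Generic KASAN user pays it on every object; the comment on why a raw spinlock is needed (non-sleepable callers of kasan_record_aux_stack_noalloc on RT) is clear and can stay as written.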