From: Kuan-Ying Lee
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Andrew Morton, Matthias Brugger
Cc: wsd_upstream@mediatek.com, Kuan-Ying Lee, nicholas.tang@mediatek.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, miles.chen@mediatek.com, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org
Subject: [PATCH 1/1] kasan: fix object remain in offline per-cpu quarantine
Date: Thu, 12 Nov 2020 14:24:12 +0800
Message-ID: <1605162252-23886-2-git-send-email-Kuan-Ying.Lee@mediatek.com>
In-Reply-To: <1605162252-23886-1-git-send-email-Kuan-Ying.Lee@mediatek.com>
References: <1605162252-23886-1-git-send-email-Kuan-Ying.Lee@mediatek.com>

We hit this issue in our internal test.
When enabling generic kasan, a kfree()'d object is put into per-cpu
quarantine first. If the cpu goes offline, object still remains in
the per-cpu quarantine. If we call kmem_cache_destroy() now, slub
will report "Objects remaining" error.

[ 74.982625] =============================================================================
[ 74.983380] BUG test_module_slab (Not tainted): Objects remaining in test_module_slab on __kmem_cache_shutdown()
[ 74.984145] -----------------------------------------------------------------------------
[ 74.984145]
[ 74.984883] Disabling lock debugging due to kernel taint
[ 74.985561] INFO: Slab 0x(____ptrval____) objects=34 used=1 fp=0x(____ptrval____) flags=0x2ffff00000010200
[ 74.986638] CPU: 3 PID: 176 Comm: cat Tainted: G B 5.10.0-rc1-00007-g4525c8781ec0-dirty #10
[ 74.987262] Hardware name: linux,dummy-virt (DT)
[ 74.987606] Call trace:
[ 74.987924] dump_backtrace+0x0/0x2b0
[ 74.988296] show_stack+0x18/0x68
[ 74.988698] dump_stack+0xfc/0x168
[ 74.989030] slab_err+0xac/0xd4
[ 74.989346] __kmem_cache_shutdown+0x1e4/0x3c8
[ 74.989779] kmem_cache_destroy+0x68/0x130
[ 74.990176] test_version_show+0x84/0xf0
[ 74.990679] module_attr_show+0x40/0x60
[ 74.991218] sysfs_kf_seq_show+0x128/0x1c0
[ 74.991656] kernfs_seq_show+0xa0/0xb8
[ 74.992059] seq_read+0x1f0/0x7e8
[ 74.992415] kernfs_fop_read+0x70/0x338
[ 74.993051] vfs_read+0xe4/0x250
[ 74.993498] ksys_read+0xc8/0x180
[ 74.993825] __arm64_sys_read+0x44/0x58
[ 74.994203] el0_svc_common.constprop.0+0xac/0x228
[ 74.994708] do_el0_svc+0x38/0xa0
[ 74.995088] el0_sync_handler+0x170/0x178
[ 74.995497] el0_sync+0x174/0x180
[ 74.996050] INFO: Object 0x(____ptrval____) @offset=15848
[ 74.996752] INFO: Allocated in test_version_show+0x98/0xf0 age=8188 cpu=6 pid=172
[ 75.000802] stack_trace_save+0x9c/0xd0
[ 75.002420] set_track+0x64/0xf0
[ 75.002770] alloc_debug_processing+0x104/0x1a0
[ 75.003171] ___slab_alloc+0x628/0x648
[ 75.004213] __slab_alloc.isra.0+0x2c/0x58
[ 75.004757] kmem_cache_alloc+0x560/0x588
[ 75.005376] test_version_show+0x98/0xf0
[ 75.005756] module_attr_show+0x40/0x60
[ 75.007035] sysfs_kf_seq_show+0x128/0x1c0
[ 75.007433] kernfs_seq_show+0xa0/0xb8
[ 75.007800] seq_read+0x1f0/0x7e8
[ 75.008128] kernfs_fop_read+0x70/0x338
[ 75.008507] vfs_read+0xe4/0x250
[ 75.008990] ksys_read+0xc8/0x180
[ 75.009462] __arm64_sys_read+0x44/0x58
[ 75.010085] el0_svc_common.constprop.0+0xac/0x228
[ 75.011006] kmem_cache_destroy test_module_slab: Slab cache still has objects

Register a cpu hotplug function to remove all objects in the offline
per-cpu quarantine when cpu is going offline. Set a per-cpu variable
to indicate this cpu is offline.

Signed-off-by: Kuan-Ying Lee
---
 mm/kasan/quarantine.c | 59 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 2 deletions(-)

diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c index 4c5375810449..67fb91ae2bd0 100644 --- a/mm/kasan/quarantine.c +++ b/mm/kasan/quarantine.c @@ -29,6 +29,7 @@ #include #include #include +#include #include "../slab.h" #include "kasan.h" @@ -97,6 +98,7 @@ static void qlist_move_all(struct qlist_head *from, struct qlist_head *to) * guarded by quarantine_lock. */ static DEFINE_PER_CPU(struct qlist_head, cpu_quarantine); +static DEFINE_PER_CPU(int, cpu_quarantine_offline); /* Round-robin FIFO array of batches. */ static struct qlist_head global_quarantine[QUARANTINE_BATCHES]; @@ -176,6 +178,8 @@ void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache) unsigned long flags; struct qlist_head *q; struct qlist_head temp = QLIST_INIT; + int *offline; + struct qlist_head q_offline = QLIST_INIT; /* * Note: irq must be disabled until after we move the batch to the 
@@ -187,8 +191,16 @@ void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache) */ local_irq_save(flags); - q = this_cpu_ptr(&cpu_quarantine); - qlist_put(q, &info->quarantine_link, cache->size); + offline = this_cpu_ptr(&cpu_quarantine_offline); + if (*offline == 0) { + q = this_cpu_ptr(&cpu_quarantine); + qlist_put(q, &info->quarantine_link, cache->size); + } else { + qlist_put(&q_offline, &info->quarantine_link, cache->size); + qlist_free_all(&q_offline, cache); + local_irq_restore(flags); + return; + } if (unlikely(q->bytes > QUARANTINE_PERCPU_SIZE)) { qlist_move_all(q, &temp); @@ -328,3 +340,46 @@ void quarantine_remove_cache(struct kmem_cache *cache) synchronize_srcu(&remove_cache_srcu); } + +static int kasan_cpu_online(unsigned int cpu) +{ + int *offline; + unsigned long flags; + + local_irq_save(flags); + offline = this_cpu_ptr(&cpu_quarantine_offline); + *offline = 0; + local_irq_restore(flags); + return 0; +} + +static int kasan_cpu_offline(unsigned int cpu) +{ + struct kmem_cache *s; + int *offline; + unsigned long flags; + + local_irq_save(flags); + offline = this_cpu_ptr(&cpu_quarantine_offline); + *offline = 1; + local_irq_restore(flags); + + mutex_lock(&slab_mutex); + list_for_each_entry(s, &slab_caches, list) { + per_cpu_remove_cache(s); + } + mutex_unlock(&slab_mutex); + return 0; +} + +static int __init kasan_cpu_offline_quarantine_init(void) +{ + int ret = 0; + + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "mm/kasan:online", + kasan_cpu_online, kasan_cpu_offline); + if (ret) + pr_err("kasan offline cpu quarantine register failed [%d]\n", ret); + return ret; +} +late_initcall(kasan_cpu_offline_quarantine_init);
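
Review bot: The new per-cpu flag cpu_quarantine_offline in the @@ -97,6 +98,7 @@ hunk is declared without any comment, so nothing states who writes it or what protects it. Please add a short comment saying that it is set and cleared by the CPU hotplug callbacks and read in quarantine_put() under local_irq_save() on the owning CPU, and consider declaring it bool since it only ever holds 0 or 1.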
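
Review bot: In the quarantine_put() hunk (@@ -187,8 +191,16 @@), the else branch frees the object immediately through a one-element q_offline list, so every free on a CPU marked offline skips the quarantine delay; that trade-off should be stated in a comment at the branch. The control flow would also be easier to audit with the flag tested first and an early exit (local_irq_restore(flags); return;), which leaves the existing qlist_put() path unindented and makes it obvious that q is always initialized before the following if (unlikely(q->bytes > QUARANTINE_PERCPU_SIZE)) check.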
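
Review bot: In kasan_cpu_offline_quarantine_init() (last hunk, @@ -328,3 +340,46 @@) the check if (ret) treats any non-zero value as failure, but cpuhp_setup_state() called with CPUHP_AP_ONLINE_DYN returns the dynamically allocated state number, a positive value, on success. As written the pr_err() fires on a successful registration and the positive value is returned from the initcall; test if (ret < 0) and return 0 otherwise (the = 0 initializer on ret is also redundant). In kasan_cpu_offline(), per_cpu_remove_cache(s) is called after local_irq_restore(flags), whereas quarantine_put() only touches cpu_quarantine with interrupts disabled; either drain the list inside the IRQs-off section or add a comment explaining why running it with interrupts enabled is safe. Both callbacks also ignore their cpu argument and rely on this_cpu_ptr(), which deserves a comment stating that they run on the CPU being hotplugged.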