From patchwork Mon Aug 10 07:21:15 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Walter Wu <walter-zh.wu@mediatek.com>
X-Patchwork-Id: 11707031
Return-Path: <SRS0=Y13L=BU=kvack.org=owner-linux-mm@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C152E13B6
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Mon, 10 Aug 2020 07:21:30 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 830372073E
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Mon, 10 Aug 2020 07:21:30 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com
 header.b="SMQ+HDqc"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 830372073E
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=mediatek.com
Authentication-Results: mail.kernel.org;
 spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 690C96B0003; Mon, 10 Aug 2020 03:21:29 -0400 (EDT)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 640346B0005; Mon, 10 Aug 2020 03:21:29 -0400 (EDT)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 557F76B0006; Mon, 10 Aug 2020 03:21:29 -0400 (EDT)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0195.hostedemail.com
 [216.40.44.195])
	by kanga.kvack.org (Postfix) with ESMTP id 3CF956B0003
	for <linux-mm@kvack.org>; Mon, 10 Aug 2020 03:21:29 -0400 (EDT)
Received: from smtpin20.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id E595E181AC9CC
	for <linux-mm@kvack.org>; Mon, 10 Aug 2020 07:21:28 +0000 (UTC)
X-FDA: 77133813456.20.beam97_1a12c9526fd8
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin20.hostedemail.com (Postfix) with ESMTP id B42B3180C07AB
	for <linux-mm@kvack.org>; Mon, 10 Aug 2020 07:21:28 +0000 (UTC)
X-Spam-Summary: 
 10,1,0,e7a46ac8792ca3c1,d41d8cd98f00b204,walter-zh.wu@mediatek.com,,RULES_HIT:41:355:379:541:966:967:973:988:989:1185:1260:1277:1311:1313:1314:1345:1437:1514:1515:1516:1518:1535:1542:1585:1711:1719:1730:1747:1777:1792:1978:1981:2194:2196:2198:2199:2200:2201:2393:2525:2553:2559:2565:2682:2685:2693:2731:2859:2892:2895:2901:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3353:3865:3866:3867:3868:3870:3871:3872:3874:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4250:4385:4605:5007:6119:6261:6653:7903:8603:9025:9707:10004:10400:11026:11658:11914:12043:12048:12291:12297:12521:12555:12679:12683:12698:12737:13200:13229:14096:14097:14157:14181:14394:14721:21080:21451:21627:21740:21972:30034:30054:30070:30075:30090,0,RBL:210.61.82.183:@mediatek.com:.lbl8.mailshell.net-64.201.201.201
 62.14.12.100;04yfzc7k3rmaf39trmpszukq4r5neypa4f531y4nnxsooyh6ukdegb98d91cr8s.q3pn8isp6bbm5wsmoi1pdg36eqtehdqnz1suenotwfrn91fbdwj7766cfgc8hjw.6-lbl8.mailshell.net-22
 3.238.25
X-HE-Tag: beam97_1a12c9526fd8
X-Filterd-Recvd-Size: 5153
Received: from mailgw01.mediatek.com (unknown [210.61.82.183])
	by imf07.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Mon, 10 Aug 2020 07:21:27 +0000 (UTC)
X-UUID: 9ef467e8e3c44a80abe745e271563427-20200810
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=mediatek.com; s=dk;
	h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:CC:To:From;
 bh=8hb1XmCOYYfoHO2INc2JsSa/wZHmidgJRDdB3egeX9U=;
	b=SMQ+HDqc9JZ3FaxSewQJaEBxCuE2aLVL/LY32B9mIdtH7TldvAJw0kksEXpoORisUxJU0rqFiysRM95qk12M1qJ7FoYRDti/B3QK4LK40GZjEa8EDF2epUmuERB+BuUur64cCu8nn9VO/NCGsGoAQllAC0loyzK2wTsx3CH/Ioo=;
X-UUID: 9ef467e8e3c44a80abe745e271563427-20200810
Received: from mtkexhb02.mediatek.inc [(172.21.101.103)] by
 mailgw01.mediatek.com
	(envelope-from <walter-zh.wu@mediatek.com>)
	(Cellopoint E-mail Firewall v4.1.10 Build 0809 with TLS)
	with ESMTP id 1691687393; Mon, 10 Aug 2020 15:21:18 +0800
Received: from mtkcas08.mediatek.inc (172.21.101.126) by
 mtkmbs01n1.mediatek.inc (172.21.101.68) with Microsoft SMTP Server (TLS) id
 15.0.1497.2; Mon, 10 Aug 2020 15:21:15 +0800
Received: from mtksdccf07.mediatek.inc (172.21.84.99) by mtkcas08.mediatek.inc
 (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend
 Transport; Mon, 10 Aug 2020 15:21:15 +0800
From: Walter Wu <walter-zh.wu@mediatek.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>, Alexander Potapenko
	<glider@google.com>, Dmitry Vyukov <dvyukov@google.com>, Matthias Brugger
	<matthias.bgg@gmail.com>, John Stultz <john.stultz@linaro.org>, Stephen Boyd
	<sboyd@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Tejun Heo
	<tj@kernel.org>, Lai Jiangshan <jiangshanlai@gmail.com>
CC: <kasan-dev@googlegroups.com>, <linux-mm@kvack.org>,
	<linux-kernel@vger.kernel.org>, <linux-arm-kernel@lists.infradead.org>,
	wsd_upstream <wsd_upstream@mediatek.com>,
	<linux-mediatek@lists.infradead.org>, Walter Wu <walter-zh.wu@mediatek.com>
Subject: [PATCH 0/5] kasan: add workqueue and timer stack for generic KASAN
Date: Mon, 10 Aug 2020 15:21:15 +0800
Message-ID: <20200810072115.429-1-walter-zh.wu@mediatek.com>
X-Mailer: git-send-email 2.18.0
MIME-Version: 1.0
X-MTK: N
X-Rspamd-Queue-Id: B42B3180C07AB
X-Spamd-Result: default: False [0.00 / 100.00]
X-Rspamd-Server: rspam01
X-Bogosity: Ham, tests=bogofilter, spamicity=0.015860, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
In some of these access/allocation happened in process_one_work(),
we see the free stack is useless in KASAN report, it doesn't help
programmers to solve UAF on workqueue. The same may stand for times.

This patchset improves KASAN reports by making them to have workqueue
queueing stack and timer queueing stack information. It is useful for
programmers to solve use-after-free or double-free memory issue.

Generic KASAN will record the last two workqueue and timer stacks,
print them in KASAN report. It is only suitable for generic KASAN.

In order to print the last two workqueue and timer stacks, so that
we add new members in struct kasan_alloc_meta.
- two workqueue queueing work stacks, total size is 8 bytes.
- two timer queueing stacks, total size is 8 bytes.

Orignial struct kasan_alloc_meta size is 16 bytes. After add new
members, then the struct kasan_alloc_meta total size is 32 bytes,
It is a good number of alignment. Let it get better memory consumption.

[1]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
[2]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
[3]https://bugzilla.kernel.org/show_bug.cgi?id=198437

Walter Wu (5):
timer: kasan: record and print timer stack
workqueue: kasan: record and print workqueue stack
lib/test_kasan.c: add timer test case
lib/test_kasan.c: add workqueue test case
kasan: update documentation for generic kasan

Documentation/dev-tools/kasan.rst |  4 ++--
include/linux/kasan.h             |  4 ++++
kernel/time/timer.c               |  2 ++
kernel/workqueue.c                |  3 +++
lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
mm/kasan/generic.c                | 42 ++++++++++++++++++++++++++++++++++++++++++
mm/kasan/kasan.h                  |  6 +++++-
mm/kasan/report.c                 | 22 ++++++++++++++++++++++
8 files changed, 134 insertions(+), 3 deletions(-)