From patchwork Mon Aug 24 08:07:06 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Walter Wu <walter-zh.wu@mediatek.com>
X-Patchwork-Id: 11732307
Return-Path: <SRS0=JPLW=CC=kvack.org=owner-linux-mm@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3BDAA1392
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Mon, 24 Aug 2020 08:07:19 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id E8C882072D
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Mon, 24 Aug 2020 08:07:18 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com
 header.b="VHJf/G5t"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E8C882072D
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=mediatek.com
Authentication-Results: mail.kernel.org;
 spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 1CD776B0002; Mon, 24 Aug 2020 04:07:18 -0400 (EDT)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 157C56B0005; Mon, 24 Aug 2020 04:07:18 -0400 (EDT)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 01FC56B0006; Mon, 24 Aug 2020 04:07:17 -0400 (EDT)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0173.hostedemail.com
 [216.40.44.173])
	by kanga.kvack.org (Postfix) with ESMTP id DC52A6B0002
	for <linux-mm@kvack.org>; Mon, 24 Aug 2020 04:07:17 -0400 (EDT)
Received: from smtpin01.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay02.hostedemail.com (Postfix) with ESMTP id 9163D362A
	for <linux-mm@kvack.org>; Mon, 24 Aug 2020 08:07:17 +0000 (UTC)
X-FDA: 77184732114.01.wool29_5416f2727051
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin01.hostedemail.com (Postfix) with ESMTP id 5951810046460
	for <linux-mm@kvack.org>; Mon, 24 Aug 2020 08:07:17 +0000 (UTC)
X-Spam-Summary: 
 1,0,0,e004414bd2fc735f,d41d8cd98f00b204,walter-zh.wu@mediatek.com,,RULES_HIT:41:355:379:541:966:967:968:973:988:989:1185:1260:1277:1311:1313:1314:1345:1437:1514:1515:1516:1518:1534:1541:1585:1711:1719:1730:1747:1777:1792:1978:1981:2194:2196:2198:2199:2200:2201:2393:2525:2553:2559:2565:2682:2685:2693:2859:2892:2895:2901:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3353:3865:3866:3867:3868:3870:3871:3872:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4250:4385:4605:5007:6119:6261:6653:7875:7903:9025:9707:10004:10400:11026:11232:11658:11914:12043:12048:12291:12296:12297:12438:12521:12555:12679:12683:12698:12737:13069:13200:13229:13311:13357:14095:14096:14181:14394:14721:21080:21451:21627:21740:30012:30029:30054:30070:30075:30090,0,RBL:210.61.82.183:@mediatek.com:.lbl8.mailshell.net-64.201.201.201
 62.14.12.100;04yfwoc7mu67a6semmicb4npx5hz5oc375y14s7zkxsooyh6ukz3b4saz4mwsib.ypsaptcjh4dx1e55zpo95juar364b7qfjt6hasoxkkgg76ep4dunnrd64xu9ufm.
 o-lbl8.m
X-HE-Tag: wool29_5416f2727051
X-Filterd-Recvd-Size: 4792
Received: from mailgw01.mediatek.com (unknown [210.61.82.183])
	by imf32.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Mon, 24 Aug 2020 08:07:14 +0000 (UTC)
X-UUID: 65827033c7fa4ed9be0c8c45bc777b51-20200824
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=mediatek.com; s=dk;
	h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:CC:To:From;
 bh=Ws+o5UOYVh6zo1fhqEVNgTGjFEJeI4HICegFEkqKmwA=;
	b=VHJf/G5tfTuvjMvpwsJE0QKIC1uZINdkgBOHAmp8bJ5BUndZUXULuUQpSpxyXkaQT4VCVJ7TRp23IcBsu2UupMlU/A+kDwo3AngagdmDTfQS5yqaCHTtxwRRGy+gACvudA2IyupolbTNRH/+5sfm1mt9ybSlJsTe8oz7COapQeU=;
X-UUID: 65827033c7fa4ed9be0c8c45bc777b51-20200824
Received: from mtkcas07.mediatek.inc [(172.21.101.84)] by
 mailgw01.mediatek.com
	(envelope-from <walter-zh.wu@mediatek.com>)
	(Cellopoint E-mail Firewall v4.1.10 Build 0809 with TLS)
	with ESMTP id 1135189248; Mon, 24 Aug 2020 16:07:10 +0800
Received: from MTKCAS06.mediatek.inc (172.21.101.30) by
 mtkmbs01n2.mediatek.inc (172.21.101.79) with Microsoft SMTP Server (TLS) id
 15.0.1497.2; Mon, 24 Aug 2020 16:07:06 +0800
Received: from mtksdccf07.mediatek.inc (172.21.84.99) by MTKCAS06.mediatek.inc
 (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend
 Transport; Mon, 24 Aug 2020 16:07:06 +0800
From: Walter Wu <walter-zh.wu@mediatek.com>
To: Marco Elver <elver@google.com>, Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Alexander Potapenko <glider@google.com>, Dmitry Vyukov <dvyukov@google.com>,
	Matthias Brugger <matthias.bgg@gmail.com>, John Stultz
	<john.stultz@linaro.org>, Stephen Boyd <sboyd@kernel.org>, Andrew Morton
	<akpm@linux-foundation.org>, Tejun Heo <tj@kernel.org>, Lai Jiangshan
	<jiangshanlai@gmail.com>
CC: <kasan-dev@googlegroups.com>, <linux-mm@kvack.org>,
	<linux-kernel@vger.kernel.org>, <linux-arm-kernel@lists.infradead.org>,
	wsd_upstream <wsd_upstream@mediatek.com>,
	<linux-mediatek@lists.infradead.org>, Walter Wu <walter-zh.wu@mediatek.com>
Subject: [PATCH v2 0/6] kasan: add workqueue and timer stack for generic KASAN
Date: Mon, 24 Aug 2020 16:07:06 +0800
Message-ID: <20200824080706.24704-1-walter-zh.wu@mediatek.com>
X-Mailer: git-send-email 2.18.0
MIME-Version: 1.0
X-TM-SNTS-SMTP: 
	3CA77E6D371981748F1B9D271F7149CE6182270AF73BF62DA9C780BF27EE73342000:8
X-MTK: N
X-Rspamd-Queue-Id: 5951810046460
X-Spamd-Result: default: False [0.00 / 100.00]
X-Rspamd-Server: rspam04
X-Bogosity: Ham, tests=bogofilter, spamicity=0.078793, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
In some of these access/allocation happened in process_one_work(),
we see the free stack is useless in KASAN report, it doesn't help
programmers to solve UAF on workqueue. The same may stand for times.

This patchset improves KASAN reports by making them to have workqueue
queueing stack and timer queueing stack information. It is useful for
programmers to solve use-after-free or double-free memory issue.

Generic KASAN will record the last two workqueue and timer stacks,
print them in KASAN report. It is only suitable for generic KASAN.

[1]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
[2]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
[3]https://bugzilla.kernel.org/show_bug.cgi?id=198437

Walter Wu (6):
timer: kasan: record timer stack
workqueue: kasan: record workqueue stack
kasan: print timer and workqueue stack
lib/test_kasan.c: add timer test case
lib/test_kasan.c: add workqueue test case
kasan: update documentation for generic kasan
Acked-by: Marco Elver <elver@google.com>
---

Changes since v1:
- Thanks for Marco and Thomas suggestion.
- Remove unnecessary code and fix commit log
- reuse kasan_record_aux_stack() and aux_stack
  to record timer and workqueue stack.
- change the aux stack title for common name.

---

Documentation/dev-tools/kasan.rst |  4 ++--
kernel/time/timer.c               |  3 +++
kernel/workqueue.c                |  3 +++
lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
mm/kasan/report.c                 |  4 ++--
5 files changed, 64 insertions(+), 4 deletions(-)