From patchwork Tue Aug 25 01:56:54 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Walter Wu <walter-zh.wu@mediatek.com>
X-Patchwork-Id: 11734661
Return-Path: <SRS0=AAJG=CD=kvack.org=owner-linux-mm@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 488EB138A
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Tue, 25 Aug 2020 01:57:04 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 151DF20706
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Tue, 25 Aug 2020 01:57:04 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com
 header.b="vIAQSCJL"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 151DF20706
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=mediatek.com
Authentication-Results: mail.kernel.org;
 spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 397AD6B00BC; Mon, 24 Aug 2020 21:57:03 -0400 (EDT)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 329CD8D0002; Mon, 24 Aug 2020 21:57:03 -0400 (EDT)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 20F986B00BE; Mon, 24 Aug 2020 21:57:03 -0400 (EDT)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0144.hostedemail.com
 [216.40.44.144])
	by kanga.kvack.org (Postfix) with ESMTP id 082926B00BC
	for <linux-mm@kvack.org>; Mon, 24 Aug 2020 21:57:03 -0400 (EDT)
Received: from smtpin30.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay01.hostedemail.com (Postfix) with ESMTP id B97E7180AD817
	for <linux-mm@kvack.org>; Tue, 25 Aug 2020 01:57:02 +0000 (UTC)
X-FDA: 77187427884.30.wheel95_2900e5b27058
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin30.hostedemail.com (Postfix) with ESMTP id 8A2A4180B3AA7
	for <linux-mm@kvack.org>; Tue, 25 Aug 2020 01:57:02 +0000 (UTC)
X-Spam-Summary: 
 1,0,0,112d27873f78cb48,d41d8cd98f00b204,walter-zh.wu@mediatek.com,,RULES_HIT:41:355:379:541:966:967:968:973:988:989:1185:1260:1277:1311:1313:1314:1345:1437:1514:1515:1516:1518:1534:1541:1585:1711:1719:1730:1747:1777:1792:1978:1981:2194:2196:2198:2199:2200:2201:2393:2525:2553:2559:2565:2682:2685:2859:2892:2895:2901:2907:2924:2926:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3353:3865:3866:3867:3868:3870:3871:3872:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4250:4385:4605:5007:6119:6261:6653:7875:7903:9025:9707:10004:10400:11026:11232:11658:11914:12043:12048:12291:12296:12297:12438:12521:12555:12679:12683:12698:12737:13069:13200:13229:13311:13357:14095:14096:14181:14394:14721:21080:21451:21627:21740:30012:30029:30054:30070:30075:30090,0,RBL:210.61.82.184:@mediatek.com:.lbl8.mailshell.net-62.14.12.100
 64.201.201.201;04yrt56jdit5z9qwgagg8etmhwwk4ocdbchdtgtp9wc6yno685qyw9bkeq7kjim.9kcouehjh4dx1e549mf5kk6wro7sn5wfggtsjdizegkse1j7waf9y1
 a8if6gb3
X-HE-Tag: wheel95_2900e5b27058
X-Filterd-Recvd-Size: 4924
Received: from mailgw02.mediatek.com (unknown [210.61.82.184])
	by imf14.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Tue, 25 Aug 2020 01:57:01 +0000 (UTC)
X-UUID: d2c409b765f64f23a75f83bc153bfba3-20200825
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=mediatek.com; s=dk;
	h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:CC:To:From;
 bh=dui2EisGgR0+t0THBhS3OAXFKeQaKCwjzNylFyfsynE=;
	b=vIAQSCJL2GMmOBhY1FXjNbDc0jvqU73eR4Jrjw+GvFGcspFaq8vu1mXNKn1Deij8FXbf3N4t0XoB3x1SwDmfR1M0v1tT22xDaTdnpafXrpuW5pWSHMD6IH9A/eAs5G7D9UKLkyk4PpHK6so5CMYy3sjFB79O7fbbX86D8qz+ehs=;
X-UUID: d2c409b765f64f23a75f83bc153bfba3-20200825
Received: from mtkexhb01.mediatek.inc [(172.21.101.102)] by
 mailgw02.mediatek.com
	(envelope-from <walter-zh.wu@mediatek.com>)
	(Cellopoint E-mail Firewall v4.1.10 Build 0809 with TLS)
	with ESMTP id 2031445678; Tue, 25 Aug 2020 09:56:57 +0800
Received: from mtkcas07.mediatek.inc (172.21.101.84) by
 mtkmbs01n2.mediatek.inc (172.21.101.79) with Microsoft SMTP Server (TLS) id
 15.0.1497.2; Tue, 25 Aug 2020 09:56:54 +0800
Received: from mtksdccf07.mediatek.inc (172.21.84.99) by mtkcas07.mediatek.inc
 (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend
 Transport; Tue, 25 Aug 2020 09:56:55 +0800
From: Walter Wu <walter-zh.wu@mediatek.com>
To: Marco Elver <elver@google.com>, Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Alexander Potapenko <glider@google.com>, Dmitry Vyukov <dvyukov@google.com>,
	Matthias Brugger <matthias.bgg@gmail.com>, John Stultz
	<john.stultz@linaro.org>, Stephen Boyd <sboyd@kernel.org>, Andrew Morton
	<akpm@linux-foundation.org>, Tejun Heo <tj@kernel.org>, Lai Jiangshan
	<jiangshanlai@gmail.com>
CC: <kasan-dev@googlegroups.com>, <linux-mm@kvack.org>,
	<linux-kernel@vger.kernel.org>, <linux-arm-kernel@lists.infradead.org>,
	wsd_upstream <wsd_upstream@mediatek.com>,
	<linux-mediatek@lists.infradead.org>, Walter Wu <walter-zh.wu@mediatek.com>
Subject: [PATCH v3 0/6] kasan: add workqueue and timer stack for generic KASAN
Date: Tue, 25 Aug 2020 09:56:54 +0800
Message-ID: <20200825015654.27781-1-walter-zh.wu@mediatek.com>
X-Mailer: git-send-email 2.18.0
MIME-Version: 1.0
X-TM-SNTS-SMTP: 
	A71BEAAB700B14FB398E93913C82E2C0D2E251B57762600FE97A0A54DAEC618C2000:8
X-MTK: N
X-Rspamd-Queue-Id: 8A2A4180B3AA7
X-Spamd-Result: default: False [0.00 / 100.00]
X-Rspamd-Server: rspam05
X-Bogosity: Ham, tests=bogofilter, spamicity=0.050927, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Syzbot reports many UAF issues for workqueue or timer, see [1] and [2].
In some of these access/allocation happened in process_one_work(),
we see the free stack is useless in KASAN report, it doesn't help
programmers to solve UAF on workqueue. The same may stand for times.

This patchset improves KASAN reports by making them to have workqueue
queueing stack and timer stack information. It is useful for programmers
to solve use-after-free or double-free memory issue.

Generic KASAN also records the last two workqueue and timer stacks and
prints them in KASAN report. It is only suitable for generic KASAN.

[1]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22+process_one_work
[2]https://groups.google.com/g/syzkaller-bugs/search?q=%22use-after-free%22%20expire_timers
[3]https://bugzilla.kernel.org/show_bug.cgi?id=198437

Walter Wu (6):
timer: kasan: record timer stack
workqueue: kasan: record workqueue stack
kasan: print timer and workqueue stack
lib/test_kasan.c: add timer test case
lib/test_kasan.c: add workqueue test case
kasan: update documentation for generic kasan
Acked-by: Marco Elver <elver@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
---

Changes since v2:
- modify kasan document to be more readable.
  Thanks for Marco suggestion.

Changes since v1:
- Thanks for Marco and Thomas suggestion.
- Remove unnecessary code and fix commit log
- reuse kasan_record_aux_stack() and aux_stack
  to record timer and workqueue stack.
- change the aux stack title for common name.

---

Documentation/dev-tools/kasan.rst |  4 ++--
kernel/time/timer.c               |  3 +++
kernel/workqueue.c                |  3 +++
lib/test_kasan.c                  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
mm/kasan/report.c                 |  4 ++--
5 files changed, 64 insertions(+), 4 deletions(-)