From patchwork Fri Nov 19 14:22:18 2021
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 12629015
Date: Fri, 19 Nov 2021 15:22:18 +0100
Message-Id: <20211119142219.1519617-1-elver@google.com>
Subject: [PATCH 1/2] kasan: add ability to detect double-kmem_cache_destroy()
From: Marco Elver
To: elver@google.com, Andrew Morton
Cc: Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Vlastimil Babka, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org

Because mm/slab_common.c is not instrumented with software KASAN modes, it is not possible to detect use-after-free of the kmem_cache passed into kmem_cache_destroy(). In particular, because of the s->refcount-- and subsequent early return if non-zero, KASAN would never be able to see the double-free via kmem_cache_free(kmem_cache, s).

To be able to detect a double-kmem_cache_destroy(), check accessibility of the kmem_cache, and in case of failure return early.

While KASAN_HW_TAGS is able to detect such bugs, by checking accessibility and returning early we fail more gracefully and also avoid corrupting reused objects (where tags mismatch).

A recent case of a double-kmem_cache_destroy() was detected by KFENCE: https://lkml.kernel.org/r/0000000000003f654905c168b09d@google.com , which was not detectable by software KASAN modes.
Signed-off-by: Marco Elver Acked-by: Vlastimil Babka Reviewed-by: Andrey Konovalov --- mm/slab_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index e5d080a93009..4bef4b6a2c76 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -491,7 +491,7 @@ void kmem_cache_destroy(struct kmem_cache *s) { int err; - if (unlikely(!s)) + if (unlikely(!s || !kasan_check_byte(s))) return; cpus_read_lock();
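Review bot: the new condition `if (unlikely(!s || !kasan_check_byte(s)))` carries no comment, so a reader of mm/slab_common.c will not see why a KASAN call sits in the slab destroy path or that the early return is deliberate; add a one-line comment above it, for instance `/* Bail out if s was already freed (double kmem_cache_destroy()); kasan_check_byte() reports it. */`. The commit message says the function "return[s] early" on failure but does not say whether anything is reported on that path or what the check does in builds without KASAN; please state in the message that the report comes from kasan_check_byte() itself and that non-KASAN builds see no behaviour change, so reviewers do not have to read the helper to confirm that a silent bail-out is not being introduced. Note also that the check runs before cpus_read_lock() is taken, which is fine for a best-effort detector of an already-buggy caller, but the object may be freed and reused between the check and the s->refcount-- that follows; as the message says, that reuse case is only caught by the tag mismatch under KASAN_HW_TAGS.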
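The mechanism the commit message describes, as an added user-space model and not code from the patch or from the kernel: a fixed-slot allocator whose per-slot poisoned flag plays the part of KASAN shadow memory, a destroy routine that decrements a refcount and returns early (the pre-patch shape of kmem_cache_destroy()), and the same routine with an accessibility check in front. All names (struct cache, check_byte, cache_destroy_unchecked and so on) are hypothetical stand-ins. The model has no quarantine and no memory tags, which is exactly why its last function shows the reuse case the commit message leaves to KASAN_HW_TAGS.

```c
#include <stdbool.h>
#include <string.h>

#define ARENA_OBJS 4

/* Stand-in for struct kmem_cache: only the field the destroy path touches. */
struct cache { int refcount; };

/* Fixed-slot allocator; shadow_poisoned[] models KASAN shadow memory (poisoned
 * while free). Only explicit check_byte() calls consult it, mirroring that
 * mm/slab_common.c itself is not instrumented. */
static struct cache arena[ARENA_OBJS];
static bool shadow_poisoned[ARENA_OBJS];
static int reports;	/* bad accesses flagged by check_byte() */

static void reset_model(void)
{
	memset(arena, 0, sizeof(arena));
	for (int i = 0; i < ARENA_OBJS; i++)
		shadow_poisoned[i] = true;
	reports = 0;
}

/* Model of kasan_check_byte(): report and return false if inaccessible. */
static bool check_byte(const struct cache *s)
{
	if (shadow_poisoned[s - arena]) {
		reports++;
		return false;
	}
	return true;
}

static struct cache *cache_create(void)
{
	for (int i = 0; i < ARENA_OBJS; i++) {
		if (!shadow_poisoned[i])
			continue;
		shadow_poisoned[i] = false;	/* unpoison on allocation */
		arena[i].refcount = 1;
		return &arena[i];
	}
	return NULL;
}

/* The only checked access on the pre-patch path; never reached on a double destroy. */
static void cache_free(struct cache *s)
{
	if (!check_byte(s))
		return;
	shadow_poisoned[s - arena] = true;	/* poison on free */
}

/* Pre-patch shape: the refcount decrement touches the freed object unchecked,
 * the result is non-zero, and the early return means cache_free() never runs. */
static void cache_destroy_unchecked(struct cache *s)
{
	if (!s)
		return;
	s->refcount--;
	if (s->refcount)
		return;
	cache_free(s);
}

/* After the patch: check accessibility of the cache before touching it. */
static void cache_destroy_checked(struct cache *s)
{
	if (!s || !check_byte(s))
		return;
	s->refcount--;
	if (s->refcount)
		return;
	cache_free(s);
}

/* Destroy one cache twice; return how many reports the checker raised. */
static int double_destroy_reports(void (*destroy)(struct cache *))
{
	reset_model();
	struct cache *s = cache_create();
	destroy(s);	/* refcount 1 -> 0: freed and poisoned */
	destroy(s);	/* the bug: destroying an already freed cache */
	return reports;
}

/* Caveat: the byte check only helps while the slot is still poisoned. Once the
 * slot is reused (no quarantine, no tags here), the stale destroy passes the
 * check and corrupts the new cache. Returns its refcount: 1 intact, 0 corrupted. */
static int stale_destroy_after_reuse(void)
{
	reset_model();
	struct cache *old = cache_create();
	cache_destroy_checked(old);		/* freed, slot poisoned */
	struct cache *fresh = cache_create();	/* reuses the same slot */
	cache_destroy_checked(old);		/* old == fresh: check passes */
	return fresh->refcount;
}
```

With the unchecked variant a double destroy produces no report at all; with the checked variant the second call is reported and the function returns without touching the object. The last function is the limit of the approach: once the freed slot has been handed out again, a stale destroy is indistinguishable from a legitimate one to a first-byte check, which is the case the commit message leaves to tag mismatches under KASAN_HW_TAGS (and, for the generic mode, to the delay that quarantine puts between free and reuse).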