From patchwork Fri Nov 18 15:22:16 2022
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 13048386
Date: Fri, 18 Nov 2022 16:22:16 +0100
Message-ID: <20221118152216.3914899-1-elver@google.com>
Subject: [PATCH] kfence: fix stack trace pruning
From: Marco Elver
To: elver@google.com, Andrew Morton
Cc: Alexander Potapenko, Dmitry Vyukov, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Feng Tang
Commit b14051352465 ("mm/sl[au]b: generalize kmalloc subsystem") refactored
large parts of the kmalloc subsystem, resulting in the stack trace pruning
logic done by KFENCE to no longer work.

While b14051352465 attempted to fix the situation by including
'__kmem_cache_free' in the list of functions KFENCE should skip through,
this only works when the compiler actually optimized the tail call from
kfree() to __kmem_cache_free() into a jump (and thus kfree() _not_
appearing in the full stack trace to begin with).

In some configurations, the compiler no longer optimizes the tail call
into a jump, and __kmem_cache_free() appears in the stack trace. This
means that the pruned stack trace shown by KFENCE would include kfree()
which is not intended - for example:

 | BUG: KFENCE: invalid free in kfree+0x7c/0x120
 |
 | Invalid free of 0xffff8883ed8fefe0 (in kfence-#126):
 |  kfree+0x7c/0x120
 |  test_double_free+0x116/0x1a9
 |  kunit_try_run_case+0x90/0xd0
 |  [...]

Fix it by moving __kmem_cache_free() to the list of functions that may
be tail called by an allocator entry function, making the pruning logic
work in both the optimized and unoptimized tail call cases.

Fixes: b14051352465 ("mm/sl[au]b: generalize kmalloc subsystem")
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Feng Tang
Signed-off-by: Marco Elver
Reviewed-by: Alexander Potapenko
---
 mm/kfence/report.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/mm/kfence/report.c b/mm/kfence/report.c
index 7e496856c2eb..46ecea18c4ca 100644
--- a/mm/kfence/report.c
+++ b/mm/kfence/report.c
@@ -75,18 +75,23 @@ static int get_stack_skipnr(const unsigned long stack_entries[], int num_entries if (str_has_prefix(buf, ARCH_FUNC_PREFIX "kfence_") || str_has_prefix(buf, ARCH_FUNC_PREFIX "__kfence_") || + str_has_prefix(buf, ARCH_FUNC_PREFIX "__kmem_cache_free") || !strncmp(buf, ARCH_FUNC_PREFIX "__slab_free", len)) { /* - * In case of tail calls from any of the below - * to any of the above. + * In case of tail calls from any of the below to any of + * the above, optimized by the compiler such that the + * stack trace would omit the initial entry point below. */ fallback = skipnr + 1; } - /* Also the *_bulk() variants by only checking prefixes. */ + /* + * The below list should only include the initial entry points + * into the slab allocators. Includes the *_bulk() variants by + * checking prefixes. + */ if (str_has_prefix(buf, ARCH_FUNC_PREFIX "kfree") || str_has_prefix(buf, ARCH_FUNC_PREFIX "kmem_cache_free") || - str_has_prefix(buf, ARCH_FUNC_PREFIX "__kmem_cache_free") || str_has_prefix(buf, ARCH_FUNC_PREFIX "__kmalloc") || str_has_prefix(buf, ARCH_FUNC_PREFIX "kmem_cache_alloc")) goto found;
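Review bot: The added `str_has_prefix(buf, ARCH_FUNC_PREFIX "__kmem_cache_free")` check is a prefix match, whereas the neighbouring `__slab_free` test uses `!strncmp(buf, ARCH_FUNC_PREFIX "__slab_free", len)` and so only matches that exact symbol; if `__kmem_cache_free_bulk` is also meant to count as a tail-call target, the new comment ("In case of tail calls from any of the below to any of the above ...") could say so, otherwise the `strncmp` form would keep the two checks consistent. The move itself is sound against the visible logic: a match in the first block only records `fallback = skipnr + 1` and the loop continues, so in the unoptimized case the later `kfree` frame still reaches the second block's `goto found`, and in the optimized case the fallback points just past `__kmem_cache_free`, which is the frame the commit message wants the pruned trace to start from.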
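The pruning heuristic the commit message describes, modelled in userspace as an added example (not the kernel's code or the author's): the same two frame lists as get_stack_skipnr(), plus a flag selecting where __kmem_cache_free() sits before and after this patch, run over the double-free trace in both tail-call shapes. The frame names, the two traces and the empty ARCH_FUNC_PREFIX are assumptions.

```c
#include <string.h>

/*
 * Userspace model of KFENCE's get_stack_skipnr() pruning heuristic, written
 * for this example (not the kernel's code). Frames are symbol names as %ps
 * prints them, without offsets; ARCH_FUNC_PREFIX is assumed to be empty.
 */
static int has_prefix(const char *s, const char *p)
{
	return strncmp(s, p, strlen(p)) == 0;
}

/*
 * Index of the first frame to report: the caller of the allocator entry
 * point, or the frame after the last internal helper if no entry point is
 * found. 'fixed' selects whether __kmem_cache_free is a possible tail-call
 * target (the patch) or an entry point (the code the patch replaces).
 */
int get_stack_skipnr(const char *const frames[], int num_entries, int fixed)
{
	int skipnr, fallback = 0;

	for (skipnr = 0; skipnr < num_entries; skipnr++) {
		const char *buf = frames[skipnr];
		int is_kcf = has_prefix(buf, "__kmem_cache_free");

		if (has_prefix(buf, "kfence_") || has_prefix(buf, "__kfence_") ||
		    (fixed && is_kcf) || strcmp(buf, "__slab_free") == 0)
			fallback = skipnr + 1; /* may be tail-called by an entry point */

		if (has_prefix(buf, "kfree") || has_prefix(buf, "kmem_cache_free") ||
		    (!fixed && is_kcf) || has_prefix(buf, "__kmalloc") ||
		    has_prefix(buf, "kmem_cache_alloc"))
			goto found;
	}
	if (fallback < num_entries)
		return fallback;
found:
	skipnr++;
	return skipnr < num_entries ? skipnr : 0;
}

/* Constructed traces for the double-free report quoted in the commit message. */
const char *const optimized[] = {   /* kfree() -> __kmem_cache_free() became a jump */
	"kfence_report_error", "kfence_guarded_free", "__kfence_free",
	"__kmem_cache_free", "test_double_free", "kunit_try_run_case" };
const char *const unoptimized[] = { /* kfree() stays on the stack */
	"kfence_report_error", "kfence_guarded_free", "__kfence_free",
	"__kmem_cache_free", "kfree", "test_double_free", "kunit_try_run_case" };
```

With fixed=0 the unoptimized trace is pruned to start at kfree, reproducing the report in the commit message; with fixed=1 both traces start at test_double_free.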