From patchwork Wed Sep 11 13:01:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Walter Wu X-Patchwork-Id: 11141049 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 90E0217E6 for ; Wed, 11 Sep 2019 13:02:14 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 6F49B206A1 for ; Wed, 11 Sep 2019 13:02:14 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="RQhg33sK" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6F49B206A1 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=mediatek.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:Subject:To :From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=cloKPI9x7IpqKew1Od84UDEUcicnlrGvncTSnE4o9fs=; b=RQhg33sKx5p9ny laMLZFiJOhygZ1ty3V1plE2TwD4qtA59OeKMWI/zHwL44NuY2dVMA/Xa/zNosHFJZWrE8oeuI5wn1 1VLM5fChvHtRnv7ybbimK6hEoRhleTRl7b1x7GigB9k008U8Oi5eSJM+TvCxaDAiPZckgsukMQtHm rYwfBq3ksdBpwe60nrLxlMQ86+Y7terhqEYplkrDGzS/VTfh2XzIN3AaOtp6kKumMfawfBZVB64JM GGqSSXkcR81ZLiXmNP4ptcwMgVncg5mEfT3Gat2Qt+eEVg6rhyCDNZrUUSsRU3/ouVYJ/+Sp9frB2 I6zU/7qiNRU2SnimbIXQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92.2 #3 (Red Hat Linux)) id 1i82GD-0007Qm-9R; Wed, 11 Sep 2019 13:02:13 +0000 Received: from mailgw01.mediatek.com ([216.200.240.184]) by bombadil.infradead.org with esmtps (Exim 4.92.2 #3 (Red Hat Linux)) id 1i82G7-0007PW-RQ; Wed, 11 Sep 2019 13:02:09 +0000 X-UUID: e3271ab8dc1a4ec49e2259ad1f15b1f2-20190911 X-UUID: e3271ab8dc1a4ec49e2259ad1f15b1f2-20190911 Received: from mtkcas68.mediatek.inc [(172.29.94.19)] by mailgw01.mediatek.com (envelope-from ) (musrelay.mediatek.com ESMTP with TLS) with ESMTP id 529136661; Wed, 11 Sep 2019 05:02:01 -0800 Received: from MTKMBS07N2.mediatek.inc (172.21.101.141) by MTKMBS62N1.mediatek.inc (172.29.193.41) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 11 Sep 2019 06:01:59 -0700 Received: from mtkcas08.mediatek.inc (172.21.101.126) by mtkmbs07n2.mediatek.inc (172.21.101.141) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 11 Sep 2019 21:01:58 +0800 Received: from mtksdccf07.mediatek.inc (172.21.84.99) by mtkcas08.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.0.1395.4 via Frontend Transport; Wed, 11 Sep 2019 21:01:58 +0800 From: Walter Wu To: Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Matthias Brugger , Andrew Morton , "Martin Schwidefsky" , Andrey Konovalov , Qian Cai , Vlastimil Babka , Arnd Bergmann Subject: [PATCH v4] mm/kasan: dump alloc and free stack for page allocator Date: Wed, 11 Sep 2019 21:01:56 +0800 Message-ID: <20190911130156.12628-1-walter-zh.wu@mediatek.com> X-Mailer: git-send-email 2.18.0 MIME-Version: 1.0 X-MTK: N X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190911_060207_893663_B9ED328A X-CRM114-Status: GOOD ( 11.96 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [216.200.240.184 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Walter Wu , wsd_upstream@mediatek.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org This patch is KASAN's report adds the alloc/free stack for page allocator in order to help programmer to see memory corruption caused by the page. By default, KASAN doesn't record alloc or free stack for page allocator. It is difficult to fix up the page use-after-free or double-free issue. We add the following changing: 1) KASAN enable PAGE_OWNER by default to get the alloc stack of the page. 2) Add new feature option to get the free stack of the page. The new feature KASAN_DUMP_PAGE depends on DEBUG_PAGEALLOC, it will help to record free stack of the page, it is very helpful for solving the page use-after-free or double-free issue. When KASAN_DUMP_PAGE is enabled then KASAN's report will show the last alloc and free stack of the page, it should be: BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0x70/0x80 Write of size 1 at addr ffffffc0d60e4000 by task cat/115 ... prep_new_page+0x1c8/0x218 get_page_from_freelist+0x1ba0/0x28d0 __alloc_pages_nodemask+0x1d4/0x1978 kmalloc_order+0x28/0x58 kmalloc_order_trace+0x28/0xe0 kmalloc_pagealloc_uaf+0x2c/0x80 page last free stack trace: __free_pages_ok+0x116c/0x1630 __free_pages+0x50/0x78 kfree+0x1c4/0x250 kmalloc_pagealloc_uaf+0x38/0x80 Changes since v1: - slim page_owner and move it into kasan - enable the feature by default Changes since v2: - enable PAGE_OWNER by default - use DEBUG_PAGEALLOC to get page information Changes since v3: - correct typo cc: Andrey Ryabinin cc: Vlastimil Babka cc: Andrey Konovalov Signed-off-by: Walter Wu --- lib/Kconfig.kasan | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 4fafba1a923b..a3683e952b10 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -41,6 +41,7 @@ config KASAN_GENERIC select SLUB_DEBUG if SLUB select CONSTRUCTORS select STACKDEPOT + select PAGE_OWNER help Enables generic KASAN mode. Supported in both GCC and Clang. With GCC it requires version 4.9.2 @@ -63,6 +64,7 @@ config KASAN_SW_TAGS select SLUB_DEBUG if SLUB select CONSTRUCTORS select STACKDEPOT + select PAGE_OWNER help Enables software tag-based KASAN mode. This mode requires Top Byte Ignore support by the CPU and therefore @@ -135,6 +137,19 @@ config KASAN_S390_4_LEVEL_PAGING to 3TB of RAM with KASan enabled). This options allows to force 4-level paging instead. +config KASAN_DUMP_PAGE + bool "Dump the last allocation and freeing stack of the page" + depends on KASAN + select DEBUG_PAGEALLOC + help + By default, KASAN enable PAGE_OWNER only to record alloc stack + for page allocator. It is difficult to fix up page use-after-free + or double-free issue. + The feature depends on DEBUG_PAGEALLOC, it will extra record + free stack of the page. It is very helpful for solving the page + use-after-free or double-free issue. + The feature will have a small memory overhead. + config TEST_KASAN tristate "Module for testing KASAN for bug detection" depends on m && KASAN