From patchwork Tue Jun 23 07:26:54 2020
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 11619915
Date: Tue, 23 Jun 2020 09:26:54 +0200
Message-Id: <20200623072653.114563-1-elver@google.com>
Subject: [PATCH v2] mm, kcsan: Instrument SLAB/SLUB free with "ASSERT_EXCLUSIVE_ACCESS"
From: Marco Elver
To: elver@google.com, akpm@linux-foundation.org
Cc: paulmck@kernel.org, dvyukov@google.com, glider@google.com, andreyknvl@google.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, linux-mm@kvack.org

Provide the necessary KCSAN checks to assist with debugging racy use-after-frees. While KASAN is more reliable at generally catching such use-after-frees (due to its use of a quarantine), it can be difficult to debug racy use-after-frees. If a reliable reproducer exists, KCSAN can assist in debugging such issues.

Note: ASSERT_EXCLUSIVE_ACCESS is a convenience wrapper if the size is simply sizeof(var). Instead, here we just use __kcsan_check_access() explicitly to pass the correct size.

Signed-off-by: Marco Elver
---
v2:
* SLAB_TYPESAFE_BY_RCU allows racy use after free within RCU grace period. If slab is SLAB_TYPESAFE_BY_RCU do not check access.
---
 mm/slab.c | 5 +++++
 mm/slub.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/mm/slab.c b/mm/slab.c index 9350062ffc1a..cba71d88e89c 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -3426,6 +3426,11 @@ static __always_inline void __cache_free(struct kmem_cache *cachep, void *objp, if (kasan_slab_free(cachep, objp, _RET_IP_)) return; + /* Use KCSAN to help debug racy use-after-free. */ + if (!(cachep->flags & SLAB_TYPESAFE_BY_RCU)) + __kcsan_check_access(objp, cachep->object_size, + KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT); + ___cache_free(cachep, objp, caller); } diff --git a/mm/slub.c b/mm/slub.c index b8f798b50d44..4a9d43fda669 100644 --- a/mm/slub.c +++ b/mm/slub.c
@@ -1470,6 +1470,11 @@ static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x) if (!(s->flags & SLAB_DEBUG_OBJECTS)) debug_check_no_obj_freed(x, s->object_size); + /* Use KCSAN to help debug racy use-after-free. */ + if (!(s->flags & SLAB_TYPESAFE_BY_RCU)) + __kcsan_check_access(x, s->object_size, + KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT); + /* KASAN might put x into memory quarantine, delaying its reuse */ return kasan_slab_free(s, x, _RET_IP_); }
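Review bot: in the mm/slab.c hunk the new comment in __cache_free says only "Use KCSAN to help debug racy use-after-free." and does not say why SLAB_TYPESAFE_BY_RCU caches are skipped; the reason is given in the v2 changelog below the `---` marker, which is dropped when the patch is applied, so it will not survive into the tree. Suggest folding it into the comment, e.g. `/* Use KCSAN to help debug racy use-after-free. SLAB_TYPESAFE_BY_RCU caches are skipped: accesses within the RCU grace period after free are legitimate. */`, or moving that sentence into the commit message proper.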
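Review bot: in the mm/slub.c hunk the check sits on the opposite side of the KASAN hook from the mm/slab.c hunk: in slab_free_hook it runs before `return kasan_slab_free(s, x, _RET_IP_);`, whereas in __cache_free it runs after `if (kasan_slab_free(cachep, objp, _RET_IP_)) return;`, so the SLAB variant is skipped whenever KASAN takes the object. If the two sanitizers can never be built together this is moot, but the placement should then match in both allocators, or the comment should say why the order differs.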
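The commit message's point about sizes (object_size rather than a sizeof()-based wrapper) and the v2 exemption for SLAB_TYPESAFE_BY_RCU, worked through as an added userspace model. This is not KCSAN and not the patch's code; every identifier prefixed model_, the watch structure and the 64-byte object are constructed for the illustration.

```c
/* Constructed userspace model of the check the patch adds on the free path. Not
 * KCSAN itself (real KCSAN arms a soft watchpoint, delays, and reports via the
 * kernel); here the assertion is recorded and a later access tested for overlap. */
#include <stddef.h>
#include <stdint.h>
#define MODEL_TYPESAFE_BY_RCU 0x1u	/* stands in for SLAB_TYPESAFE_BY_RCU */
struct model_cache { unsigned flags; size_t object_size; };
/* The one outstanding exclusive-access assertion: the freed object's range. */
static struct { uintptr_t start, end; int armed; } watch;
/* Model of __kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT):
 * claim [ptr, ptr + size); any overlapping access from another context is a race. */
static void model_assert_exclusive(const void *ptr, size_t size)
{
	watch.start = (uintptr_t)ptr;
	watch.end = watch.start + size;
	watch.armed = 1;
}

/* Free hook shaped like the patch: typesafe-by-RCU caches are exempt (access within
 * the grace period is legitimate); all others get the whole object asserted. */
static void model_slab_free_hook(const struct model_cache *s, void *x)
{
	watch.armed = 0;
	if (!(s->flags & MODEL_TYPESAFE_BY_RCU))
		model_assert_exclusive(x, s->object_size);
}

/* An access from another context: 1 if it would be reported as a race. */
static int model_concurrent_access(const void *ptr, size_t size)
{
	uintptr_t a = (uintptr_t)ptr, b = a + size;
	return watch.armed && a < watch.end && b > watch.start;
}
static unsigned char model_obj[64];	/* constructed stand-in for a slab object */
static const struct model_cache model_plain = { 0, sizeof(model_obj) };
static const struct model_cache model_rcu = { MODEL_TYPESAFE_BY_RCU, sizeof(model_obj) };

/* Free model_obj through the hook, then another context touches [off, off + len). */
static int model_race_after_free(const struct model_cache *s, size_t off, size_t len)
{
	model_slab_free_hook(s, model_obj);
	return model_concurrent_access(model_obj + off, len);
}

/* Assert only sizeof(pointer) bytes, as a sizeof()-based wrapper on the pointer would. */
static int model_race_after_free_sizeof_ptr(size_t off, size_t len)
{
	model_assert_exclusive(model_obj, sizeof(void *));
	return model_concurrent_access(model_obj + off, len);
}
```

With the pointer-sized assertion, a touch at offset 40 of the freed object goes unreported; with object_size it is caught, and the RCU-typesafe cache reports nothing at all.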