From: huangshaobo <huangshaobo6@huawei.com>

when writing out of bounds to the red zone, it can only be detected at
kfree. However, there were many scenarios before kfree that caused this
out-of-bounds write to not be detected. Therefore, it is necessary to
provide a method for actively detecting out-of-bounds writing to the red
zone, so that users can actively detect, and can be detected in the
system reboot or panic.

for example, if the application memory is out of bounds and written to
the red zone in the kfence object, the system suddenly panics, and the
following log can be seen during system reset:
BUG: KFENCE: memory corruption in atomic_notifier_call_chain+0x49/0x70

Corrupted memory at 0x(____ptrval____) [ ! ] (in kfence-#59):
 atomic_notifier_call_chain+0x49/0x70
 panic+0x134/0x278
 sysrq_handle_crash+0x11/0x20
 __handle_sysrq+0x99/0x160
 write_sysrq_trigger+0x26/0x30
 proc_reg_write+0x51/0x70
 vfs_write+0xb6/0x290
 ksys_write+0x9c/0xd0
 __do_fast_syscall_32+0x67/0xe0
 do_fast_syscall_32+0x2f/0x70
 entry_SYSCALL_compat_after_hwframe+0x45/0x4d

kfence-#59: 0x(____ptrval____)-0x(____ptrval____),size=100,cache=kmalloc-128
 allocated by task 77 on cpu 0 at 28.018073s:
 0xffffffffc007703d
 do_one_initcall+0x3c/0x1e0
 do_init_module+0x46/0x1d8
 load_module+0x2397/0x2860
 __do_sys_init_module+0x160/0x190
 __do_fast_syscall_32+0x67/0xe0
 do_fast_syscall_32+0x2f/0x70
 entry_SYSCALL_compat_after_hwframe+0x45/0x4d

Suggested-by: chenzefeng <chenzefeng2@huawei.com>
Signed-off-by: huangshaobo <huangshaobo6@huawei.com>
---
 mm/kfence/core.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/mm/kfence/core.c b/mm/kfence/core.c
index 9b2b5f56f4ae..85cc3ca4b71c 100644
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -29,6 +29,9 @@
 #include <linux/slab.h>
 #include <linux/spinlock.h>
 #include <linux/string.h>
+#include <linux/notifier.h>
+#include <linux/reboot.h>
+#include <linux/panic_notifier.h>

 #include <asm/kfence.h>

@@ -716,6 +719,29 @@ static const struct file_operations objects_fops = {
        .release = seq_release,
 };

+static void kfence_check_all_canary(void)
+{
+       int i;
+
+       for (i = 0; i < CONFIG_KFENCE_NUM_OBJECTS; i++) {
+               struct kfence_metadata *meta = &kfence_metadata[i];
+
+               if (meta->state == KFENCE_OBJECT_ALLOCATED)
+                       for_each_canary(meta, check_canary_byte);
+       }
+}
+
+static int kfence_check_canary_callback(struct notifier_block *nb,
+                                       unsigned long reason, void *arg)
+{
+       kfence_check_all_canary();
+       return NOTIFY_OK;
+}
+
+static struct notifier_block kfence_check_canary_notifier = {
+       .notifier_call = kfence_check_canary_callback,
+};
+
 static int __init kfence_debugfs_init(void)
 {
        struct dentry *kfence_dir = debugfs_create_dir("kfence", NULL);
@@ -806,6 +832,8 @@ static void kfence_init_enable(void)

        WRITE_ONCE(kfence_enabled, true);
        queue_delayed_work(system_unbound_wq, &kfence_timer, 0);
+       register_reboot_notifier(&kfence_check_canary_notifier);
+       atomic_notifier_chain_register(&panic_notifier_list, &kfence_check_canary_notifier);

        pr_info("initialized - using %lu bytes for %d objects at 0x%p-0x%p\n", KFENCE_POOL_SIZE,
                CONFIG_KFENCE_NUM_OBJECTS, (void *)__kfence_pool,
--
2.12.3