From: Marco Elver <elver@google.com>
To: andrey.konovalov@linux.dev
Cc: Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
kasan-dev@googlegroups.com, Peter Collingbourne <pcc@google.com>,
Evgenii Stepanov <eugenis@google.com>,
Florian Mayer <fmayer@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Andrey Konovalov <andreyknvl@google.com>
Subject: Re: [PATCH mm v2 30/33] kasan: implement stack ring for tag-based modes
Date: Tue, 19 Jul 2022 13:41:04 +0200 [thread overview]
Message-ID: <CANpmjNMrwXxU0YCwvHo59RFDkoxA-MtdrRCSPoRW+KYG2ez-NQ@mail.gmail.com> (raw)
In-Reply-To: <0e910197bfbcf505122f6dae2ee9b90ff8ee31f7.1658189199.git.andreyknvl@google.com>
On Tue, 19 Jul 2022 at 02:15, <andrey.konovalov@linux.dev> wrote:
>
> From: Andrey Konovalov <andreyknvl@google.com>
>
> Implement storing stack depot handles for alloc/free stack traces for
> slab objects for the tag-based KASAN modes in a ring buffer.
>
> This ring buffer is referred to as the stack ring.
>
> On each alloc/free of a slab object, the tagged address of the object and
> the current stack trace are recorded in the stack ring.
>
> On each bug report, if the accessed address belongs to a slab object, the
> stack ring is scanned for matching entries. The newest entries are used to
> print the alloc/free stack traces in the report: one entry for alloc and
> one for free.
>
> The number of entries in the stack ring is fixed in this patch, but one of
> the following patches adds a command-line argument to control it.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
>
> ---
>
> Changes v1->v2:
> - Only use the atomic type for pos, use READ/WRITE_ONCE() for the rest.
> - Rename KASAN_STACK_RING_ENTRIES to KASAN_STACK_RING_SIZE.
> - Rename object local variable in kasan_complete_mode_report_info() to
> ptr to match the name in kasan_stack_ring_entry.
> - Detect stack ring entry slots that are being written to.
> - Use read-write lock to disallow reading half-written stack ring entries.
> - Add a comment about the stack ring being best-effort.
> ---
> mm/kasan/kasan.h | 21 ++++++++++++
> mm/kasan/report_tags.c | 76 ++++++++++++++++++++++++++++++++++++++++++
> mm/kasan/tags.c | 50 +++++++++++++++++++++++++++
> 3 files changed, 147 insertions(+)
>
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index 7df107dc400a..cfff81139d67 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -2,6 +2,7 @@
> #ifndef __MM_KASAN_KASAN_H
> #define __MM_KASAN_KASAN_H
>
> +#include <linux/atomic.h>
> #include <linux/kasan.h>
> #include <linux/kasan-tags.h>
> #include <linux/kfence.h>
> @@ -233,6 +234,26 @@ struct kasan_free_meta {
>
> #endif /* CONFIG_KASAN_GENERIC */
>
> +#if defined(CONFIG_KASAN_SW_TAGS) || defined(CONFIG_KASAN_HW_TAGS)
> +
> +struct kasan_stack_ring_entry {
> + void *ptr;
> + size_t size;
> + u32 pid;
> + depot_stack_handle_t stack;
> + bool is_free;
> +};
> +
> +#define KASAN_STACK_RING_SIZE (32 << 10)
> +
> +struct kasan_stack_ring {
> + rwlock_t lock;
> + atomic64_t pos;
> + struct kasan_stack_ring_entry entries[KASAN_STACK_RING_SIZE];
> +};
> +
> +#endif /* CONFIG_KASAN_SW_TAGS || CONFIG_KASAN_HW_TAGS */
> +
> #if IS_ENABLED(CONFIG_KASAN_KUNIT_TEST)
> /* Used in KUnit-compatible KASAN tests. */
> struct kunit_kasan_status {
> diff --git a/mm/kasan/report_tags.c b/mm/kasan/report_tags.c
> index 5cbac2cdb177..a996489e6dac 100644
> --- a/mm/kasan/report_tags.c
> +++ b/mm/kasan/report_tags.c
> @@ -4,8 +4,12 @@
> * Copyright (c) 2020 Google, Inc.
> */
>
> +#include <linux/atomic.h>
> +
> #include "kasan.h"
>
> +extern struct kasan_stack_ring stack_ring;
> +
> static const char *get_bug_type(struct kasan_report_info *info)
> {
> /*
> @@ -24,5 +28,77 @@ static const char *get_bug_type(struct kasan_report_info *info)
>
> void kasan_complete_mode_report_info(struct kasan_report_info *info)
> {
> + unsigned long flags;
> + u64 pos;
> + struct kasan_stack_ring_entry *entry;
> + void *ptr;
> + u32 pid;
> + depot_stack_handle_t stack;
> + bool is_free;
> + bool alloc_found = false, free_found = false;
> +
> info->bug_type = get_bug_type(info);
> +
> + if (!info->cache || !info->object)
> + return;
> + }
> +
> + write_lock_irqsave(&stack_ring.lock, flags);
> +
> + pos = atomic64_read(&stack_ring.pos);
> +
> + /*
> + * The loop below tries to find stack ring entries relevant to the
> + * buggy object. This is a best-effort process.
> + *
> + * First, another object with the same tag can be allocated in place of
> + * the buggy object. Also, since the number of entries is limited, the
> + * entries relevant to the buggy object can be overwritten.
> + */
> +
> + for (u64 i = pos - 1; i != pos - 1 - KASAN_STACK_RING_SIZE; i--) {
> + if (alloc_found && free_found)
> + break;
> +
> + entry = &stack_ring.entries[i % KASAN_STACK_RING_SIZE];
> +
> + /* Paired with smp_store_release() in save_stack_info(). */
> + ptr = (void *)smp_load_acquire(&entry->ptr);
> +
> + if (kasan_reset_tag(ptr) != info->object ||
> + get_tag(ptr) != get_tag(info->access_addr))
> + continue;
> +
> + pid = READ_ONCE(entry->pid);
> + stack = READ_ONCE(entry->stack);
> + is_free = READ_ONCE(entry->is_free);
> +
> + /* Try detecting if the entry was changed while being read. */
> + smp_mb();
> + if (ptr != (void *)READ_ONCE(entry->ptr))
> + continue;
I thought the re-validation is no longer needed because of the rwlock
protection?
The rest looks fine now.
> + if (is_free) {
> + /*
> + * Second free of the same object.
> + * Give up on trying to find the alloc entry.
> + */
> + if (free_found)
> + break;
> +
> + info->free_track.pid = pid;
> + info->free_track.stack = stack;
> + free_found = true;
> + } else {
> + /* Second alloc of the same object. Give up. */
> + if (alloc_found)
> + break;
> +
> + info->alloc_track.pid = pid;
> + info->alloc_track.stack = stack;
> + alloc_found = true;
> + }
> + }
> +
> + write_unlock_irqrestore(&stack_ring.lock, flags);
> }
> diff --git a/mm/kasan/tags.c b/mm/kasan/tags.c
> index 39a0481e5228..07828021c1f5 100644
> --- a/mm/kasan/tags.c
> +++ b/mm/kasan/tags.c
> @@ -6,6 +6,7 @@
> * Copyright (c) 2020 Google, Inc.
> */
>
> +#include <linux/atomic.h>
> #include <linux/init.h>
> #include <linux/kasan.h>
> #include <linux/kernel.h>
> @@ -16,11 +17,60 @@
> #include <linux/types.h>
>
> #include "kasan.h"
> +#include "../slab.h"
> +
> +/* Non-zero, as initial pointer values are 0. */
> +#define STACK_RING_BUSY_PTR ((void *)1)
> +
> +struct kasan_stack_ring stack_ring;
> +
> +static void save_stack_info(struct kmem_cache *cache, void *object,
> + gfp_t gfp_flags, bool is_free)
> +{
> + unsigned long flags;
> + depot_stack_handle_t stack;
> + u64 pos;
> + struct kasan_stack_ring_entry *entry;
> + void *old_ptr;
> +
> + stack = kasan_save_stack(gfp_flags, true);
> +
> + /*
> + * Prevent save_stack_info() from modifying stack ring
> + * when kasan_complete_mode_report_info() is walking it.
> + */
> + read_lock_irqsave(&stack_ring.lock, flags);
> +
> +next:
> + pos = atomic64_fetch_add(1, &stack_ring.pos);
> + entry = &stack_ring.entries[pos % KASAN_STACK_RING_SIZE];
> +
> + /* Detect stack ring entry slots that are being written to. */
> + old_ptr = READ_ONCE(entry->ptr);
> + if (old_ptr == STACK_RING_BUSY_PTR)
> + goto next; /* Busy slot. */
> + if (!try_cmpxchg(&entry->ptr, &old_ptr, STACK_RING_BUSY_PTR))
> + goto next; /* Busy slot. */
> +
> + WRITE_ONCE(entry->size, cache->object_size);
> + WRITE_ONCE(entry->pid, current->pid);
> + WRITE_ONCE(entry->stack, stack);
> + WRITE_ONCE(entry->is_free, is_free);
> +
> + /*
> + * Paired with smp_load_acquire() in kasan_complete_mode_report_info().
> + */
> + smp_store_release(&entry->ptr, (s64)object);
> +
> + read_unlock_irqrestore(&stack_ring.lock, flags);
> +}
>
> void kasan_save_alloc_info(struct kmem_cache *cache, void *object, gfp_t flags)
> {
> + save_stack_info(cache, object, flags, false);
> }
>
> void kasan_save_free_info(struct kmem_cache *cache, void *object)
> {
> + save_stack_info(cache, object, GFP_NOWAIT, true);
> }
> --
> 2.25.1
>
next prev parent reply other threads:[~2022-07-19 11:41 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-19 0:09 [PATCH mm v2 00/33] kasan: switch tag-based modes to stack ring from per-object metadata andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 01/33] kasan: check KASAN_NO_FREE_META in __kasan_metadata_size andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 02/33] kasan: rename kasan_set_*_info to kasan_save_*_info andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 03/33] kasan: move is_kmalloc check out of save_alloc_info andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 04/33] kasan: split save_alloc_info implementations andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 05/33] kasan: drop CONFIG_KASAN_TAGS_IDENTIFY andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 06/33] kasan: introduce kasan_print_aux_stacks andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 07/33] kasan: introduce kasan_get_alloc_track andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 08/33] kasan: introduce kasan_init_object_meta andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 09/33] kasan: clear metadata functions for tag-based modes andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 10/33] kasan: move kasan_get_*_meta to generic.c andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 11/33] kasan: introduce kasan_requires_meta andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 12/33] kasan: introduce kasan_init_cache_meta andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 13/33] kasan: drop CONFIG_KASAN_GENERIC check from kasan_init_cache_meta andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 14/33] kasan: only define kasan_metadata_size for Generic mode andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 15/33] kasan: only define kasan_never_merge " andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 16/33] kasan: only define metadata offsets " andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 17/33] kasan: only define metadata structs " andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 18/33] kasan: only define kasan_cache_create " andrey.konovalov
2022-07-19 0:09 ` [PATCH mm v2 19/33] kasan: pass tagged pointers to kasan_save_alloc/free_info andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 20/33] kasan: move kasan_get_alloc/free_track definitions andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 21/33] kasan: cosmetic changes in report.c andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 22/33] kasan: use virt_addr_valid in kasan_addr_to_page/slab andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 23/33] kasan: use kasan_addr_to_slab in print_address_description andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 24/33] kasan: make kasan_addr_to_page static andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 25/33] kasan: simplify print_report andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 26/33] kasan: introduce complete_report_info andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 27/33] kasan: fill in cache and object in complete_report_info andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 28/33] kasan: rework function arguments in report.c andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 29/33] kasan: introduce kasan_complete_mode_report_info andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 30/33] kasan: implement stack ring for tag-based modes andrey.konovalov
2022-07-19 11:41 ` Marco Elver [this message]
2022-07-21 20:41 ` Andrey Konovalov
2022-08-02 20:45 ` Andrey Konovalov
2022-08-03 20:28 ` Marco Elver
2022-09-05 20:40 ` Andrey Konovalov
2022-07-19 0:10 ` [PATCH mm v2 31/33] kasan: support kasan.stacktrace for SW_TAGS andrey.konovalov
2022-07-19 0:10 ` [PATCH mm v2 32/33] kasan: dynamically allocate stack ring entries andrey.konovalov
2022-08-03 20:09 ` Marco Elver
2022-09-05 20:34 ` Andrey Konovalov
2022-07-19 0:10 ` [PATCH mm v2 33/33] kasan: better identify bug types for tag-based modes andrey.konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANpmjNMrwXxU0YCwvHo59RFDkoxA-MtdrRCSPoRW+KYG2ez-NQ@mail.gmail.com \
--to=elver@google.com \
--cc=akpm@linux-foundation.org \
--cc=andrey.konovalov@linux.dev \
--cc=andreyknvl@gmail.com \
--cc=andreyknvl@google.com \
--cc=dvyukov@google.com \
--cc=eugenis@google.com \
--cc=fmayer@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pcc@google.com \
--cc=ryabinin.a.a@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.