From: Walter Wu
To: Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov, Matthias Brugger, Andrey Konovalov, Andrew Morton, Jens Axboe, Oleg Nesterov
CC: wsd_upstream, Walter Wu
Subject: [PATCH v2] task_work: kasan: record task_work_add() call stack
Date: Tue, 16 Mar 2021 10:44:10 +0800
Message-ID: <20210316024410.19967-1-walter-zh.wu@mediatek.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Why record the task_work_add() call stack?

Syzbot reports many use-after-free issues for task_work, see [1]. After seeing the free stack and the current auxiliary stack, we think they are useless: we don't know where the work was registered, and this work may be the free call stack, so we miss the root cause and don't solve the use-after-free.

Add the task_work_add() call stack into the KASAN auxiliary stack in order to improve the KASAN report. It is useful for programmers to solve use-after-free issues.

[1]: https://groups.google.com/g/syzkaller-bugs/search?q=kasan%20use-after-free%20task_work_run

Signed-off-by: Walter Wu
Suggested-by: Dmitry Vyukov
Cc: Andrey Konovalov
Cc: Andrey Ryabinin
Cc: Dmitry Vyukov
Cc: Alexander Potapenko
Cc: Andrew Morton
Cc: Matthias Brugger
Cc: Jens Axboe
Cc: Oleg Nesterov
---
v2: Fix kasan_record_aux_stack() calling sequence issue. Thanks for Dmitry's suggestion.
---
 kernel/task_work.c | 3 +++
 mm/kasan/kasan.h   | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/task_work.c b/kernel/task_work.c index 9cde961875c0..3d4852891fa8 100644 --- a/kernel/task_work.c +++ b/kernel/task_work.c @@ -34,6 +34,9 @@ int task_work_add(struct task_struct *task, struct callback_head *work, { struct callback_head *head; + /* record the work call stack in order to print it in KASAN reports */ + kasan_record_aux_stack(work); + do { head = READ_ONCE(task->task_works); if (unlikely(head == &work_exited))
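Review bot: the new comment in task_work_add() says "record the work call stack", but kasan_record_aux_stack(work) is given a pointer to the callback_head, so what is actually recorded is the registration stack in the KASAN metadata of whatever allocation contains @work; the comment should say that, e.g. "/* record the caller's stack in the KASAN aux stack of the object containing @work */", since that is what a reader of the resulting report needs to know. Two further points on this hunk: the call is placed before the retry loop and the work_exited check, so a stack is recorded even when the add fails; that is harmless but worth one sentence in the commit message, since the v2 note only says the "calling sequence" was fixed. And no #include is added, while the mm/kasan/kasan.h hunk shows aux_stack[] exists only under CONFIG_KASAN_GENERIC, so please confirm kernel/task_work.c already reaches the kasan_record_aux_stack() declaration and its no-op stub for other configurations through an existing include rather than transitively.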
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index 3436c6bf7c0c..e4629a971a3c 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h 
@@ -146,7 +146,7 @@ struct kasan_alloc_meta { struct kasan_track alloc_track; #ifdef CONFIG_KASAN_GENERIC /* - * call_rcu() call stack is stored into struct kasan_alloc_meta. + * The auxiliary stack is stored into struct kasan_alloc_meta. * The free stack is stored into struct kasan_free_meta. */ depot_stack_handle_t aux_stack[2]; -- 2.18.0
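Review bot: the comment rewrite in struct kasan_alloc_meta drops the only hint of who fills aux_stack[]: the old text named call_rcu(), and this patch adds task_work_add() as a second recorder, so "The auxiliary stack is stored into struct kasan_alloc_meta" tells a reader of a KASAN report nothing about what the aux stack lines mean. Suggest something like "Stacks recorded via kasan_record_aux_stack(), currently from call_rcu() and task_work_add(), are stored into struct kasan_alloc_meta", and, since the array has exactly two slots, a note that a third record necessarily displaces an earlier one, so the printed aux stacks are the most recent registrations, not all of them.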