From: Dmitry Vyukov
Date: Tue, 16 Mar 2021 07:34:39 +0100
Subject: Re: [PATCH v2] task_work: kasan: record task_work_add() call stack
To: Walter Wu
Cc: Andrey Ryabinin, Alexander Potapenko, Matthias Brugger, Andrey Konovalov, Andrew Morton, Jens Axboe, Oleg Nesterov, kasan-dev, Linux-MM, LKML, Linux ARM, wsd_upstream, linux-mediatek@lists.infradead.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 16, 2021 at 3:44 AM Walter Wu wrote:
>
> Why record the task_work_add() call stack?
> Syzbot reports many use-after-free issues for task_work, see [1].
> After seeing the free stack and the current auxiliary stack, we think
> they are useless: we don't know where the work was registered, this work
> may be the free call stack, so that we miss the root cause and
> don't solve the use-after-free.
>
> Add the task_work_add() call stack into the KASAN auxiliary stack in
> order to improve the KASAN report. It is useful for programmers
> to solve use-after-free issues.
>
> [1]: https://groups.google.com/g/syzkaller-bugs/search?q=kasan%20use-after-free%20task_work_run
>
> Signed-off-by: Walter Wu
> Suggested-by: Dmitry Vyukov
> Cc: Andrey Konovalov
> Cc: Andrey Ryabinin
> Cc: Dmitry Vyukov
> Cc: Alexander Potapenko
> Cc: Andrew Morton
> Cc: Matthias Brugger
> Cc: Jens Axboe
> Cc: Oleg Nesterov
> ---
>
> v2: Fix kasan_record_aux_stack() calling sequence issue.
> Thanks for Dmitry's suggestion.

Reviewed-by: Dmitry Vyukov

> ---
> kernel/task_work.c | 3 +++
> mm/kasan/kasan.h | 2 +-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/task_work.c b/kernel/task_work.c
> index 9cde961875c0..3d4852891fa8 100644
> --- a/kernel/task_work.c
> +++ b/kernel/task_work.c
> @@ -34,6 +34,9 @@ int task_work_add(struct task_struct *task, struct callback_head *work, > { > struct callback_head *head; > > + /* record the work call stack in order to print it in KASAN reports */ > + kasan_record_aux_stack(work); > + > do { > head = READ_ONCE(task->task_works); > if (unlikely(head == &work_exited)) > diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h > index 3436c6bf7c0c..e4629a971a3c 100644 > --- a/mm/kasan/kasan.h > +++ b/mm/kasan/kasan.h 
> @@ -146,7 +146,7 @@ struct kasan_alloc_meta { > struct kasan_track alloc_track; > #ifdef CONFIG_KASAN_GENERIC > /* > - * call_rcu() call stack is stored into struct kasan_alloc_meta. > + * The auxiliary stack is stored into struct kasan_alloc_meta. > * The free stack is stored into struct kasan_free_meta. > */ > depot_stack_handle_t aux_stack[2];
> --
> 2.18.0
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20210316024410.19967-1-walter-zh.wu%40mediatek.com.
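Review bot: In the kernel/task_work.c hunk, the ordering of `kasan_record_aux_stack(work);` ahead of the `do { head = READ_ONCE(task->task_works); ... }` loop is the safety-critical detail, and the added comment does not say so. Once the loop has queued the work on the target task's list, that task may run and free it, so reading `work` after the loop would itself be a use-after-free of exactly the kind this patch is meant to diagnose; the v2 changelog ("Fix kasan_record_aux_stack() calling sequence issue") records this, but the code does not. Suggest extending the comment to something like `/* Record the call stack before the work is published; once queued it may run and be freed. */` so a later refactor does not move the call below the loop. Also worth a word in the comment: the stack is recorded even on the `head == &work_exited` path where the work is never queued, which is harmless but means an aux stack can show an add that did not succeed.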
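Review bot: In the mm/kasan/kasan.h hunk, the replacement comment "The auxiliary stack is stored into struct kasan_alloc_meta." is less informative than the line it replaces, which at least named call_rcu() as the source of the recorded stack. Since task_work_add() now records into the same `depot_stack_handle_t aux_stack[2]`, suggest naming the recorders, e.g. `* Call stacks recorded by kasan_record_aux_stack() (call_rcu(), task_work_add()) are stored into struct kasan_alloc_meta.`, and stating what the two slots hold, so that someone reading a report knows whether they are looking at the queueing site of the work that ran or at an earlier, unrelated recording.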