From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 42915C4361B for ; Tue, 15 Dec 2020 03:09:21 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id CCAB1224D4 for ; Tue, 15 Dec 2020 03:09:20 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CCAB1224D4 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 67D228D0021; Mon, 14 Dec 2020 22:09:20 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 62D508D001C; Mon, 14 Dec 2020 22:09:20 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 51D4E8D0021; Mon, 14 Dec 2020 22:09:20 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0080.hostedemail.com [216.40.44.80]) by kanga.kvack.org (Postfix) with ESMTP id 3580A8D001C for ; Mon, 14 Dec 2020 22:09:20 -0500 (EST) Received: from smtpin12.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 043E4181AEF30 for ; Tue, 15 Dec 2020 03:09:20 +0000 (UTC) X-FDA: 77594035680.12.jeans60_2d0ea7e27420 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin12.hostedemail.com (Postfix) with ESMTP id DA209180192D6 for ; Tue, 15 Dec 2020 03:09:19 +0000 (UTC) X-HE-Tag: jeans60_2d0ea7e27420 X-Filterd-Recvd-Size: 3833 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf49.hostedemail.com (Postfix) with ESMTP for ; Tue, 15 Dec 2020 03:09:19 +0000 (UTC) Date: Mon, 14 Dec 2020 19:09:17 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1608001758; bh=gG78B3HITWaZnx956nhyA99yuTK3wMmaA3Cqr2AQcRI=; h=From:To:Subject:In-Reply-To:From; b=TPfXTYcnuNyrtJZ9EWK4CN7v8u+x1p9c0DfS0SSM6CUJbjVNCa1bMzHuwwsGNHUXX O3REgplrgMZqwoIK8K8NF/HvRXXGWCm9AThTl98V/tw9YbklXYEvPOYiqjeHgixNKp Q+VsfN4yMgIa7L0y/8BF3ThbVXsOVGI0zKzW1KXw= From: Andrew Morton To: akpm@linux-foundation.org, andreyknvl@google.com, aryabinin@virtuozzo.com, corbet@lwn.net, dvyukov@google.com, elver@google.com, glider@google.com, jiangshanlai@gmail.com, linux-mm@kvack.org, matthias.bgg@gmail.com, mm-commits@vger.kernel.org, tj@kernel.org, torvalds@linux-foundation.org, walter-zh.wu@mediatek.com Subject: [patch 103/200] lib/test_kasan.c: add workqueue test case Message-ID: <20201215030917.62L-aoc01%akpm@linux-foundation.org> In-Reply-To: <20201214190237.a17b70ae14f129e2dca3d204@linux-foundation.org> User-Agent: s-nail v14.8.16 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: From: Walter Wu Subject: lib/test_kasan.c: add workqueue test case Adds a test to verify workqueue stack recording and print it in KASAN report. The KASAN report was as follows(cleaned up slightly): BUG: KASAN: use-after-free in kasan_workqueue_uaf Freed by task 54: kasan_save_stack+0x24/0x50 kasan_set_track+0x24/0x38 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x170 kasan_slab_free+0x10/0x18 kfree+0x98/0x270 kasan_workqueue_work+0xc/0x18 Last potentially related work creation: kasan_save_stack+0x24/0x50 kasan_record_wq_stack+0xa8/0xb8 insert_work+0x48/0x288 __queue_work+0x3e8/0xc40 queue_work_on+0xf4/0x118 kasan_workqueue_uaf+0xfc/0x190 Link: https://lkml.kernel.org/r/20201203022748.30681-1-walter-zh.wu@mediatek.com Signed-off-by: Walter Wu Acked-by: Marco Elver Reviewed-by: Dmitry Vyukov Reviewed-by: Andrey Konovalov Cc: Andrey Ryabinin Cc: Alexander Potapenko Cc: Matthias Brugger Cc: Jonathan Corbet Cc: Lai Jiangshan Cc: Tejun Heo Signed-off-by: Andrew Morton --- lib/test_kasan_module.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) --- a/lib/test_kasan_module.c~lib-test_kasanc-add-workqueue-test-case +++ a/lib/test_kasan_module.c @@ -91,6 +91,34 @@ static noinline void __init kasan_rcu_ua call_rcu(&global_rcu_ptr->rcu, kasan_rcu_reclaim); } +static noinline void __init kasan_workqueue_work(struct work_struct *work) +{ + kfree(work); +} + +static noinline void __init kasan_workqueue_uaf(void) +{ + struct workqueue_struct *workqueue; + struct work_struct *work; + + workqueue = create_workqueue("kasan_wq_test"); + if (!workqueue) { + pr_err("Allocation failed\n"); + return; + } + work = kmalloc(sizeof(struct work_struct), GFP_KERNEL); + if (!work) { + pr_err("Allocation failed\n"); + return; + } + + INIT_WORK(work, kasan_workqueue_work); + queue_work(workqueue, work); + destroy_workqueue(workqueue); + + pr_info("use-after-free on workqueue\n"); + ((volatile struct work_struct *)work)->data; +} static int __init test_kasan_module_init(void) { @@ -102,6 +130,7 @@ static int __init test_kasan_module_init copy_user_test(); kasan_rcu_uaf(); + kasan_workqueue_uaf(); kasan_restore_multi_shot(multishot); return -EAGAIN; _