From: Dmitry Vyukov
Date: Tue, 16 Mar 2021 07:34:39 +0100
Subject: Re: [PATCH v2] task_work: kasan: record task_work_add() call stack
To: Walter Wu
Cc: Andrey Ryabinin, Alexander Potapenko, Matthias Brugger, Andrey Konovalov, Andrew Morton, Jens Axboe, Oleg Nesterov, kasan-dev, Linux-MM, LKML, Linux ARM, wsd_upstream, linux-mediatek@lists.infradead.org
References: <20210316024410.19967-1-walter-zh.wu@mediatek.com>
In-Reply-To: <20210316024410.19967-1-walter-zh.wu@mediatek.com>
Content-Type: text/plain; charset="UTF-8"

On Tue, Mar 16, 2021 at 3:44 AM Walter Wu wrote:
>
> Why record task_work_add() call stack?
> Syzbot reports many use-after-free issues for task_work, see [1].
> After seeing the free stack and the current auxiliary stack, we think
> they are useless: we don't know where the work is registered, and this
> work may be the free call stack, so that we miss the root cause and
> don't solve the use-after-free.
>
> Add task_work_add() call stack into KASAN auxiliary stack in
> order to improve KASAN report. It is useful for programmers
> to solve use-after-free issues.
>
> [1]: https://groups.google.com/g/syzkaller-bugs/search?q=kasan%20use-after-free%20task_work_run
>
> Signed-off-by: Walter Wu
> Suggested-by: Dmitry Vyukov
> Cc: Andrey Konovalov
> Cc: Andrey Ryabinin
> Cc: Dmitry Vyukov
> Cc: Alexander Potapenko
> Cc: Andrew Morton
> Cc: Matthias Brugger
> Cc: Jens Axboe
> Cc: Oleg Nesterov
> ---
>
> v2: Fix kasan_record_aux_stack() calling sequence issue.
> Thanks for Dmitry's suggestion

Reviewed-by: Dmitry Vyukov

> ---
> kernel/task_work.c | 3 +++
> mm/kasan/kasan.h | 2 +-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/task_work.c b/kernel/task_work.c
> index 9cde961875c0..3d4852891fa8 100644
> --- a/kernel/task_work.c
> +++ b/kernel/task_work.c
> @@ -34,6 +34,9 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
> {
> struct callback_head *head;
>
> + /* record the work call stack in order to print it in KASAN reports */
> + kasan_record_aux_stack(work);
> +
> do {
> head = READ_ONCE(task->task_works);
> if (unlikely(head == &work_exited))
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index 3436c6bf7c0c..e4629a971a3c 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -146,7 +146,7 @@ struct kasan_alloc_meta {
> struct kasan_track alloc_track;
> #ifdef CONFIG_KASAN_GENERIC
> /*
> - * call_rcu() call stack is stored into struct kasan_alloc_meta.
> + * The auxiliary stack is stored into struct kasan_alloc_meta.
> * The free stack is stored into struct kasan_free_meta.
> */
> depot_stack_handle_t aux_stack[2];
> --
> 2.18.0
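Review bot: in the kernel/task_work.c hunk the comment on the new `kasan_record_aux_stack(work);` call should state why it sits before the `do { head = READ_ONCE(task->task_works); ... }` loop rather than after it: once the work is linked onto task->task_works it can run and be freed by the owning task, so touching `work` after the loop would itself risk the use-after-free this patch is meant to diagnose. The v2 changelog calls this a "calling sequence issue", but nothing in the code records the constraint, so a later refactor could move the call. Suggest e.g. `/* Record the caller's stack before the work is queued; once queued it may run and be freed. */`. Two smaller points: the stack is recorded even when the add then fails on `head == &work_exited` (harmless, just wasted stackdepot work), and kasan_record_aux_stack() only attaches a stack to slab-allocated objects, so a callback_head embedded in stack or static storage gains nothing from this change; the changelog could say so.

Review bot: in the mm/kasan/kasan.h hunk the reworded comment loses information instead of adding it: "The auxiliary stack is stored into struct kasan_alloc_meta" no longer says who records it, whereas the old text named call_rcu(), and the array it describes, `depot_stack_handle_t aux_stack[2];`, holds only two handles, so with both call_rcu() and task_work_add() recording, only the most recent records survive. Suggest naming the callers and the limit, e.g. `/* Auxiliary stacks recorded via kasan_record_aux_stack(), currently from call_rcu() and task_work_add(); only two are kept. */`. Since the field is under `#ifdef CONFIG_KASAN_GENERIC`, the new task_work_add() stack is also only reported with generic KASAN, which is worth a line in the changelog.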