Date: Tue, 8 Dec 2015 09:54:35 -0800
From: Alexei Starovoitov
To: Dmitry Vyukov
Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Eric Dumazet, Sasha Levin
Subject: Re: use-after-free in __perf_install_in_context
Message-ID: <20151208175433.GA75053@ast-mbp.thefacebook.com>
References: <20151207153630.GB6356@twins.programming.kicks-ass.net> <20151208032405.GA47397@ast-mbp.thefacebook.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 08, 2015 at 05:12:04PM +0100, Dmitry Vyukov wrote:
> On Tue, Dec 8, 2015 at 4:24 AM, Alexei Starovoitov wrote:
> > On Mon, Dec 07, 2015 at 05:09:21PM +0100, Dmitry Vyukov wrote:
> >> > So it would be _awesome_ if we could somehow extend this callchain to
> >> > include the site that calls call_rcu().
> >>
> >> We have a patch for KASAN in the works that adds a so-called stack depot,
> >> which allows mapping a stack trace onto a uint32 id. Then we can plumb
> >
> > I was hacking something similar to categorize stack traces with a u32 id.
> > How are you planning to limit the number of such stack traces?
> > And what is the interface for user space to get a stack trace from an id?
>
> We don't limit the number of stack traces. The kernel does not seem to use
> data-driven recursion extensively, so there is a limited number of
> stacks. Though, probably we will need to strip the non-interrupt part of
> interrupt stacks, otherwise that can produce an unbounded number of
> different stacks.
> There is no interface for user space; it is used only inside the kernel
> to save stacks for memory blocks (rcu callbacks, thread pool items in
> the future).
> The design is based on what we have successfully and extensively used in
> user-space sanitizers for years. Current code is here:
> https://github.com/ramosian-glider/kasan/commit/fb0eefd212366401ed5ad244233ef379a27bfb46

Why did you pick the approach of never freeing accumulated stacks?
That limits usability a lot, since once KASAN starts using it, only a reboot
will free the memory. Ouch. What worked for user space doesn't work for the kernel.
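The following is an added user-space C model of the stack-depot design argued about above (intern a stack trace once, refer to it by a u32 handle, never free); it is illustrative code written for this page, not the KASAN commit linked above, the kernel's own implementation, or code by either participant. Assumptions: an FNV-1a hash over the raw frame addresses, a fixed static record pool with chained hash buckets, traces stored innermost-frame-first, and a hypothetical `irq_entry_pc` marker frame used to strip the interrupted task's frames, which is the "strip the non-interrupt part" step Dmitry mentions. The `depot_count()` value only ever grows, which is the memory concern Alexei raises.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes are arbitrary (assumption). Records are never freed: memory
 * grows only with the number of distinct traces ever saved. */
#define DEPOT_MAX_DEPTH   16
#define DEPOT_BUCKETS     1024
#define DEPOT_MAX_RECORDS 4096

typedef uint32_t depot_handle_t;          /* 0 means "no trace stored" */

struct depot_record {
    uint32_t  hash;
    uint32_t  next;                       /* next record in bucket chain, 0 = end */
    uint32_t  depth;
    uintptr_t frames[DEPOT_MAX_DEPTH];    /* innermost frame first */
};

static struct depot_record depot_pool[DEPOT_MAX_RECORDS];
static uint32_t depot_buckets[DEPOT_BUCKETS];
static uint32_t depot_used = 1;           /* slot 0 reserved for the invalid handle */

void depot_reset(void)
{
    memset(depot_buckets, 0, sizeof(depot_buckets));
    depot_used = 1;
}

/* FNV-1a over the frame bytes; stands in for a real hash (assumption). */
static uint32_t depot_hash(const uintptr_t *frames, size_t depth)
{
    const unsigned char *p = (const unsigned char *)frames;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < depth * sizeof(uintptr_t); i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Intern a trace: an identical trace returns the existing handle and
 * costs no memory; a new one appends a record. Returns 0 for an unusable
 * trace or an exhausted pool (the caller then has no trace to report). */
depot_handle_t depot_save(const uintptr_t *frames, size_t depth)
{
    if (depth == 0 || depth > DEPOT_MAX_DEPTH)
        return 0;
    uint32_t h = depot_hash(frames, depth);
    uint32_t b = h % DEPOT_BUCKETS;
    for (uint32_t i = depot_buckets[b]; i != 0; i = depot_pool[i].next) {
        struct depot_record *r = &depot_pool[i];
        if (r->hash == h && r->depth == depth &&
            memcmp(r->frames, frames, depth * sizeof(uintptr_t)) == 0)
            return i;
    }
    if (depot_used >= DEPOT_MAX_RECORDS)
        return 0;
    uint32_t i = depot_used++;
    struct depot_record *r = &depot_pool[i];
    r->hash  = h;
    r->depth = (uint32_t)depth;
    memcpy(r->frames, frames, depth * sizeof(uintptr_t));
    r->next = depot_buckets[b];
    depot_buckets[b] = i;
    return i;
}

/* Resolve a handle again, e.g. when printing a use-after-free report. */
size_t depot_fetch(depot_handle_t id, const uintptr_t **frames)
{
    if (id == 0 || id >= depot_used) {
        *frames = NULL;
        return 0;
    }
    *frames = depot_pool[id].frames;
    return depot_pool[id].depth;
}

/* Distinct traces stored so far; this number never goes down. */
size_t depot_count(void)
{
    return depot_used - 1;
}

/* For a trace taken inside an interrupt handler, keep only the frames up
 * to and including the interrupt entry (irq_entry_pc is a hypothetical
 * marker address). Otherwise the same handler interrupting different
 * task code produces an unbounded number of distinct traces. */
size_t depot_trim_to_irq(const uintptr_t *frames, size_t depth,
                         uintptr_t irq_entry_pc)
{
    for (size_t i = 0; i < depth; i++)
        if (frames[i] == irq_entry_pc)
            return i + 1;
    return depth;                         /* not an interrupt stack */
}

int main(void)
{
    /* Constructed sample traces with made-up addresses. */
    uintptr_t alloc_site[] = { 0x1100, 0x2200, 0x3300 };
    uintptr_t irq_a[] = { 0x4000, 0x4010, 0xdead0000, 0x5000, 0x5100 };
    uintptr_t irq_b[] = { 0x4000, 0x4010, 0xdead0000, 0x6000, 0x6100 };

    depot_handle_t h1 = depot_save(alloc_site, 3);
    depot_handle_t h2 = depot_save(alloc_site, 3);
    printf("same trace twice -> handles %u %u, records %zu\n", h1, h2, depot_count());

    depot_handle_t u1 = depot_save(irq_a, 5), u2 = depot_save(irq_b, 5);
    size_t ta = depot_trim_to_irq(irq_a, 5, 0xdead0000);
    size_t tb = depot_trim_to_irq(irq_b, 5, 0xdead0000);
    depot_handle_t t1 = depot_save(irq_a, ta), t2 = depot_save(irq_b, tb);
    printf("untrimmed %u %u, trimmed %u %u, records %zu\n", u1, u2, t1, t2, depot_count());
    return 0;
}
```

The pool-exhaustion path returns handle 0 rather than evicting anything, because a handle may still be referenced by a live allocation's metadata; that is exactly why a depot that never frees can only be reclaimed by reboot in this design, and why the trimming step matters for bounding growth.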