From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751576AbbLHSFg (ORCPT ); Tue, 8 Dec 2015 13:05:36 -0500
Received: from mail-pf0-f177.google.com ([209.85.192.177]:33382 "EHLO mail-pf0-f177.google.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1750819AbbLHSFf (ORCPT ); Tue, 8 Dec 2015 13:05:35 -0500
Date: Tue, 8 Dec 2015 10:05:30 -0800
From: Alexei Starovoitov
To: Dmitry Vyukov
Cc: syzkaller, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, LKML, Kostya Serebryany, Alexander Potapenko, Eric Dumazet, Sasha Levin
Subject: Re: use-after-free in __perf_install_in_context
Message-ID: <20151208180528.GA77166@ast-mbp.thefacebook.com>
References: <20151207153630.GB6356@twins.programming.kicks-ass.net>
	<20151208032405.GA47397@ast-mbp.thefacebook.com>
	<20151208175433.GA75053@ast-mbp.thefacebook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 08, 2015 at 06:56:23PM +0100, Dmitry Vyukov wrote:
> On Tue, Dec 8, 2015 at 6:54 PM, Alexei Starovoitov wrote:
> > On Tue, Dec 08, 2015 at 05:12:04PM +0100, Dmitry Vyukov wrote:
> >> On Tue, Dec 8, 2015 at 4:24 AM, Alexei Starovoitov wrote:
> >> > On Mon, Dec 07, 2015 at 05:09:21PM +0100, Dmitry Vyukov wrote:
> >> >> > So it would be _awesome_ if we could somehow extend this callchain to
> >> >> > include the site that calls call_rcu().
> >> >>
> >> >> We have a patch for KASAN in the works that adds a so-called stack depot
> >> >> which allows mapping a stack trace onto a uint32 id. Then we can plumb
> >> >
> >> > I was hacking something similar to categorize stack traces with a u32 id.
> >> > How are you planning to limit the number of such stack traces?
> >> > And what is the interface for user space to get a stack trace from an id?
> >>
> >> We don't limit the number of stack traces. The kernel does not seem to use
> >> data-driven recursion extensively, so there is a limited number of
> >> stacks. Though we will probably need to strip the non-interrupt part from
> >> interrupt stacks, otherwise that can produce an unbounded number of
> >> different stacks.
> >> There is no interface for user space; it is used only inside the kernel
> >> to save stacks for memory blocks (rcu callbacks, thread pool items in
> >> the future).
> >> The design is based on what we have successfully and extensively used in
> >> user-space sanitizers for years. Current code is here:
> >> https://github.com/ramosian-glider/kasan/commit/fb0eefd212366401ed5ad244233ef379a27bfb46
> >
> > Why did you pick the approach of never freeing accumulated stacks?
> > That limits usability a lot, since once kasan starts using it only a
> > reboot will free the memory. Ouch.
> > What worked for user space doesn't work for the kernel.
>
> Freeing and reusing will slow down and complicate the code significantly.
> And it is not yet proved to be necessary.

It's a joke, right? Allocating kernel pages without the ability to free?!
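The stack depot discussed in the quoted messages (a map from a stack trace to a u32 id, deduplicating identical traces, with nothing ever freed, plus the idea of stripping the interrupted task's frames from an interrupt stack so those traces stay bounded) can be sketched in a few dozen lines. The block below is an added example written for this thread; it is not the KASAN patch linked above nor any kernel code. The FNV-1a hash, the fixed frame limit, the hypothetical depot_strip_below() helper and the constructed sample traces are all assumptions made for the illustration.

```c
/* Added example: a minimal "stack depot" mapping a stack trace to a u32
 * handle, deduplicating identical traces. Constructed for illustration;
 * not the KASAN patch from the thread and not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEPOT_MAX_FRAMES 16      /* assumed per-trace frame limit */
#define DEPOT_BUCKETS    1024    /* power of two, so the mask below works */

struct depot_record {
	struct depot_record *next;   /* hash-chain link */
	uint32_t id;                 /* handle handed out, 1-based; 0 means "none" */
	uint32_t hash;
	unsigned int nr_frames;
	uintptr_t frames[DEPOT_MAX_FRAMES];
};

static struct depot_record *depot_buckets[DEPOT_BUCKETS];
static struct depot_record **depot_by_id;  /* id - 1 -> record; grows, never shrinks */
static uint32_t depot_count, depot_capacity;

/* FNV-1a over the raw frame addresses (an assumed hash, not the kernel's). */
static uint32_t depot_hash(const uintptr_t *frames, unsigned int n)
{
	const unsigned char *p = (const unsigned char *)frames;
	size_t len = (size_t)n * sizeof(*frames);
	uint32_t h = 2166136261u;
	for (size_t i = 0; i < len; i++) {
		h ^= p[i];
		h *= 16777619u;
	}
	return h;
}

/* Save a trace; identical traces get the same handle. Returns 0 on failure.
 * As in the design under discussion, records are never freed. */
uint32_t depot_save(const uintptr_t *frames, unsigned int n)
{
	if (n == 0 || n > DEPOT_MAX_FRAMES)
		return 0;
	uint32_t h = depot_hash(frames, n);
	struct depot_record **bucket = &depot_buckets[h & (DEPOT_BUCKETS - 1)];
	for (struct depot_record *r = *bucket; r; r = r->next)
		if (r->hash == h && r->nr_frames == n &&
		    memcmp(r->frames, frames, n * sizeof(*frames)) == 0)
			return r->id;        /* seen before: reuse its id */

	if (depot_count == depot_capacity) { /* grow the id -> record table */
		uint32_t cap = depot_capacity ? depot_capacity * 2 : 64;
		struct depot_record **tbl = realloc(depot_by_id, cap * sizeof(*tbl));
		if (!tbl)
			return 0;
		depot_by_id = tbl;
		depot_capacity = cap;
	}
	struct depot_record *r = calloc(1, sizeof(*r));
	if (!r)
		return 0;
	r->hash = h;
	r->nr_frames = n;
	memcpy(r->frames, frames, n * sizeof(*frames));
	r->id = depot_count + 1;
	depot_by_id[depot_count++] = r;
	r->next = *bucket;
	*bucket = r;
	return r->id;
}

/* Look a handle back up: returns the frames (and their count), or NULL. */
const uintptr_t *depot_fetch(uint32_t id, unsigned int *nr_frames)
{
	if (id == 0 || id > depot_count)
		return NULL;
	if (nr_frames)
		*nr_frames = depot_by_id[id - 1]->nr_frames;
	return depot_by_id[id - 1]->frames;
}

/* Distinct traces stored so far: the number to watch, since nothing is freed. */
uint32_t depot_nr_stacks(void)
{
	return depot_count;
}

/* Hypothetical helper: keep only the frames up to and including the interrupt
 * entry point, so an interrupt's trace does not vary with the task it
 * happened to interrupt (the "strip the non-interrupt part" idea). */
unsigned int depot_strip_below(const uintptr_t *frames, unsigned int n, uintptr_t irq_entry)
{
	for (unsigned int i = 0; i < n; i++)
		if (frames[i] == irq_entry)
			return i + 1;
	return n;
}

int main(void)
{
	/* constructed sample traces, innermost frame first */
	uintptr_t a[] = { 0x1000, 0x2000, 0x3000 };
	uintptr_t b[] = { 0x1000, 0x2000, 0x4000 };
	uint32_t ia = depot_save(a, 3), ib = depot_save(b, 3);
	printf("a -> %u, b -> %u, a again -> %u, stored %u\n",
	       ia, ib, depot_save(a, 3), depot_nr_stacks());
	return 0;
}
```

The depot_nr_stacks() counter is the figure that decides the argument in the thread: if it keeps climbing under a given workload, the "never free" design is leaking memory in practice; if it plateaus, the bounded-set assumption holds. The trimming helper shows why interrupt stacks matter for that plateau: without it, every distinct interrupted task produces a new record.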