diff mbox series

sched/task_stack: Fix object_is_on_stack() for KASAN tagged pointers

Message ID 20241113042544.19095-1-qun-wei.lin@mediatek.com (mailing list archive)
State New
Series sched/task_stack: Fix object_is_on_stack() for KASAN tagged pointers

Commit Message

Qun-wei Lin (林群崴) Nov. 13, 2024, 4:25 a.m. UTC
When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
object_is_on_stack() function may produce incorrect results due to the
presence of tags in the obj pointer, while the stack pointer does not
have tags. This discrepancy can lead to incorrect stack object detection
and subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also
enabled.

Example of the warning:

ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4
Hardware name: linux,dummy-virt (DT)
pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __debug_object_init+0x330/0x364
lr : __debug_object_init+0x330/0x364
sp : ffff800082ea7b40
x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534
x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0
x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418
x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000
x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e
x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e
x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800
x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001
x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4
x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050
Call trace:
 __debug_object_init+0x330/0x364
 debug_object_init_on_stack+0x30/0x3c
 schedule_hrtimeout_range_clock+0xac/0x26c
 schedule_hrtimeout+0x1c/0x30
 wait_task_inactive+0x1d4/0x25c
 kthread_bind_mask+0x28/0x98
 init_rescuer+0x1e8/0x280
 workqueue_init+0x1a0/0x3cc
 kernel_init_freeable+0x118/0x200
 kernel_init+0x28/0x1f0
 ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------

Signed-off-by: Qun-Wei Lin <qun-wei.lin@mediatek.com>
---
 include/linux/sched/task_stack.h | 2 ++
 1 file changed, 2 insertions(+)
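The tagged-versus-untagged comparison that the commit message describes, as an added userspace model (example code written for this page, not part of the patch or of the kernel). It treats addresses as plain integers and dereferences nothing. Its assumptions: the KASAN_SW_TAGS tag lives in bits 63:56 of the pointer (arm64 top-byte-ignore), 0xff is the top byte of an untagged kernel pointer, and THREAD_SIZE is 32 KiB (arm64 doubles its 16 KiB stack under KASAN). set_tag(), reset_tag(), object_is_on_stack_before()/_after(), reproduce_splat() and tag_reset_keeps_bounds() are names chosen here, not kernel symbols.

```c
/*
 * Added example, not kernel code: a userspace model of the tagged-vs-untagged
 * compare that the commit message describes. Addresses are plain integers,
 * nothing is dereferenced. Assumptions: the tag sits in bits 63:56 (arm64
 * top-byte-ignore, as KASAN_SW_TAGS uses), 0xff is the untagged kernel value,
 * and THREAD_SIZE is 32 KiB (arm64 doubles its 16 KiB stack under KASAN).
 */
#include <stdint.h>
#include <stdio.h>

#define THREAD_SIZE		0x8000ULL	/* assumed, see above */
#define TAG_SHIFT		56
#define TAG_MASK		(0xffULL << TAG_SHIFT)
#define KASAN_TAG_KERNEL	0xffULL		/* top byte of an untagged kernel pointer */

/* What SW_TAGS stack instrumentation does to a stack slot's address. */
static uint64_t set_tag(uint64_t addr, uint8_t tag)
{
	return (addr & ~TAG_MASK) | ((uint64_t)tag << TAG_SHIFT);
}

/* Model of kasan_reset_tag(): put the native 0xff tag back. */
static uint64_t reset_tag(uint64_t addr)
{
	return set_tag(addr, KASAN_TAG_KERNEL);
}

/* object_is_on_stack() before the patch: compares the tagged obj as-is. */
static int object_is_on_stack_before(uint64_t obj, uint64_t stack)
{
	return obj >= stack && obj < stack + THREAD_SIZE;
}

/* object_is_on_stack() after the patch: strip the tag first. */
static int object_is_on_stack_after(uint64_t obj, uint64_t stack)
{
	obj = reset_tag(obj);
	return obj >= stack && obj < stack + THREAD_SIZE;
}

/*
 * Replay the values from the ODEBUG splat quoted above: the hrtimer lives on
 * the stack at ffff800082ea7bb0, but the instrumented code handed out the
 * tagged alias 3eff800082ea7bb0. Returns 1 when only the patched check
 * recognises it as a stack object.
 */
static int reproduce_splat(void)
{
	const uint64_t stack = 0xffff800082ea0000ULL;	/* task_stack_page(current) */
	const uint64_t obj = 0x3eff800082ea7bb0ULL;	/* tag 0x3e, offset 0x7bb0 */
	int before = object_is_on_stack_before(obj, stack);
	int after = object_is_on_stack_after(obj, stack);

	printf("obj %016llx stack %016llx: before=%d after=%d\n",
	       (unsigned long long)obj, (unsigned long long)stack, before, after);
	return after && !before;
}

/*
 * Stripping the tag must not make every tagged pointer look like a stack
 * object: a tagged address at the first byte past the stack end is still
 * rejected. Returns 1 when the patched check still says "not on stack".
 */
static int tag_reset_keeps_bounds(void)
{
	const uint64_t stack = 0xffff800082ea0000ULL;
	const uint64_t just_past_end = set_tag(stack + THREAD_SIZE, 0x3e);

	return !object_is_on_stack_after(just_past_end, stack);
}

int main(void)
{
	printf("splat reproduced: %s\n", reproduce_splat() ? "yes" : "no");
	printf("bounds preserved: %s\n", tag_reset_keeps_bounds() ? "yes" : "no");
	return 0;
}
```

Build with `cc -Wall -o on_stack on_stack.c` and run it. The before/after pair shows why the raw compare fails: with tag 0x3e in the top byte, 0x3eff800082ea7bb0 is numerically far below the stack base 0xffff800082ea0000, so `obj >= stack` is false even though the low 56 bits are inside the stack. Resetting the top byte to 0xff restores the comparison, and the bounds check past the stack end confirms the reset does not turn arbitrary tagged pointers into "on stack" hits.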

Comments

Andrew Morton Nov. 13, 2024, 7:06 a.m. UTC | #1
On Wed, 13 Nov 2024 12:25:43 +0800 Qun-Wei Lin <qun-wei.lin@mediatek.com> wrote:

> When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
> object_is_on_stack() function may produce incorrect results due to the
> presence of tags in the obj pointer, while the stack pointer does not
> have tags. This discrepancy can lead to incorrect stack object detection
> and subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also
> enabled.
> 
> Example of the warning:

Thanks.

Are we able to identify when this started happening?  ie, a suitable
Fixes: target?
Qun-wei Lin (林群崴) Nov. 18, 2024, 3:12 a.m. UTC | #2
On Tue, 2024-11-12 at 23:06 -0800, Andrew Morton wrote:
> On Wed, 13 Nov 2024 12:25:43 +0800 Qun-Wei Lin <qun-wei.lin@mediatek.com> wrote:
> 
> > When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
> > object_is_on_stack() function may produce incorrect results due to
> > the presence of tags in the obj pointer, while the stack pointer does
> > not have tags. This discrepancy can lead to incorrect stack object
> > detection and subsequently trigger warnings if CONFIG_DEBUG_OBJECTS
> > is also enabled.
> > 
> > Example of the warning:
> 
> Thanks.
> 
> Are we able to identify when this started happening?  ie, a suitable
> Fixes: target?
> 

The issue has been present since the introduction of
CONFIG_KASAN_STACK. The stack instrumentation was not accounted for in
the object_is_on_stack() function from the beginning.

Thanks!

Patch

diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h
index bf10bdb487dd..6c2fef89a4fd 100644
--- a/include/linux/sched/task_stack.h
+++ b/include/linux/sched/task_stack.h
@@ -9,6 +9,7 @@ 
 #include <linux/sched.h>
 #include <linux/magic.h>
 #include <linux/refcount.h>
+#include <linux/kasan.h>
 
 #ifdef CONFIG_THREAD_INFO_IN_TASK
 
@@ -89,6 +90,7 @@  static inline int object_is_on_stack(const void *obj)
 {
 	void *stack = task_stack_page(current);
 
+	obj = kasan_reset_tag(obj);
 	return (obj >= stack) && (obj < (stack + THREAD_SIZE));
 }
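Review bot: the added `obj = kasan_reset_tag(obj);` carries no comment, and to a later reader it looks like a no-op on the generic and non-KASAN builds where it is one; add a one-line note above it such as `/* SW_TAGS stack objects carry a tag in the top byte; task_stack_page() does not */` so it is not removed as dead code. Given that the thread above agrees the bug has existed since CONFIG_KASAN_STACK was introduced, the commit message should also carry a Fixes: tag pointing at that commit (or at least a Cc: stable) so the fix reaches affected kernels; as posted, the changelog has neither.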