From patchwork Tue Dec 12 00:14:01 2023
From: andrey.konovalov@linux.dev
To: Andrew Morton
Cc: Andrey Konovalov, Marco Elver, Alexander Potapenko, Dmitry Vyukov, Vlastimil Babka, kasan-dev@googlegroups.com, Evgenii Stepanov, Tetsuo Handa, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov, syzbot+186b55175d8360728234@syzkaller.appspotmail.com
Subject: [PATCH mm 2/4] kasan: handle concurrent kasan_record_aux_stack calls
Date: Tue, 12 Dec 2023 01:14:01 +0100
Message-Id: <432a89fafce11244287c8af757e73a2eb22a5354.1702339432.git.andreyknvl@google.com>
In-Reply-To:
References:
MIME-Version: 1.0
From: Andrey Konovalov

kasan_record_aux_stack can be called concurrently on the same object. This might lead to a race condition when rotating the saved aux stack trace handles.

Fix by introducing a spinlock to protect the aux stack trace handles in kasan_record_aux_stack.

Reported-by: Tetsuo Handa
Reported-by: syzbot+186b55175d8360728234@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000784b1c060b0074a2@google.com/
Signed-off-by: Andrey Konovalov
---
This can be squashed into "kasan: use stack_depot_put for Generic mode" or left standalone.
---
 mm/kasan/generic.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index 54e20b2bc3e1..ca5c75a1866c 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -35,6 +36,8 @@ #include "kasan.h" #include "../slab.h" +DEFINE_SPINLOCK(aux_lock); + /* * All functions below always inlined so compiler could * perform better optimizations in each of __asan_loadX/__assn_storeX @@ -502,6 +505,8 @@ static void __kasan_record_aux_stack(void *addr, depot_flags_t depot_flags) struct kmem_cache *cache; struct kasan_alloc_meta *alloc_meta; void *object; + depot_stack_handle_t new_handle, old_handle; + unsigned long flags; if (is_kfence_address(addr) || !slab) return;
@@ -512,9 +517,15 @@ static void __kasan_record_aux_stack(void *addr, depot_flags_t depot_flags) if (!alloc_meta) return; - stack_depot_put(alloc_meta->aux_stack[1]); + new_handle = kasan_save_stack(0, depot_flags); + + spin_lock_irqsave(&aux_lock, flags); + old_handle = alloc_meta->aux_stack[1]; alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0]; - alloc_meta->aux_stack[0] = kasan_save_stack(0, depot_flags); + alloc_meta->aux_stack[0] = new_handle; + spin_unlock_irqrestore(&aux_lock, flags); + + stack_depot_put(old_handle); } void kasan_record_aux_stack(void *addr)
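Review bot: in the `@@ -35,6 +36,8 @@` hunk, `DEFINE_SPINLOCK(aux_lock);` is missing `static`, so a lock that is only used inside mm/kasan/generic.c becomes a global symbol with a very generic name; `static DEFINE_SPINLOCK(aux_lock);` avoids the namespace pollution and a possible clash with another `aux_lock` elsewhere in the tree. A one-line comment above it stating what it protects would also help, since it is not obvious from the definition that a single lock now covers the `aux_stack[]` handles of every slab object rather than one object; that is fine given the critical section is two assignments, but the commit message could say so explicitly.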
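Review bot: in the `@@ -512,9 +517,15 @@` hunk the ordering is correct but undocumented: `new_handle = kasan_save_stack(0, depot_flags);` is deliberately taken before `spin_lock_irqsave(&aux_lock, flags);` (the depot save path may allocate and takes its own lock), and `stack_depot_put(old_handle);` is deliberately deferred until after `spin_unlock_irqrestore(&aux_lock, flags);`. Without a short comment on each, a later cleanup could move either call inside the critical section and reintroduce lock nesting or allocation under a spinlock with interrupts disabled; suggest two comments of the form `/* Save the stack outside of aux_lock: may allocate. */` and `/* Put the old handle outside of aux_lock. */`.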