From patchwork Tue Jun 16 12:56:17 2020
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 11607383
Date: Tue, 16 Jun 2020 14:56:17 +0200
Message-Id: <20200616125617.237428-1-elver@google.com>
Subject: [PATCH] mm, kcsan: Instrument SLAB/SLUB free with "ASSERT_EXCLUSIVE_ACCESS"
From: Marco Elver
To: elver@google.com, akpm@linux-foundation.org
Cc: dvyukov@google.com, glider@google.com, andreyknvl@google.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, linux-mm@kvack.org

Provide the necessary KCSAN checks to assist with debugging racy use-after-frees. While KASAN is more reliable at generally catching such use-after-frees (due to its use of a quarantine), it can be difficult to debug racy use-after-frees. If a reliable reproducer exists, KCSAN can assist in debugging such issues.

Note: ASSERT_EXCLUSIVE_ACCESS is a convenience wrapper if the size is simply sizeof(var). Instead, here we just use __kcsan_check_access() explicitly to pass the correct size.

Signed-off-by: Marco Elver
---
 mm/slab.c | 4 ++++
 mm/slub.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/mm/slab.c b/mm/slab.c index 9350062ffc1a..4c7013eeacd9 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -3426,6 +3426,10 @@ static __always_inline void __cache_free(struct kmem_cache *cachep, void *objp, if (kasan_slab_free(cachep, objp, _RET_IP_)) return; + /* Use KCSAN to help debug racy use-after-free. */ + __kcsan_check_access(objp, cachep->object_size, + KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT); + ___cache_free(cachep, objp, caller); }
diff --git a/mm/slub.c b/mm/slub.c index b8f798b50d44..57db6ca2e0dc 100644 --- a/mm/slub.c +++ b/mm/slub.c
@@ -1470,6 +1470,10 @@ static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x) if (!(s->flags & SLAB_DEBUG_OBJECTS)) debug_check_no_obj_freed(x, s->object_size); + /* Use KCSAN to help debug racy use-after-free. */ + __kcsan_check_access(x, s->object_size, + KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT); + /* KASAN might put x into memory quarantine, delaying its reuse */ return kasan_slab_free(s, x, _RET_IP_); }
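Review bot: in the `__cache_free()` hunk (mm/slab.c), the in-code comment `/* Use KCSAN to help debug racy use-after-free. */` does not say why `__kcsan_check_access()` is called directly instead of `ASSERT_EXCLUSIVE_ACCESS()`; that reasoning lives only in the commit message (the object spans `cachep->object_size` bytes, not `sizeof(*objp)`). Suggest extending the comment, e.g. `/* Assert exclusive access to the whole object (object_size, not sizeof(*objp)) on free. */`, so a later cleanup does not "simplify" it back to the macro. Also worth a note: since the check sits after `if (kasan_slab_free(cachep, objp, _RET_IP_)) return;`, it is skipped whenever KASAN quarantines the object, so with both tools enabled this assertion only covers frees that KASAN lets through.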
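Review bot: the placement in `slab_free_hook()` (mm/slub.c) is not consistent with the `__cache_free()` hunk: here the assert runs before `kasan_slab_free(s, x, _RET_IP_)` and therefore fires even when KASAN quarantines `x`, whereas in mm/slab.c it runs only when `kasan_slab_free()` returned false. Either order is defensible (from the caller's side the object is gone once free is called, so any concurrent access is a use-after-free regardless of quarantine), but the asymmetry should be stated in the commit message or removed by placing both checks on the same side of `kasan_slab_free()`. The size argument `s->object_size` matches the `debug_check_no_obj_freed(x, s->object_size)` context line above it, which is consistent.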