Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp5996972ybe; Tue, 10 Sep 2019 11:56:00 -0700 (PDT) X-Google-Smtp-Source: APXvYqwgidw0YbBuGVREsMDqgo/94X63NEl/qV463+REFIaOtSTvUWjfI3/mFWvl5m10OH/WE+Kt X-Received: by 2002:a50:c209:: with SMTP id n9mr32668807edf.215.1568141759932; Tue, 10 Sep 2019 11:55:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568141759; cv=none; d=google.com; s=arc-20160816; b=MzMp0DCn16Q8U4Bi5li0KvQDHrxtupr8lMNg8cHEXHLYm14Ox6GYNZbyPu2dpexZ5W XL4uBT/RjIP1LNn+XruHGtpYana/ctMusllHKNfWG5KBi1M7pHBby6pk8LfKx17722wQ kMVtwciGrcg9CTWOs0df0xqOgp586MgP1NGL8kTQzF/59bORG9b6L15q3ReWa9gVAgYF NT32M/tB504d0swkC+wBzTmuMBWZDlwWixsctVeew24VYMcDjuW4e5JpYVG5jIyufb6u qSaYjPclywAtRkjxZxnBAmKNJwQJDuQiDeiyzc/fY9sHxsYO6y5sxh05FXljMgUAscRt pGJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=mCcrdxpTjYNMqPwu5a0++sL0igTDvXz8dnP5yhSCASQ=; b=0RO32h1GkaBp43G5h93/8Dd1pX9MPoEJZYj9UoTWMJJdClLYbGRUGYSDHDeDPfkuyD BiNoXtOjABXlIdZU6tEyrCPJdoUNvflfGbs6zFLVj7f2hZSThFel4Ht+qXKAUhOFgG07 tUPPy6EkXWpIQjhVU2Xro4D/N/PkPFsKLESW+dHiffjZQUXbZyqbkeSUmPy8o0V758Xh nSAZOgDr4Jo+hAz2Vt9T0xQrxi3CApNDYIt8rpdsqHeuj4B32f8bLklzANBDOUGFXPKo Rx0aBSE23t4xNOExgXnZfwPfncECRdlOEefA9WmBrF+iJSFU/ATgktdTusoS1DdFQbxM z4Xg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z11si6184287ejm.28.2019.09.10.11.55.35; Tue, 10 Sep 2019 11:55:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730118AbfIJKuv (ORCPT + 99 others); Tue, 10 Sep 2019 06:50:51 -0400 Received: from relay.sw.ru ([185.231.240.75]:48776 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729737AbfIJKuu (ORCPT ); Tue, 10 Sep 2019 06:50:50 -0400 Received: from [172.16.25.5] by relay.sw.ru with esmtp (Exim 4.92) (envelope-from ) id 1i7djC-0007sY-TJ; Tue, 10 Sep 2019 13:50:31 +0300 Subject: Re: [PATCH v2 0/2] mm/kasan: dump alloc/free stack for page allocator To: Vlastimil Babka , walter-zh.wu@mediatek.com, Alexander Potapenko , Dmitry Vyukov , Matthias Brugger , Andrew Morton , Martin Schwidefsky , Will Deacon , Andrey Konovalov , Arnd Bergmann , Thomas Gleixner , Michal Hocko , Qian Cai Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, wsd_upstream@mediatek.com References: <20190909082412.24356-1-walter-zh.wu@mediatek.com> From: Andrey Ryabinin Message-ID: Date: Tue, 10 Sep 2019 13:50:29 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 9/9/19 4:07 PM, Vlastimil Babka wrote: > On 9/9/19 10:24 AM, walter-zh.wu@mediatek.com wrote: >> From: Walter Wu >> >> This patch is KASAN report adds the alloc/free stacks for page allocator >> in order to help programmer to see memory corruption caused by page. >> >> By default, KASAN doesn't record alloc and free stack for page allocator. >> It is difficult to fix up page use-after-free or dobule-free issue. >> >> Our patchsets will record the last stack of pages. >> It is very helpful for solving the page use-after-free or double-free. >> >> KASAN report will show the last stack of page, it may be: >> a) If page is in-use state, then it prints alloc stack. >>     It is useful to fix up page out-of-bound issue. > > I still disagree with duplicating most of page_owner functionality for the sake of using a single stack handle for both alloc and free (while page_owner + debug_pagealloc with patches in mmotm uses two handles). It reduces the amount of potentially important debugging information, and I really doubt the u32-per-page savings are significant, given the rest of KASAN overhead. > >> BUG: KASAN: slab-out-of-bounds in kmalloc_pagealloc_oob_right+0x88/0x90 >> Write of size 1 at addr ffffffc0d64ea00a by task cat/115 >> ... >> Allocation stack of page: >>   set_page_stack.constprop.1+0x30/0xc8 >>   kasan_alloc_pages+0x18/0x38 >>   prep_new_page+0x5c/0x150 >>   get_page_from_freelist+0xb8c/0x17c8 >>   __alloc_pages_nodemask+0x1a0/0x11b0 >>   kmalloc_order+0x28/0x58 >>   kmalloc_order_trace+0x28/0xe0 >>   kmalloc_pagealloc_oob_right+0x2c/0x68 >> >> b) If page is freed state, then it prints free stack. >>     It is useful to fix up page use-after-free or double-free issue. >> >> BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0x70/0x80 >> Write of size 1 at addr ffffffc0d651c000 by task cat/115 >> ... >> Free stack of page: >>   kasan_free_pages+0x68/0x70 >>   __free_pages_ok+0x3c0/0x1328 >>   __free_pages+0x50/0x78 >>   kfree+0x1c4/0x250 >>   kmalloc_pagealloc_uaf+0x38/0x80 >> >> This has been discussed, please refer below link. >> https://bugzilla.kernel.org/show_bug.cgi?id=203967 > > That's not a discussion, but a single comment from Dmitry, which btw contains "provide alloc *and* free stacks for it" ("it" refers to page, emphasis mine). It would be nice if he or other KASAN guys could clarify. > For slab objects we memorize both alloc and free stacks. You'll never know in advance what information will be usefull to fix an issue, so it usually better to provide more information. I don't think we should do anything different for pages. Given that we already have the page_owner responsible for providing alloc/free stacks for pages, all that we should in KASAN do is to enable the feature by default. Free stack saving should be decoupled from debug_pagealloc into separate option so that it can be enabled by KASAN and/or debug_pagealloc.