Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp4357805pxk; Wed, 30 Sep 2020 00:22:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx41MjEX0DGe2jpkofdpZ59D4uZWrh8ecoGntQ0/ajKHaOY+2WYo4vyYVHIYO9MifozKDUu X-Received: by 2002:a17:906:2749:: with SMTP id a9mr1481999ejd.457.1601450524139; Wed, 30 Sep 2020 00:22:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601450524; cv=none; d=google.com; s=arc-20160816; b=RmJ6HeW4KI1qz8DUYbpS8VnURrxMIH2/zTQIRFgAa1xyM3NIoOIhEPUKjAsOnsXnWC 9MKXxXFeqy4YZgAWw5r2990pqreQLepZTDI8WAQmhlQmK5adEDyTPE5W4XvRsq1n/Vru aZfd+LaLSva8LRQ6FoTZ79iV9V6gdUqf6ziCAbJJLM3zAH1/MoCx/DY5Gd87pm/xrSLa 0Ne3bD+fNcbsKk/OCghbtB57iyhubdCykHarkbFrxIjEPyXqcfkcunCQOA0usjqzRLAO 8SqCbq+vE/3M8UsROFIubEanaHxdIrzv4bGU1NXUveRq3tvl9CQ0AtRPbHMqSF6CfrJ9 53wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:in-reply-to:subject:cc:to:dkim-signature :dkim-signature:from; bh=qszLRp610KM1evPqkHZZ4TULFEPMDDCHrKhOHL9Calg=; b=w+ibPlLsB4AVXDeU8duSJM8qB6iwxV6cNBs7UdnpoxMvEdmwqDKNk85nzxVIY2vjtT +VuJOpkNbSq94NaT7atMylZ/3eL+vvGbdfy4MjiBi0owFktvTMLTeN2Qw1ckwP1y+Ipw wZO5oyk2mzjSJUIfKr3JQ1B0Br3QjtEQU2Yc+NpktGbr0EyesTXRej1u0NqKkkODNc/i Chi7S3ngn0BlXHBVzKT35yhF2okeTtXSJb9xXzVco7auMcULpH1umpz+iGPxdEJlhHza OA9UYN6O7SOf/bcO3n4BnqQoxd0ISx01aHKDjKUhoj4Lv8jAiB41QY8JWT+0CJllrmI4 oTiQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=oiDx8cqR; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h11si557992ejd.398.2020.09.30.00.21.40; Wed, 30 Sep 2020 00:22:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=oiDx8cqR; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728367AbgI3HSm (ORCPT + 99 others); Wed, 30 Sep 2020 03:18:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51322 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725440AbgI3HSl (ORCPT ); Wed, 30 Sep 2020 03:18:41 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6537C061755 for ; Wed, 30 Sep 2020 00:18:41 -0700 (PDT) From: Thomas Gleixner DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1601450320; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to; bh=qszLRp610KM1evPqkHZZ4TULFEPMDDCHrKhOHL9Calg=; b=oiDx8cqR1gH1cdVjlJen0MXBF5n8GWSksV5LbQFnVNUFTDAVQ5203uT+YL7zNshQD4TQDs aKH9y+x9be8PyF3THnjZdJlSsCxeYT3XilhNQoZvmntlzvJy4sKP8nyT2emK+f/Epte8RZ 0YGtL/lotU0E4Qb6IerdeyKMVrxYslKZxSO3r0ZLAy8drw6mQfXJeZpHILvxAQ/rKNclxh rbMHzuHgZTJfKn2Z36yQsU4LCS+4tSkT0BoqLbxHHJMqndM3V+rQmyZt/WU5wIvSZ38aBj cSmKdHSyPQOGnVc4mM+MGVEMqCOKdC41fknNGgSVaE09nW5KEDjtPqZmEUdZAQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1601450320; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to; bh=qszLRp610KM1evPqkHZZ4TULFEPMDDCHrKhOHL9Calg=; b=VxLi47jxjLMA/8KfOfQluB5H9tdiNpLA5xhADYI/Ahx5Yeo3d9xZB/suOR+oCyxtAJYNp3 kzZ8RbirgaX6ugDA== To: Walter Wu Cc: Andrew Morton , John Stultz , Stephen Boyd , Marco Elver , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Andrey Konovalov , Matthias Brugger , kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, wsd_upstream , linux-mediatek@lists.infradead.org Subject: Re: [PATCH v4 1/6] timer: kasan: record timer stack In-Reply-To: <1601140312.15228.12.camel@mtksdccf07> Date: Wed, 30 Sep 2020 09:18:40 +0200 Message-ID: <87pn63ivfz.fsf@nanos.tec.linutronix.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Walter, On Sun, Sep 27 2020 at 01:11, Walter Wu wrote: > First, I think the commit log =E2=80=9CBecause if the UAF root cause is i= n timer > init =E2=80=A6=E2=80=9D needs to be removed, this patch hopes to help pro= grammer gets > timer callback is where is registered. It is useful only if free stack > is called from timer callback, because programmer can see why & where > register this function. > > Second, see [1], it should satisfies first point. The free stack is from > timer callback, if we know where register this function, then it should > be useful to solve UAF. No. It's completely useless. The problem has absolutely nothing to do with the timer callback and the timer_init() invocation which set the timer's callback to 'dummy_timer'. The timer callback happens to free the object, but the worker thread has still a reference of some sort. So the problem is either missing refcounting which allows the timer callback to free the object or some missing serialization. Knowing the place which initialized the timer is absolutely not helping to figure out what's missing here. Aside of that it's trivial enough to do: git grep dummy_timer drivers/usb/gadget/udc/dummy_hcd.c if you really want to know what initialized it: dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 expire_timers kernel/time/timer.c:1449 [inline] That said, I'm all for adding useful information to KASAN or whatever reports, but I'm not agreeing with the approach of 'Let's sprinkle kasan_foo() all over tha place and claim it is useful to decode an UAF'. Adding irrelevant information to a report is actually counter productive because it makes people look at the wrong place. Again: Provide an analysis of such a dump where the timer_init() function is a key element of solving the problem. Thanks, tglx