Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp405679pxb;
        Thu, 5 Nov 2020 03:19:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwpB9xFAL05rr+iC8zHU1NYs71b+tAZnIEtYNFKsDvYnonCI5TtetQFPNd/X6lhTl43J4Q/
X-Received: by 2002:a50:f392:: with SMTP id g18mr2047175edm.140.1604575183201;
        Thu, 05 Nov 2020 03:19:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1604575183; cv=none;
        d=google.com; s=arc-20160816;
        b=vpiQGbwTbzmIKOaIkw5nyyqiIQ+9/o7e961hbbTDRx1rulH7qTR/JJJcURGUYHtA41
         LnTdk7nnsMcSaPs229UvzjMKq4qYcwv5fEW5fqdFYynVdZfIYDpESo9+qxrDvosVtKKj
         TFRFvdMs3mZSVcg4avkVHJI+elnTXrNj6OdRuGbNFz3V1AH7hIffUS543pz7bgH74uPq
         UhadQA12zkArddjvQ2SyRyTqjXjWG6tN1Xl0YJf3xDsHPk7ibND4H7Yw6vBN2JqzqFjl
         aWBMuX/WeibMH7oAdtAuPDh5J1F3TBolu6dQrsa2c1pkBHuEzU+lMQNTjm74IkHQlZLU
         5xPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=ziZl4T8kjNiLHlGfLpcAi0KB0HNTpeQRkauj0SyOXZk=;
        b=Pzce5FFaEQ4+kBiwg5nfUxoWDbD9td6rKJp5jPkV/lhMwcZ4YlzJ67vvcmeLPRgUeK
         DG+bcJedUArU2kDjtTqiOQ2slcSZID6O+er8jZUH+StS3EjkyMvxVGaqELbnuFB2qdUF
         j8z/naN5zY4ka2s6x1AlKPPUYgx+uVU9BSwHWeMnd/SqnbJmJZYTQ5jAhhM4CHhzWY0C
         8UrfvROFBzHGz42sqQxyOK4V5qUbqH8jf1SnsfGQq1ojS+p2b34mvOIvP+Uanzk4lY4l
         PkWOdQFDeF2mvi39cZJjVUsK7u2CuAR5TioeLvuJSiFkLw3vjPE1bCYpgeCdSOl2CJVm
         nqQA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u4si875652eda.182.2020.11.05.03.19.19;
        Thu, 05 Nov 2020 03:19:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729016AbgKELP7 (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Thu, 5 Nov 2020 06:15:59 -0500
Received: from foss.arm.com ([217.140.110.172]:57754 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726067AbgKELP6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 5 Nov 2020 06:15:58 -0500
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 55E9E142F;
        Thu,  5 Nov 2020 03:15:58 -0800 (PST)
Received: from C02TD0UTHF1T.local (unknown [10.57.58.72])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id D5A9E3F719;
        Thu,  5 Nov 2020 03:15:55 -0800 (PST)
Date:   Thu, 5 Nov 2020 11:15:52 +0000
From:   Mark Rutland <mark.rutland@arm.com>
To:     Marco Elver <elver@google.com>
Cc:     Andrew Morton <akpm@linux-foundation.org>,
        Alexander Potapenko <glider@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Jann Horn <jannh@google.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Linux Memory Management List <linux-mm@kvack.org>,
        kasan-dev <kasan-dev@googlegroups.com>,
        the arch/x86 maintainers <x86@kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        "Paul E. McKenney" <paulmck@kernel.org>
Subject: Re: [PATCH] kfence: Use pt_regs to generate stack trace on faults
Message-ID: <20201105111552.GD82102@C02TD0UTHF1T.local>
References: <20201105092133.2075331-1-elver@google.com>
 <20201105105241.GC82102@C02TD0UTHF1T.local>
 <CANpmjNP+QOJrfJHC2P-9gFfB6wdnr9c9gPDgVFdgzbrCcG-nog@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CANpmjNP+QOJrfJHC2P-9gFfB6wdnr9c9gPDgVFdgzbrCcG-nog@mail.gmail.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Nov 05, 2020 at 12:11:19PM +0100, Marco Elver wrote:
> On Thu, 5 Nov 2020 at 11:52, Mark Rutland <mark.rutland@arm.com> wrote:
> > On Thu, Nov 05, 2020 at 10:21:33AM +0100, Marco Elver wrote:
> > > Instead of removing the fault handling portion of the stack trace based
> > > on the fault handler's name, just use struct pt_regs directly.
> > >
> > > Change kfence_handle_page_fault() to take a struct pt_regs, and plumb it
> > > through to kfence_report_error() for out-of-bounds, use-after-free, or
> > > invalid access errors, where pt_regs is used to generate the stack
> > > trace.
> > >
> > > If the kernel is a DEBUG_KERNEL, also show registers for more
> > > information.
> > >
> > > Suggested-by: Mark Rutland <mark.rutland@arm.com>
> > > Signed-off-by: Marco Elver <elver@google.com>
> >
> > Wow; I wasn't expecting this to be put together so quickly, thanks for
> > doing this!
> >
> > From a scan, this looks good to me -- just one question below.
> >
> > > diff --git a/include/linux/kfence.h b/include/linux/kfence.h
> > > index ed2d48acdafe..98a97f9d43cd 100644
> > > --- a/include/linux/kfence.h
> > > +++ b/include/linux/kfence.h
> > > @@ -171,6 +171,7 @@ static __always_inline __must_check bool kfence_free(void *addr)
> > >  /**
> > >   * kfence_handle_page_fault() - perform page fault handling for KFENCE pages
> > >   * @addr: faulting address
> > > + * @regs: current struct pt_regs (can be NULL, but shows full stack trace)
> > >   *
> > >   * Return:
> > >   * * false - address outside KFENCE pool,
> >
> > > @@ -44,8 +44,12 @@ static int get_stack_skipnr(const unsigned long stack_entries[], int num_entries
> > >               case KFENCE_ERROR_UAF:
> > >               case KFENCE_ERROR_OOB:
> > >               case KFENCE_ERROR_INVALID:
> > > -                     is_access_fault = true;
> > > -                     break;
> > > +                     /*
> > > +                      * kfence_handle_page_fault() may be called with pt_regs
> > > +                      * set to NULL; in that case we'll simply show the full
> > > +                      * stack trace.
> > > +                      */
> > > +                     return 0;
> >
> > For both the above comments, when/where is kfence_handle_page_fault()
> > called with regs set to NULL? I couldn't spot that in this patch, so
> > unless I mised it I'm guessing that's somewhere outside of the patch
> > context?
> 
> Right, currently it's not expected to happen, but I'd like to permit
> this function being called not from fault handlers, for use-cases like
> this:
> 
>  https://lkml.kernel.org/r/CANpmjNNxAvembOetv15FfZ=04mpj0Qwx+1tnn22tABaHHRRv=Q@mail.gmail.com
> 
> The revised recommendation when trying to get KFENCE to give us more
> information about allocation/free stacks after refcount underflow
> (like what Paul was trying to do) would be to call
> kfence_handle_page_fault(addr, NULL).
> 
> > If this is a case we don't expect to happen, maybe add a WARN_ON_ONCE()?
> 
> While it's currently not expected, I don't see why we should make this
> WARN and limit the potential uses of the API if it works just fine if
> we pass regs set to NULL. Although arguably the name
> kfence_handle_page_fault() might be confusing for such uses, for now,
> until more widespread use is evident (if at all) I'd say let's keep
> as-is, but simply not prevent such use-cases.

Fair enough! I guess in future we could always revise that anyhow.

FWIW, for this as-is:

Acked-by: Mark Rutland <mark.rutland@arm.com>

Mark.