Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp4039769pxf;
        Tue, 16 Mar 2021 04:23:46 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzQSfuYKO8yAIg0t3k+0IlZuxAYMCl5hrahFX3tU/b7yAOrfDBHXpbn5jgRR5oBSh0h7swz
X-Received: by 2002:a17:906:1408:: with SMTP id p8mr28631390ejc.89.1615893826707;
        Tue, 16 Mar 2021 04:23:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1615893826; cv=none;
        d=google.com; s=arc-20160816;
        b=n8Kw6/hks1IrQY+KLa6CGilW2h16gtb7kpN15p5qeHX0TlJp95m8kD00MEfKefDR07
         h9WowXW7l91AmEbw80fAdcM6fpL2IB5T8QTqIaH/7A22C4ZYurvPFw6bb8z6gg6zGKcP
         iJJTEn/bcXyh8XOOGK8KShnfpC9PfBaE1scZMvXd+rpF2bFp2xG8AemmFYMt4EcqsP/n
         62Hf/CSGjjCJd7g8QlqdDhfEF9CI4ycTtR/50vmJSqMXVAkC2c3gUednEIloZL4QON/G
         fs68g1RnjxNwCPPDFN8Bx+xr57x7ou0IWxM9yF9a2XqUI76YvJzl5ur9DrzBslWInpeR
         nycw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
        bh=KyOzZxvo9bBLo0Mrm5XRySVJWLgFDT8L9S2FjYYN7Uc=;
        b=or/k0hVeGLnb8mAUGUgGIINjbDHFfgQhs5eLhu0jwkjVy5Nxl1/5uEb3xGC29uTOvq
         RJT0itYa6LxiqwmlwzpuW0/ywb2mC9pISMelLMbOolq6v2tuvJRbM168F2dRFrBND1eZ
         1GZHKf4A55ZzqcTJftUYdEwJdWhkXZOJRcFdNdhlZvBf+2Tjy69G95eMUHuH90e9rnJg
         myJQeOJdmIs//2TxeaMyIS0wH96G+VO9/OiJT+NmgdaIDhq8iVcxOxRJ8B1t2mR0ZJqS
         zy+KcJbW29V/wxp3R/hy4wNhvOMixtUFXTPoxImg7wIrMl0kSmP4rLNIGOjWOnq6r9b2
         DUVg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id d5si4666084edv.281.2021.03.16.04.23.24;
        Tue, 16 Mar 2021 04:23:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229558AbhCPCol (ORCPT <rfc822;m15259695263@gmail.com>
        + 99 others); Mon, 15 Mar 2021 22:44:41 -0400
Received: from mailgw01.mediatek.com ([210.61.82.183]:55143 "EHLO
        mailgw01.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org
        with ESMTP id S234637AbhCPCoR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Mar 2021 22:44:17 -0400
X-UUID: c747895dedf149ee8043bffd5a27bc42-20210316
X-UUID: c747895dedf149ee8043bffd5a27bc42-20210316
Received: from mtkcas11.mediatek.inc [(172.21.101.40)] by mailgw01.mediatek.com
        (envelope-from <walter-zh.wu@mediatek.com>)
        (Cellopoint E-mail Firewall v4.1.14 Build 0819 with TLSv1.2 ECDHE-RSA-AES256-SHA384 256/256)
        with ESMTP id 859541587; Tue, 16 Mar 2021 10:44:12 +0800
Received: from mtkcas07.mediatek.inc (172.21.101.84) by
 mtkmbs01n1.mediatek.inc (172.21.101.68) with Microsoft SMTP Server (TLS) id
 15.0.1497.2; Tue, 16 Mar 2021 10:44:11 +0800
Received: from mtksdccf07.mediatek.inc (172.21.84.99) by mtkcas07.mediatek.inc
 (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend
 Transport; Tue, 16 Mar 2021 10:44:11 +0800
From:   Walter Wu <walter-zh.wu@mediatek.com>
To:     Andrey Ryabinin <ryabinin.a.a@gmail.com>,
        Alexander Potapenko <glider@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Matthias Brugger <matthias.bgg@gmail.com>,
        Andrey Konovalov <andreyknvl@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Jens Axboe <axboe@kernel.dk>, Oleg Nesterov <oleg@redhat.com>
CC:     <kasan-dev@googlegroups.com>, <linux-mm@kvack.org>,
        <linux-kernel@vger.kernel.org>,
        <linux-arm-kernel@lists.infradead.org>,
        wsd_upstream <wsd_upstream@mediatek.com>,
        <linux-mediatek@lists.infradead.org>,
        Walter Wu <walter-zh.wu@mediatek.com>
Subject: [PATCH v2] task_work: kasan: record task_work_add() call stack
Date:   Tue, 16 Mar 2021 10:44:10 +0800
Message-ID: <20210316024410.19967-1-walter-zh.wu@mediatek.com>
X-Mailer: git-send-email 2.18.0
MIME-Version: 1.0
Content-Type: text/plain
X-MTK:  N
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Why record task_work_add() call stack?
Syzbot reports many use-after-free issues for task_work, see [1].
After see the free stack and the current auxiliary stack, we think
they are useless, we don't know where register the work, this work
may be the free call stack, so that we miss the root cause and
don't solve the use-after-free.

Add task_work_add() call stack into KASAN auxiliary stack in
order to improve KASAN report. It is useful for programmers
to solve use-after-free issues.

[1]: https://groups.google.com/g/syzkaller-bugs/search?q=kasan%20use-after-free%20task_work_run

Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com>
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
---

v2: Fix kasan_record_aux_stack() calling sequence issue.
    Thanks for Dmitry's suggestion

---
 kernel/task_work.c | 3 +++
 mm/kasan/kasan.h   | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/task_work.c b/kernel/task_work.c
index 9cde961875c0..3d4852891fa8 100644
--- a/kernel/task_work.c
+++ b/kernel/task_work.c
@@ -34,6 +34,9 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
 {
 	struct callback_head *head;
 
+	/* record the work call stack in order to print it in KASAN reports */
+	kasan_record_aux_stack(work);
+
 	do {
 		head = READ_ONCE(task->task_works);
 		if (unlikely(head == &work_exited))
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index 3436c6bf7c0c..e4629a971a3c 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -146,7 +146,7 @@ struct kasan_alloc_meta {
 	struct kasan_track alloc_track;
 #ifdef CONFIG_KASAN_GENERIC
 	/*
-	 * call_rcu() call stack is stored into struct kasan_alloc_meta.
+	 * The auxiliary stack is stored into struct kasan_alloc_meta.
 	 * The free stack is stored into struct kasan_free_meta.
 	 */
 	depot_stack_handle_t aux_stack[2];
-- 
2.18.0