Received: by 2002:a05:7412:8521:b0:e2:908c:2ebd with SMTP id t33csp2376106rdf; Mon, 6 Nov 2023 12:13:35 -0800 (PST) X-Google-Smtp-Source: AGHT+IFUvrc46Fwxxm2mKGAUH/vxdGTVGXHsUuD/mkWADuc/USOvOcj0BT3GS7nubGIv6RlpTP3V X-Received: by 2002:a05:6a20:4414:b0:180:7df:76a5 with SMTP id ce20-20020a056a20441400b0018007df76a5mr35007941pzb.55.1699301614751; Mon, 06 Nov 2023 12:13:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1699301614; cv=none; d=google.com; s=arc-20160816; b=xn3WFKEzMcJt2Td++gBsjPS84fVuDgwQ1HKT4PjmBjnLFap//PMsnhRXt8P7DMwki2 QZA+CXitU0fSpe9bM41hYbq8ENydT9bx27xBNdbzSLEg6CJp4vEzzVpWKCMVRbnTTzBv xVcpUXE8ZcCpfH6ragSTUgRQxpvNGrIrKMof3lbKltxOcf7Lo5kKvw21Cp3r3t0k5NJ7 AIymUfPEFH3RlBBK1pnL+IeNOGhjY8jTjNli5qmkakNHDJPvqhJXyalc/GFYyqcNzXoO m/mka26Q4IvfCVH7NtKXH229paZANjH1fvIxmr2Ksa4VboURiqzD3qc4rZKYZy/xWcmi CFEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=pzcd7T6SaBRo5t2Dalks3vRx+ahOG8KGm+CRn7Qcn4c=; fh=n5KN85tQTomq0Sa/nFFC9xbnc77mxkBzF8HoolO/QOw=; b=bP2Wo52AjbV27HbYLdh2ixAa7p1l/b2CnmsdSSrXhcGeyCa60mPd8otInGlABEntfk oo4uyhzU5yhVOY96DscYGh7F92SJhU6eXenUNjiIyhbwyylS1t6cPM0gvYzvSnDw399s GmNcry6PZtyBU82JL+BT4zmVIPIMkoXxF1r5+TMjr2PK7yfGGvEqjl23mkdoEClr8ftM D5i0iclhG41xmR35JjyJBhfUz1Z7PB5yJyLWZzkL/F2cOeShmCW6jgwKTy8Wc7kLlBJR tsVHliVkCr0OcLNYgQvmWgaFCIZ+Z6+GDV9UY9XsanYQVBbVERgqzwuZFbjjejtcrxz5 Rpxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=pwv3dkzf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id j5-20020a056a00234500b006c0db523732si9471737pfj.136.2023.11.06.12.13.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Nov 2023 12:13:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=pwv3dkzf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 791BE80C6DE9; Mon, 6 Nov 2023 12:13:24 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233056AbjKFUM5 (ORCPT + 99 others); Mon, 6 Nov 2023 15:12:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34348 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233015AbjKFUMs (ORCPT ); Mon, 6 Nov 2023 15:12:48 -0500 Received: from out-188.mta1.migadu.com (out-188.mta1.migadu.com [IPv6:2001:41d0:203:375::bc]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53A76D75 for ; Mon, 6 Nov 2023 12:12:45 -0800 (PST) X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1699301563; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pzcd7T6SaBRo5t2Dalks3vRx+ahOG8KGm+CRn7Qcn4c=; b=pwv3dkzff3LD7yWHcbYcgAz4JV6yfUR59dhP8YxPHgOJqBy44vK2HoY3LSsvhd8ac/r+Kw YjUTxsAxtuUXSOSqxissVE/DJambefCo5UZhQA3OpygTzSXNBEkWw+ttz9+sRuo965g4Qr dO5rxteHGvoYv4f78rDOUpqGsj2A/J4= From: andrey.konovalov@linux.dev To: Marco Elver , Alexander Potapenko Cc: Andrey Konovalov , Dmitry Vyukov , Andrey Ryabinin , kasan-dev@googlegroups.com, Evgenii Stepanov , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov Subject: [PATCH RFC 12/20] kasan: save alloc stack traces for mempool Date: Mon, 6 Nov 2023 21:10:21 +0100 Message-Id: <325b1285d95f7bb6d2865750aa0088ab4cb5e0c3.1699297309.git.andreyknvl@google.com> In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Mon, 06 Nov 2023 12:13:24 -0800 (PST) From: Andrey Konovalov Update kasan_mempool_unpoison_object to properly poison the redzone and save alloc strack traces for kmalloc and slab pools. As a part of this change, split out and use a unpoison_slab_object helper function from __kasan_slab_alloc. Signed-off-by: Andrey Konovalov --- include/linux/kasan.h | 7 +++--- mm/kasan/common.c | 50 ++++++++++++++++++++++++++++++++++--------- 2 files changed, 44 insertions(+), 13 deletions(-) diff --git a/include/linux/kasan.h b/include/linux/kasan.h index e636a00e26ba..7392c5d89b92 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -303,9 +303,10 @@ void __kasan_mempool_unpoison_object(void *ptr, size_t size, unsigned long ip); * mempool). * * This function unpoisons a slab allocation that was previously poisoned via - * kasan_mempool_poison_object() without initializing its memory. For the - * tag-based modes, this function does not assign a new tag to the allocation - * and instead restores the original tags based on the pointer value. + * kasan_mempool_poison_object() and saves an alloc stack trace for it without + * initializing the allocation's memory. For the tag-based modes, this function + * does not assign a new tag to the allocation and instead restores the + * original tags based on the pointer value. * * This function operates on all slab allocations including large kmalloc * allocations (the ones returned by kmalloc_large() or by kmalloc() with the diff --git a/mm/kasan/common.c b/mm/kasan/common.c index b50e4fbaf238..65850d37fd27 100644 --- a/mm/kasan/common.c +++ b/mm/kasan/common.c @@ -267,6 +267,20 @@ void __kasan_kfree_large(void *ptr, unsigned long ip) /* The object will be poisoned by kasan_poison_pages(). */ } +void unpoison_slab_object(struct kmem_cache *cache, void *object, gfp_t flags, + bool init) +{ + /* + * Unpoison the whole object. For kmalloc() allocations, + * poison_kmalloc_redzone() will do precise poisoning. + */ + kasan_unpoison(object, cache->object_size, init); + + /* Save alloc info (if possible) for non-kmalloc() allocations. */ + if (kasan_stack_collection_enabled() && !is_kmalloc_cache(cache)) + kasan_save_alloc_info(cache, object, flags); +} + void * __must_check __kasan_slab_alloc(struct kmem_cache *cache, void *object, gfp_t flags, bool init) { @@ -289,15 +303,8 @@ void * __must_check __kasan_slab_alloc(struct kmem_cache *cache, tag = assign_tag(cache, object, false); tagged_object = set_tag(object, tag); - /* - * Unpoison the whole object. - * For kmalloc() allocations, kasan_kmalloc() will do precise poisoning. - */ - kasan_unpoison(tagged_object, cache->object_size, init); - - /* Save alloc info (if possible) for non-kmalloc() allocations. */ - if (kasan_stack_collection_enabled() && !is_kmalloc_cache(cache)) - kasan_save_alloc_info(cache, tagged_object, flags); + /* Unpoison the object and save alloc info for non-kmalloc() allocations. */ + unpoison_slab_object(cache, tagged_object, flags, init); return tagged_object; } @@ -472,7 +479,30 @@ bool __kasan_mempool_poison_object(void *ptr, unsigned long ip) void __kasan_mempool_unpoison_object(void *ptr, size_t size, unsigned long ip) { - kasan_unpoison(ptr, size, false); + struct slab *slab; + gfp_t flags = 0; /* Might be executing under a lock. */ + + if (is_kfence_address(kasan_reset_tag(ptr))) + return; + + slab = virt_to_slab(ptr); + + /* + * This function can be called for large kmalloc allocation that get + * their memory from page_alloc. + */ + if (unlikely(!slab)) { + kasan_unpoison(ptr, size, false); + poison_kmalloc_large_redzone(ptr, size, flags); + return; + } + + /* Unpoison the object and save alloc info for non-kmalloc() allocations. */ + unpoison_slab_object(slab->slab_cache, ptr, size, flags); + + /* Poison the redzone and save alloc info for kmalloc() allocations. */ + if (is_kmalloc_cache(slab->slab_cache)) + poison_kmalloc_redzone(slab->slab_cache, ptr, size, flags); } bool __kasan_check_byte(const void *address, unsigned long ip) -- 2.25.1