From: andrey.konovalov@linux.dev
To: Andrew Morton
Cc: Andrey Konovalov, Marco Elver, Alexander Potapenko, Dmitry Vyukov, Vlastimil Babka, kasan-dev@googlegroups.com, Evgenii Stepanov, Tetsuo Handa, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov, syzbot+186b55175d8360728234@syzkaller.appspotmail.com
Subject: [PATCH mm 2/4] kasan: handle concurrent kasan_record_aux_stack calls
Date: Tue, 12 Dec 2023 01:14:01 +0100
Message-Id: <432a89fafce11244287c8af757e73a2eb22a5354.1702339432.git.andreyknvl@google.com>
In-Reply-To:
References:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Andrey Konovalov

kasan_record_aux_stack can be called concurrently on the same object. This might lead to a race condition when rotating the saved aux stack trace handles.

Fix by introducing a spinlock to protect the aux stack trace handles in kasan_record_aux_stack.

Reported-by: Tetsuo Handa
Reported-by: syzbot+186b55175d8360728234@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000784b1c060b0074a2@google.com/
Signed-off-by: Andrey Konovalov
---
This can be squashed into "kasan: use stack_depot_put for Generic mode" or left standalone.
---
 mm/kasan/generic.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index 54e20b2bc3e1..ca5c75a1866c 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include @@ -35,6 +36,8 @@ #include "kasan.h" #include "../slab.h" +DEFINE_SPINLOCK(aux_lock); + /* * All functions below always inlined so compiler could * perform better optimizations in each of __asan_loadX/__assn_storeX @@ -502,6 +505,8 @@ static void __kasan_record_aux_stack(void *addr, depot_flags_t depot_flags) struct kmem_cache *cache; struct kasan_alloc_meta *alloc_meta; void *object; + depot_stack_handle_t new_handle, old_handle; + unsigned long flags; if (is_kfence_address(addr) || !slab) return; @@ -512,9 +517,15 @@ static void __kasan_record_aux_stack(void *addr, depot_flags_t depot_flags) if (!alloc_meta) return; - stack_depot_put(alloc_meta->aux_stack[1]); + new_handle = kasan_save_stack(0, depot_flags); + + spin_lock_irqsave(&aux_lock, flags); + old_handle = alloc_meta->aux_stack[1]; alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0]; - alloc_meta->aux_stack[0] = kasan_save_stack(0, depot_flags); + alloc_meta->aux_stack[0] = new_handle; + spin_unlock_irqrestore(&aux_lock, flags); + + stack_depot_put(old_handle); } void kasan_record_aux_stack(void *addr) -- 2.25.1
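Review bot: the `+DEFINE_SPINLOCK(aux_lock);` added after `#include "../slab.h"` in the second hunk is file-global but not `static`, and carries no comment saying what it protects; since the lock is only taken inside __kasan_record_aux_stack, it should read `static DEFINE_SPINLOCK(aux_lock);` with a one-line comment that it serializes the aux_stack[] rotation for every object. A single global lock also means that concurrent aux-stack records on unrelated objects contend on it; if that ever shows up, a per-object lock inside kasan_alloc_meta is the alternative, but the global lock is the smaller change and is fine as a first fix.

Review bot: the locked region in the last hunk has the right shape, with kasan_save_stack called before `spin_lock_irqsave(&aux_lock, flags);` and `stack_depot_put(old_handle);` issued only after the unlock, so no depot call sits inside the critical section; what is missing is a comment at the lock line recording the race it closes. From the removed `- stack_depot_put(alloc_meta->aux_stack[1]);` line it follows that two callers racing on the same object could each put the same aux_stack[1] handle (a double put), and with the unlocked shift-then-assign sequence one caller's aux_stack[0] write could be overwritten before it is ever moved to aux_stack[1] and put (a leaked handle); stating that in a line above the lock makes its purpose clear to the next reader and to anyone bisecting a depot refcount problem back to this function.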