From: Peter Zijlstra <peterz@infradead.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Eric Dumazet <edumazet@google.com>,
Sasha Levin <sasha.levin@oracle.com>
Subject: Re: use-after-free in __perf_install_in_context
Date: Tue, 8 Dec 2015 17:44:12 +0100 [thread overview]
Message-ID: <20151208164412.GD6357@twins.programming.kicks-ass.net> (raw)
In-Reply-To: <CACT4Y+b8mQs7mDZ2O_k69XuhJAtfXJZ4zOQDCagnRcr7ZJOgzg@mail.gmail.com>
On Mon, Dec 07, 2015 at 05:09:21PM +0100, Dmitry Vyukov wrote:
> If your audit does not give any results, can you give me a patch that
> prints rcu callback submission stacks in KASAN reports?
Just because my brain is fried for today, I figured I'd give it a go.
Completely untested..
---
include/linux/slub_def.h | 2 ++
kernel/rcu/tree_plugin.h | 1 +
mm/slub.c | 34 ++++++++++++++++++++++++++++++++--
3 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
index 33885118523c..445b586c0bfa 100644
--- a/include/linux/slub_def.h
+++ b/include/linux/slub_def.h
@@ -129,4 +129,6 @@ static inline void *virt_to_obj(struct kmem_cache *s,
void object_err(struct kmem_cache *s, struct page *page,
u8 *object, char *reason);
+void object_set_indirect(const void *addr);
+
#endif /* _LINUX_SLUB_DEF_H */
diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
index 630c19772630..4e1e79e01e34 100644
--- a/kernel/rcu/tree_plugin.h
+++ b/kernel/rcu/tree_plugin.h
@@ -659,6 +659,7 @@ static void rcu_preempt_do_callbacks(void)
*/
void call_rcu(struct rcu_head *head, rcu_callback_t func)
{
+ object_set_indirect(head);
__call_rcu(head, func, rcu_state_p, -1, 0);
}
EXPORT_SYMBOL_GPL(call_rcu);
diff --git a/mm/slub.c b/mm/slub.c
index 46997517406e..6977dc7cffcd 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -196,7 +196,12 @@ struct track {
unsigned long when; /* When did the operation occur */
};
-enum track_item { TRACK_ALLOC, TRACK_FREE };
+enum track_item {
+ TRACK_ALLOC = 0,
+ TRACK_FREE,
+ TRACK_INDIRECT,
+ TRACK_NR,
+};
#ifdef CONFIG_SYSFS
static int sysfs_slab_add(struct kmem_cache *);
@@ -551,6 +556,7 @@ static void init_tracking(struct kmem_cache *s, void *object)
set_track(s, object, TRACK_FREE, 0UL);
set_track(s, object, TRACK_ALLOC, 0UL);
+ set_track(s, object, TRACK_INDIRECT, 0UL);
}
static void print_track(const char *s, struct track *t)
@@ -579,6 +585,7 @@ static void print_tracking(struct kmem_cache *s, void *object)
print_track("Allocated", get_track(s, object, TRACK_ALLOC));
print_track("Freed", get_track(s, object, TRACK_FREE));
+ print_track("Indirect", get_track(s, object, TRACK_INDIRECT));
}
static void print_page_info(struct page *page)
@@ -652,6 +659,29 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
dump_stack();
}
+void object_set_indirect(const void *addr)
+{
+ if ((addr >= (void *)PAGE_OFFSET) &&
+ (addr < high_memory)) {
+ struct page *page = virt_to_head_page(addr);
+
+ if (PageSlab(page)) {
+ void *object;
+ struct kmem_cache *cache = page->slab_cache;
+ void *last_object;
+
+ object = virt_to_obj(cache, page_address(page), addr);
+ last_object = page_address(page) +
+ page->objects * cache->size;
+
+ if (unlikely(object > last_object))
+ object = last_object; /* we hit into padding */
+
+ set_track(cache, object, TRACK_INDIRECT, (unsigned long)addr);
+ }
+ }
+}
+
void object_err(struct kmem_cache *s, struct page *page,
u8 *object, char *reason)
{
@@ -767,7 +797,7 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
if (s->flags & SLAB_STORE_USER)
/* We also have user information there */
- off += 2 * sizeof(struct track);
+ off += TRACK_NR * sizeof(struct track);
if (s->size == off)
return 1;
next prev parent reply other threads:[~2015-12-08 16:44 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-04 20:04 use-after-free in __perf_install_in_context Dmitry Vyukov
2015-12-04 20:32 ` Alexei Starovoitov
2015-12-04 21:00 ` Dmitry Vyukov
2015-12-07 11:04 ` Dmitry Vyukov
2015-12-07 11:06 ` Dmitry Vyukov
2015-12-07 11:24 ` Dmitry Vyukov
2015-12-07 15:36 ` Peter Zijlstra
2015-12-07 16:09 ` Dmitry Vyukov
2015-12-08 3:24 ` Alexei Starovoitov
2015-12-08 16:12 ` Dmitry Vyukov
2015-12-08 17:54 ` Alexei Starovoitov
2015-12-08 17:56 ` Dmitry Vyukov
2015-12-08 18:05 ` Alexei Starovoitov
2015-12-08 18:35 ` Dmitry Vyukov
2015-12-08 19:56 ` Alexei Starovoitov
2015-12-09 9:17 ` Dmitry Vyukov
2015-12-10 3:54 ` Alexei Starovoitov
2015-12-10 9:02 ` Peter Zijlstra
2015-12-10 17:03 ` Alexei Starovoitov
2015-12-11 8:14 ` Ingo Molnar
2015-12-15 13:11 ` Dmitry Vyukov
2015-12-08 16:44 ` Peter Zijlstra [this message]
2015-12-08 19:14 ` Dmitry Vyukov
2015-12-10 19:57 ` Peter Zijlstra
2015-12-15 13:09 ` Dmitry Vyukov
2015-12-17 14:06 ` Peter Zijlstra
2015-12-17 14:08 ` Dmitry Vyukov
2015-12-17 14:26 ` Peter Zijlstra
2015-12-17 14:28 ` Peter Zijlstra
2015-12-17 14:35 ` Dmitry Vyukov
2015-12-17 14:43 ` Peter Zijlstra
2015-12-31 17:15 ` Dmitry Vyukov
2016-01-05 12:17 ` Peter Zijlstra
2016-01-08 8:40 ` Dmitry Vyukov
2016-01-08 10:28 ` Dmitry Vyukov
2016-01-06 18:46 ` [tip:perf/core] perf: Fix race in perf_event_exec() tip-bot for Peter Zijlstra
2016-01-06 18:56 ` Eric Dumazet
2016-01-07 13:40 ` Peter Zijlstra
2016-01-07 16:26 ` Paul E. McKenney
2016-01-07 16:36 ` Eric Dumazet
2016-01-07 16:46 ` Paul E. McKenney
2015-12-08 16:22 ` use-after-free in __perf_install_in_context Peter Zijlstra
2015-12-08 18:57 ` Ingo Molnar
2015-12-09 9:05 ` Peter Zijlstra
2015-12-08 16:27 ` Peter Zijlstra
2015-12-08 16:50 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151208164412.GD6357@twins.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=acme@kernel.org \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.