From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 523252E0413 for ; Fri, 12 Sep 2025 10:13:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.54 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757672006; cv=none; b=cYs41Aq33wvfu1mwHuQKMtbscZSbDuGXANcFpCMa2hFNXyW639F4n/k3zm9Nihw4/lH1BbAMeP5Huy/WwHXo7UMRWSgWkLQXTWerNLtgeIuPDOcpQUvHlD9ssE0/JY/k/YDiY+6+oJce/O/uAaJPoso5QvMhjiPRGbbEgKlLXrM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757672006; c=relaxed/simple; bh=xBysK8gV2dBvim56r1xsBo0HiYvpD2t6feorIo85ANY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FFXAr0TlJF3QaWGfJvE7/64gw59fcDecYKIMl71ug7gM1e/soN16Nhnpg2KMQr3Gnmuz7f2N3tra2f0wBk9BGPT+WACl4WBvbx/DwWCQeKV8XEsqXGQhVKJ223RbudBtgfeZZKdAv6OuW+43D1uHL7TBfeChyQBmOvfLRKPa1Po= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=HQCReLo3; arc=none smtp.client-ip=209.85.216.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="HQCReLo3" Received: by mail-pj1-f54.google.com with SMTP id 98e67ed59e1d1-32d9086276eso1731073a91.0 for ; Fri, 12 Sep 2025 03:13:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1757672003; x=1758276803; darn=lists.linux.dev; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=VbQZ2RA/ceP/Xd/vXrNH7xFxG1mfw2BEk3J2LPmN1HA=; b=HQCReLo3vXrOPBhE58FIlplmtB9nWwgi1jVytty/WbBS7SH+OovMW9EZh/ORTIvtV5 fj8t+yaP0ib/LmS0/h14ijHjzQ5D9BmmD8CAAfh/1ivzw5/3PvvH+adpDHlQFHcSK/X6 9Lh7rPuMCX3JSiHmLgj/YUsLsZg2LD6yAibgHWuJvp+YB5DkmEEqM5R2mjLswQ8wjd8M rYFuoSOrHeQRyZ0U64FE1S4U2A3PkM2PmUhEZRY2c8p5/ZCxZZ4TyyprC60n0YWtTbtn 3TxlfmZ7ay0LYpvVCF9osv3QXgtko9ZtJDFTVWV/msru4dmxh2x3WEY1cOoB59FCgoSg ZAQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757672003; x=1758276803; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VbQZ2RA/ceP/Xd/vXrNH7xFxG1mfw2BEk3J2LPmN1HA=; b=GOKcIMmLvBjD5k8T+sxLLF76XDYClFpVz4yMHR6r5p9S1vF1c2IBsDgLISiLkzGXAY 6ZPLFBFeHxFnYCKrgKEbsgSSeRp9cnoC/jO+kWvfAHZ4x9b5189wkkiGzhXk9HJ3XKsV qR1aEXnt8E7rBUEn71XtUglWv9vIxjbVOOxqU86X1aXlY3oFZl7ybhaN0roKcKI1DwiY JgsHyKw9euoOUOAEl2iibnRVgxhBhhNmmHcOAdI+WaVQaV5udFyo9Twxs1vQemUvnSg8 fd+HVMleHUDNkKNiT/mkirNtK4j4tAdJ6Q1bKxOoAdSRPXVbJUc/VynAS8sG9nVoG1E1 gvGg== X-Forwarded-Encrypted: i=1; AJvYcCWQbqTqZ92JtKW2eQKs8+KR5qqntfUZFBC5a5u95fVavmYHW95uV/BrF68FkS+h8HBt/Dnz@lists.linux.dev X-Gm-Message-State: AOJu0Yz0rEzlgWU3G40devSwKVua2iJFfzeGkbF1ZcKp+7/BQoYYf26P Lr/GZdet4D41o+P39ShKbsUY5WnqQrPIldxkWy7UfFDgP5D62C4By/9B X-Gm-Gg: ASbGnctn1m3JjE1mirx+e+4gAU6UsD8lxMlN/8I8sYETWEXmdiUnlXd94X3u0c/qZ3G APo+wpW1oxq6FFv3ToGO8+nHF+4bkMtAgdg4PSSLFXwgUpSQ4BHplWehdQMtfHNe0ZUWNVrwJE4 SXLUkAtxdn31Osgzzf6zTUKk3l3h3j9+bGJJku9qh35PKpKrrPJLQq6/oBtL/lMsPEGD7ZRMqN0 hcV2mz6oyKOw176vMDO8ruP1nMFaUb6ZTquvDu8UsMRU3NOjl/98UJQSKuBrhsgftHZLm5/nUMK 61c/D017Hbi+xVr29XaMycRkf6YYiHailGa2bIq/mRXRj8ebq0O2m4Okh0zCGIBtVqnP79QCJ/u qVAZa3Lzry22CsT2atajlAzt6HHqavTMDmAI= X-Google-Smtp-Source: AGHT+IF25l3C1E8p5GHeNvlIVkbp0kOIYt1wPzTaRq0s8H1fBwmcnKLuf8G6T/dCuiyhKBgfSsTJeA== X-Received: by 2002:a17:90b:2b46:b0:32d:7093:7f6b with SMTP id 98e67ed59e1d1-32de4f96188mr2888054a91.30.1757672003490; Fri, 12 Sep 2025 03:13:23 -0700 (PDT) Received: from localhost ([185.49.34.62]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-32dd98b3ea0sm5091462a91.18.2025.09.12.03.13.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Sep 2025 03:13:22 -0700 (PDT) From: Jinchao Wang To: Andrew Morton , Masami Hiramatsu , Peter Zijlstra , Mike Rapoport , Alexander Potapenko , Jonathan Corbet , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Valentin Schneider , Arnaldo Carvalho de Melo , Namhyung Kim , Mark Rutland , Alexander Shishkin , Jiri Olsa , Ian Rogers , Adrian Hunter , "Liang, Kan" , David Hildenbrand , Lorenzo Stoakes , "Liam R. Howlett" , Vlastimil Babka , Suren Baghdasaryan , Michal Hocko , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt , Kees Cook , Alice Ryhl , Sami Tolvanen , Miguel Ojeda , Masahiro Yamada , Rong Xu , Naveen N Rao , David Kaplan , Andrii Nakryiko , Jinjie Ruan , Nam Cao , workflows@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, linux-mm@kvack.org, llvm@lists.linux.dev, Andrey Ryabinin , Andrey Konovalov , Dmitry Vyukov , Vincenzo Frascino , kasan-dev@googlegroups.com, "David S. Miller" , Mathieu Desnoyers , linux-trace-kernel@vger.kernel.org Cc: Jinchao Wang Subject: [PATCH v4 17/21] mm/ksw: add silent corruption test case Date: Fri, 12 Sep 2025 18:11:27 +0800 Message-ID: <20250912101145.465708-18-wangjinchao600@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250912101145.465708-1-wangjinchao600@gmail.com> References: <20250912101145.465708-1-wangjinchao600@gmail.com> Precedence: bulk X-Mailing-List: llvm@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Introduce a new test scenario to simulate silent stack corruption: - silent_corruption_buggy(): exposes a local variable address globally without resetting it. - silent_corruption_unwitting(): reads the exposed pointer and modifies the memory, simulating a routine that unknowingly writes to another stack frame. - silent_corruption_victim(): demonstrates the effect of silent corruption on unrelated local variables. Signed-off-by: Jinchao Wang --- mm/kstackwatch/test.c | 96 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 95 insertions(+), 1 deletion(-) diff --git a/mm/kstackwatch/test.c b/mm/kstackwatch/test.c index ab1a3f92b5e8..2b196f72ffd7 100644 --- a/mm/kstackwatch/test.c +++ b/mm/kstackwatch/test.c @@ -20,6 +20,9 @@ static struct proc_dir_entry *test_proc; #define BUFFER_SIZE 4 #define MAX_DEPTH 6 +/* global variables for Silent corruption test */ +static u64 *g_corrupt_ptr; + /* * Test Case 0: Write to the canary position directly (Canary Test) * use a u64 buffer array to ensure the canary will be placed @@ -61,6 +64,92 @@ static void canary_test_overflow(void) pr_info("canary overflow test completed\n"); } +static void do_something(int min_ms, int max_ms) +{ + u32 rand; + + get_random_bytes(&rand, sizeof(rand)); + rand = min_ms + rand % (max_ms - min_ms + 1); + msleep(rand); +} + +static void silent_corruption_buggy(int i) +{ + u64 local_var; + + pr_info("starting %s\n", __func__); + + pr_info("%s %d local_var addr: 0x%lx\n", __func__, i, + (unsigned long)&local_var); + WRITE_ONCE(g_corrupt_ptr, &local_var); + + do_something(50, 150); + //buggy: return without resetting g_corrupt_ptr +} + +static void silent_corruption_victim(int i) +{ + u64 local_var; + + local_var = 0xdeadbeef; + pr_info("starting %s %dth\n", __func__, i); + pr_info("%s local_var addr: 0x%lx\n", __func__, + (unsigned long)&local_var); + + do_something(50, 150); + + if (local_var != 0) + pr_info("%s %d happy with 0x%llx\n", __func__, i, local_var); + else + pr_info("%s %d unhappy with 0x%llx\n", __func__, i, local_var); +} + +static int silent_corruption_unwitting(void *data) +{ + u64 *local_ptr; + + pr_info("starting %s\n", __func__); + + do { + local_ptr = READ_ONCE(g_corrupt_ptr); + do_something(500, 1000); + } while (!local_ptr); + + local_ptr[0] = 0; + + return 0; +} + +/* + * Test Case 2: Silent Corruption + * buggy() does not protect its local var correctly + * unwitting() simply does its intended work + * victim() is unaware know what happened + */ +static void silent_corruption_test(void) +{ + struct task_struct *unwitting; + + pr_info("starting %s\n", __func__); + WRITE_ONCE(g_corrupt_ptr, NULL); + + unwitting = kthread_run(silent_corruption_unwitting, NULL, "unwitting"); + if (IS_ERR(unwitting)) { + pr_err("failed to create thread2\n"); + return; + } + + silent_corruption_buggy(0); + + /* + * An iteration-based bug: The unwitting thread corrupts the victim's + * stack. In a twist of fate, the victim's subsequent repetitions ensure + * the corruption is contained, protecting the caller's stack. + */ + for (int i = 0; i < 20; i++) + silent_corruption_victim(i); +} + static ssize_t test_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *pos) { @@ -88,6 +177,10 @@ static ssize_t test_proc_write(struct file *file, const char __user *buffer, pr_info("triggering canary overflow test\n"); canary_test_overflow(); break; + case 2: + pr_info("triggering silent corruption test\n"); + silent_corruption_test(); + break; default: pr_err("Unknown test number %d\n", test_num); return -EINVAL; @@ -108,7 +201,8 @@ static ssize_t test_proc_read(struct file *file, char __user *buffer, "==================================\n" "Usage:\n" " echo 'test0' > /proc/kstackwatch_test - Canary write test\n" - " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n"; + " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n" + " echo 'test2' > /proc/kstackwatch_test - Silent corruption test\n"; return simple_read_from_buffer(buffer, count, pos, usage, strlen(usage)); -- 2.43.0