> On Sep 11, 2019, at 4:39 AM, Walter Wu <walter-zh.wu@xxxxxxxxxxxx> wrote:
>
> This patch is KASAN's report adds the alloc/free stack for page allocator
> in order to help programmer to see memory corruption caused by the page.
>
> By default, KASAN doesn't record alloc or free stack for page allocator.
> It is difficult to fix up the page use-after-free or double-free issue.
>
> We add the following changing:
> 1) KASAN enable PAGE_OWNER by default to get the alloc stack of the page.
> 2) Add new feature option to get the free stack of the page.
>
> The new feature KASAN_DUMP_PAGE depends on DEBUG_PAGEALLOC, it will help
> to record free stack of the page, it is very helpful for solving the page
> use-after-free or double-free issue.
>
> When KASAN_DUMP_PAGE is enabled then KASAN's report will show the last
> alloc and free stack of the page, it should be:
>
> BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0x70/0x80
> Write of size 1 at addr ffffffc0d60e4000 by task cat/115
> ...
> prep_new_page+0x1c8/0x218
> get_page_from_freelist+0x1ba0/0x28d0
> __alloc_pages_nodemask+0x1d4/0x1978
> kmalloc_order+0x28/0x58
> kmalloc_order_trace+0x28/0xe0
> kmalloc_pagealloc_uaf+0x2c/0x80
> page last free stack trace:
> __free_pages_ok+0x116c/0x1630
> __free_pages+0x50/0x78
> kfree+0x1c4/0x250
> kmalloc_pagealloc_uaf+0x38/0x80
>
> Changes since v1:
> - slim page_owner and move it into kasan
> - enable the feature by default
>
> Changes since v2:
> - enable PAGE_OWNER by default
> - use DEBUG_PAGEALLOC to get page information
>
> cc: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
> cc: Vlastimil Babka <vbabka@xxxxxxx>
> cc: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> Signed-off-by: Walter Wu <walter-zh.wu@xxxxxxxxxxxx>
> ---
> lib/Kconfig.kasan | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
> index 4fafba1a923b..4d59458c0c5a 100644
> --- a/lib/Kconfig.kasan
> +++ b/lib/Kconfig.kasan
> @@ -41,6 +41,7 @@ config KASAN_GENERIC > select SLUB_DEBUG if SLUB > select CONSTRUCTORS > select STACKDEPOT > + select PAGER_OWNER > help > Enables generic KASAN mode. > Supported in both GCC and Clang. With GCC it requires version 4.9.2 > @@ -63,6 +64,7 @@ config KASAN_SW_TAGS > select SLUB_DEBUG if SLUB > select CONSTRUCTORS > select STACKDEPOT > + select PAGER_OWNER > help > Enables software tag-based KASAN mode. > This mode requires Top Byte Ignore support by the CPU and therefore > @@ -135,6 +137,19 @@ config KASAN_S390_4_LEVEL_PAGING > to 3TB of RAM with KASan enabled). This options allows to force > 4-level paging instead. > > +config KASAN_DUMP_PAGE > + bool "Dump the last allocation and freeing stack of the page" > + depends on KASAN > + select DEBUG_PAGEALLOC > + help > + By default, KASAN enable PAGE_OWNER only to record alloc stack > + for page allocator. It is difficult to fix up page use-after-free > + or double-free issue. > + This feature depends on DEBUG_PAGEALLOC, it will extra record > + free stack of page. It is very helpful for solving the page > + use-after-free or double-free issue. > + This option will have a small memory overhead. > + > config TEST_KASAN > tristate "Module for testing KASAN for bug detection" > depends on m && KASAN > — The new config looks redundant and confusing. It looks to me more of a document update in Documentation/dev-tools/kasan.txt to educate developers to select PAGE_OWNER and DEBUG_PAGEALLOC if needed.
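Review bot: In the KASAN_GENERIC hunk (@@ -41,6 +41,7 @@), `+ select PAGER_OWNER` is a typo for the symbol the commit message and the new help text actually name, PAGE_OWNER. Kconfig treats a select of an undefined symbol as a no-op, so as written this hunk enables nothing and the promised "alloc stack of the page" will not appear; change it to `select PAGE_OWNER`. Two further things to weigh before keeping even the corrected line: PAGE_OWNER has its own `depends on DEBUG_KERNEL && STACKTRACE_SUPPORT`, which a `select` bypasses rather than satisfies, and page_owner is gated at runtime by the `page_owner=on` boot parameter, so building it in does not by itself record allocation stacks. Either `depends on` is the right relation here, or the commit message and Documentation/dev-tools/kasan.txt need to say that the boot parameter is still required.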
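Review bot: The KASAN_SW_TAGS hunk (@@ -63,6 +64,7 @@) repeats the same misspelled symbol, `+ select PAGER_OWNER`, and needs the same fix to `select PAGE_OWNER`. Since both KASAN modes now want the identical line, consider attaching it once to the common `config KASAN` block instead of duplicating it per mode, so the two cannot drift apart again.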
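Review bot: In the KASAN_DUMP_PAGE hunk (@@ -135,6 +137,19 @@), the help text says the feature "depends on DEBUG_PAGEALLOC" but the Kconfig line is `+ select DEBUG_PAGEALLOC`. DEBUG_PAGEALLOC has `depends on DEBUG_KERNEL && ARCH_SUPPORTS_DEBUG_PAGEALLOC`, so selecting it unconditionally from any KASAN build produces an unmet-dependency configuration on architectures without that support; `depends on DEBUG_PAGEALLOC` matches the prose and avoids that. More fundamentally, the diffstat shows only lib/Kconfig.kasan changed, so no code anywhere tests CONFIG_KASAN_DUMP_PAGE: the new symbol is purely an alias for turning on DEBUG_PAGEALLOC, which is the redundancy raised below. The help text also needs tightening: "KASAN enable PAGE_OWNER only to record alloc stack" should read "KASAN enables PAGE_OWNER only to record the alloc stack", "it will extra record free stack of page" should read "it additionally records the free stack of the page", and "This option will have a small memory overhead" understates the cost, since DEBUG_PAGEALLOC's own help describes unmapping freed pages as a large slowdown; say that, and note that the freeing stack is only saved when debug_pagealloc is actually enabled at runtime.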