mm: slub: call kasan_alloc_pages before freeing pages in slub

KASan marks slub objects as redzone and free, and the bitmasks for
that region are not cleared until the pages are freed. When
CONFIG_PAGE_POISONING is enabled, as the pages still have special
bitmasks, a KASan report arises during page poisoning. So mark the
pages as alloc status before poisoning the pages.
==================================================================
BUG: KASan: use after free in memset+0x24/0x44 at addr ffffffc0bb628000
Write of size 4096 by task kworker/u8:0/6
page:ffffffbacc51d900 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
Call trace:
[<ffffffc00008c010>] dump_backtrace+0x0/0x250
[<ffffffc00008c270>] show_stack+0x10/0x1c
[<ffffffc001b6f9e4>] dump_stack+0x74/0xfc
[<ffffffc0002debf4>] kasan_report_error+0x2b0/0x408
[<ffffffc0002dee28>] kasan_report+0x34/0x40
[<ffffffc0002de240>] __asan_storeN+0x15c/0x168
[<ffffffc0002de47c>] memset+0x20/0x44
[<ffffffc0002d77bc>] kernel_map_pages+0x2e8/0x384
[<ffffffc000266458>] free_pages_prepare+0x340/0x3a0
[<ffffffc0002694cc>] __free_pages_ok+0x20/0x12c
[<ffffffc00026a698>] __free_pages+0x34/0x44
[<ffffffc00026ab3c>] __free_kmem_pages+0x8/0x14
[<ffffffc0002dc3fc>] kfree+0x114/0x254
[<ffffffc000b05748>] devres_free+0x48/0x5c
[<ffffffc000b05824>] devres_destroy+0x10/0x28
[<ffffffc000b05958>] devm_kfree+0x1c/0x3c
Memory state around the buggy address:
 ffffffc0bb627f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0bb627f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffffffc0bb628000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                    ^
 ffffffc0bb628080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffffc0bb628100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
BUG: KASan: use after free in memset+0x24/0x44 at addr ffffffc0bb2fe000
Write of size 4096 by task swapper/0/1
page:ffffffbacc4fdec0 count:0 mapcount:0 mapping:          (null) index:0xffffffc0bb2fe6a0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
Call trace:
[<ffffffc00008c010>] dump_backtrace+0x0/0x250
[<ffffffc00008c270>] show_stack+0x10/0x1c
[<ffffffc001b6f9e4>] dump_stack+0x74/0xfc
[<ffffffc0002debf4>] kasan_report_error+0x2b0/0x408
[<ffffffc0002dee28>] kasan_report+0x34/0x40
[<ffffffc0002de240>] __asan_storeN+0x15c/0x168
[<ffffffc0002de47c>] memset+0x20/0x44
[<ffffffc0002d77bc>] kernel_map_pages+0x2e8/0x384
[<ffffffc000266458>] free_pages_prepare+0x340/0x3a0
[<ffffffc0002694cc>] __free_pages_ok+0x20/0x12c
[<ffffffc00026a698>] __free_pages+0x34/0x44
[<ffffffc0002d9c98>] __free_slab+0x15c/0x178
[<ffffffc0002d9d14>] discard_slab+0x60/0x6c
[<ffffffc0002dc034>] __slab_free+0x320/0x340
[<ffffffc0002dc224>] kmem_cache_free+0x1d0/0x25c
[<ffffffc0003bb608>] kernfs_put+0x2a0/0x3d8
Memory state around the buggy address:
 ffffffc0bb2fdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffc0bb2fdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffffffc0bb2fe000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
                   ^
 fffffc0bb2fe080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffc0bb2fe100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Change-Id: Id963b9439685f94a022dcdd60b59aaf126610387
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
1 file changed
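
Added illustration, not part of the commit or the kernel source: a user-space C model of the false positive described in the commit message, where stale slab shadow bytes (fb/fc, as in the second report) are still set when the page-poisoning write runs. The names `checked_memset`, `slab_leaves_stale_shadow` and `free_slab_page` are hypothetical, and the shadow handling is a simplified assumption of how KASan tracks one shadow byte per 8 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096
#define SHADOW_SHIFT 3              /* one shadow byte per 8 bytes of memory */
#define KASAN_FREE_PAGE 0xFF        /* shadow values seen in the reports above */
#define KASAN_KMALLOC_REDZONE 0xFC
#define KASAN_KMALLOC_FREE 0xFB
#define PAGE_POISON 0xAA            /* pattern written by page poisoning */

static uint8_t page[MODEL_PAGE_SIZE];
static uint8_t shadow[MODEL_PAGE_SIZE >> SHADOW_SHIFT];
static int reports;

/* Model of an instrumented memset: a non-zero shadow byte is a bad access. */
static void checked_memset(uint8_t *p, int c, size_t n)
{
    size_t first = (size_t)(p - page) >> SHADOW_SHIFT;
    for (size_t i = first; i < first + (n >> SHADOW_SHIFT); i++)
        if (shadow[i]) { reports++; break; }   /* one report per access */
    memset(p, c, n);
}

/* A slab page whose objects were freed: fb for the object, fc for redzones. */
static void slab_leaves_stale_shadow(void)
{
    memset(shadow, KASAN_KMALLOC_REDZONE, sizeof(shadow));
    memset(shadow, KASAN_KMALLOC_FREE, 15);
}

/* Free the page with poisoning enabled; returns the number of reports. */
int free_slab_page(int unpoison_first)
{
    reports = 0;
    slab_leaves_stale_shadow();
    if (unpoison_first)                     /* models the call the commit adds */
        memset(shadow, 0, sizeof(shadow));  /* mark the whole page accessible */
    checked_memset(page, PAGE_POISON, MODEL_PAGE_SIZE); /* poisoning write */
    memset(shadow, KASAN_FREE_PAGE, sizeof(shadow));    /* page is now free */
    return reports;
}

int main(void)
{
    printf("stale shadow:     %d report(s)\n", free_slab_page(0));
    printf("unpoisoned first: %d report(s)\n", free_slab_page(1));
    return 0;
}
```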