From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752694AbbIIGqs (ORCPT ); Wed, 9 Sep 2015 02:46:48 -0400 Received: from szxga02-in.huawei.com ([119.145.14.65]:48573 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751071AbbIIGqj (ORCPT ); Wed, 9 Sep 2015 02:46:39 -0400 Message-ID: <55EFD46A.20309@huawei.com> Date: Wed, 9 Sep 2015 14:40:42 +0800 From: "long.wanglong" User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121010 Thunderbird/16.0.1 MIME-Version: 1.0 To: Xishi Qiu , CC: Andrew Morton , Andrey Konovalov , Rusty Russell , Michal Marek , , Linux MM , LKML , Wang Long Subject: Re: [PATCH V2] kasan: fix last shadow judgement in memory_is_poisoned_16() References: <55EED09E.3010107@huawei.com> In-Reply-To: <55EED09E.3010107@huawei.com> Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.111.152.157] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2015/9/8 20:12, Xishi Qiu wrote: > The shadow which correspond 16 bytes memory may span 2 or 3 bytes. If the > memory is aligned on 8, then the shadow takes only 2 bytes. So we check > "shadow_first_bytes" is enough, and need not to call "memory_is_poisoned_1(addr + 15);". > But the code "if (likely(!last_byte))" is wrong judgement. > > e.g. addr=0, so last_byte = 15 & KASAN_SHADOW_MASK = 7, then the code will > continue to call "memory_is_poisoned_1(addr + 15);" > > Signed-off-by: Xishi Qiu > --- > mm/kasan/kasan.c | 3 +-- > 1 files changed, 1 insertions(+), 2 deletions(-) > > diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c > index 7b28e9c..8da2114 100644 > --- a/mm/kasan/kasan.c > +++ b/mm/kasan/kasan.c > @@ -135,12 +135,11 @@ static __always_inline bool memory_is_poisoned_16(unsigned long addr) > > if (unlikely(*shadow_addr)) { > u16 shadow_first_bytes = *(u16 *)shadow_addr; > - s8 last_byte = (addr + 15) & KASAN_SHADOW_MASK; > > if (unlikely(shadow_first_bytes)) > return true; > > - if (likely(!last_byte)) > + if (likely(IS_ALIGNED(addr, 8))) > return false; > > return memory_is_poisoned_1(addr + 15); > Hi, I also notice this problem, how about another method to fix it: diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 5d65d06..6a20dda 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -140,7 +140,7 @@ static __always_inline bool memory_is_poisoned_16(unsigned long addr) if (unlikely(shadow_first_bytes)) return true; - if (likely(!last_byte)) + if (likely(last_byte >= 7)) return false; return memory_is_poisoned_1(addr + 15); This method can ensure consistency of code, for example, in memory_is_poisoned_8: static __always_inline bool memory_is_poisoned_8(unsigned long addr) { u16 *shadow_addr = (u16 *)kasan_mem_to_shadow((void *)addr); if (unlikely(*shadow_addr)) { if (memory_is_poisoned_1(addr + 7)) return true; if (likely(((addr + 7) & KASAN_SHADOW_MASK) >= 7)) return false; return unlikely(*(u8 *)shadow_addr); } return false; } Otherwise, we also should use IS_ALIGNED macro in memory_is_poisoned_8! Best Regards Wang Long