From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933451AbcFJRRt (ORCPT ); Fri, 10 Jun 2016 13:17:49 -0400 Received: from mail-am1on0111.outbound.protection.outlook.com ([157.56.112.111]:13664 "EHLO emea01-am1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S932426AbcFJRRr (ORCPT ); Fri, 10 Jun 2016 13:17:47 -0400 Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=aryabinin@virtuozzo.com; Subject: Re: [PATCH v5 1/2] mm, kasan: improve double-free detection To: Kuthonuzo Luruo , , , , , , , References: <20160607180322.GA1782@cherokee.in.rdlabs.hpecorp.net> <5759A0A9.3080301@virtuozzo.com> CC: , , From: Andrey Ryabinin Message-ID: <575AF2D9.7030701@virtuozzo.com> Date: Fri, 10 Jun 2016 20:03:21 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0 MIME-Version: 1.0 In-Reply-To: <5759A0A9.3080301@virtuozzo.com> Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: 7bit X-Originating-IP: [195.214.232.10] X-ClientProxiedBy: AM2PR09CA0002.eurprd09.prod.outlook.com (10.161.22.140) To HE1PR0801MB1307.eurprd08.prod.outlook.com (10.167.247.149) X-MS-Office365-Filtering-Correlation-Id: ee53cb4f-1896-492f-8119-08d39151044c X-Microsoft-Exchange-Diagnostics: 1;HE1PR0801MB1307;2:94FJ0cH+P0apVrt76hT8/QVLcEboecn8nZYG9inLxE5rlRyc3TbnSGOX8/5mtpeS4QskLU+1Qz9fkTyxPwqtfkOhw50ArNU7M9g6XGFvCC9QRgajUpOMyUS0++TNojeCQh25Ae79wHAe2biGV/6eKBS6q6RlHWksHCAMd3lOsRybGLB+ZBkMWapr5XyxWgqN;3:LjGZ5XXjG3lIufSncwmncGPoWE7fKcxFQisltukRK4xzdxL/oyy7TiLK1RkXeWq/a9q0KqWDbHI5Jf7nF+P6MScuK+P+fbx/3apq8vAG6zniNTeWrPS8dTvRS2jLmYhv;25:+bgGo8c9PYVCLydl9e7/zTBp8IdQrBOL92Ms0x3VrNmbzkaaTztZ1jr50ZfLcNe0Z8/mRdJgevrn2ZLupSvjrQ/R0pIPvdHxPOQI8B9ucQ/cNDX1LJkPgzaMTS2hHDOwaingfiI39m+xEt1ullUWF/lsf79AQGMMqX5j2rbbNZCK/3BdFtHsUxxTM+QPEse5oA97yyvw+yVbWWPHUbYTFEWOnAWIvJfHJvQfv7//rkshx0O+pTrcFsbSwgWsDtXlPyPnN133XFsqo52TAsfMTvgEyCzC7OqzG8A3MaHl1qgfXFroz8z1Oz/WEDcVQanyXLSZeAdH70w4mj6bsCR6ahLGwWCz/JgoMYh4m4r9WaAhdNwb/ads+vJF3Q9zfdKAzJfdqp3li3rg591YisDUxYd8zmItRx21z6fWc+8Wu4w= X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:HE1PR0801MB1307; X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(6040130)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041072)(6043046);SRVR:HE1PR0801MB1307;BCL:0;PCL:0;RULEID:;SRVR:HE1PR0801MB1307; X-Microsoft-Exchange-Diagnostics: 1;HE1PR0801MB1307;4:zmwGV9kTRw5goU31ZAVrYC1dGneREx4QEstdUh33VV5/vzTO/ERJcwn03eq85OnlI/Bvxb+rVAXKVFzp8qJwFV6tuTdd8imx+d+01noVYw0/Z2b2yReb8PlQB/Tyt5NTSwZXOgovza5fzaAHZ9bVCoZMjlyAXgjLRLT9FbJ2eq6Ps0XmKV5V+z59viG/PKwKTEE1UUaDrUec8u2/he9FEWKBCBd5y6edxi7/KC6giOjG+bJdHh3ZJPcG6IAsd7gUCvfHuB2MkC/XerqAi7mXhWJtIvSo4Npn3wV07tQGLMA/IPWyWrQpOXKQxULyBxcntuRrokui9Y7VDZVp1nPJOqwG06WG5p5djJGzoiNptTfSKBVd1pcrP/nFUGQ1PjajOxwB12hJ4Clggr3s2wOOsI30xFnkfvoLABlKirqjNZc= X-Forefront-PRVS: 096943F07A X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(4630300001)(6009001)(6049001)(7916002)(377454003)(189002)(24454002)(199003)(4001350100001)(5001770100001)(575784001)(36756003)(54356999)(65816999)(87266999)(50986999)(19580395003)(86362001)(80316001)(23746002)(2201001)(42186005)(5008740100001)(76176999)(97736004)(83506001)(81156014)(8676002)(230700001)(50466002)(2906002)(586003)(105586002)(101416001)(64126003)(6116002)(5004730100002)(81166006)(33656002)(189998001)(3846002)(59896002)(4326007)(106356001)(68736007)(77096005)(92566002)(2950100001)(47776003)(65806001)(65956001)(66066001);DIR:OUT;SFP:1102;SCL:1;SRVR:HE1PR0801MB1307;H:[10.30.19.223];FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;CAT:NONE;LANG:en;CAT:NONE; X-Microsoft-Exchange-Diagnostics: =?Windows-1252?Q?1;HE1PR0801MB1307;23:eCK53+Nkzt/DRJfeJ6e20FICXMs3/1qqEKX?= =?Windows-1252?Q?5qxtb8V1AKn548Tx9B3iO99ojpgNeFpabU+0pRZEpomToaYVyaiw839Z?= =?Windows-1252?Q?yVW6GwDs2MbABMpw+LvpIXcXyEdv1j/fsEbf8LjdfSG15REzvpJgqoKz?= =?Windows-1252?Q?CVav+yDcUKarbpZz5Qln8gD7wrX0AKe1X019y1P/ob5Oe4F9oXQIgPI/?= =?Windows-1252?Q?esBbiuZS2a0Dyyp8u8TC/ZyC0SPX6irS8YWPgA71ysqk/hSEj/DQsdlt?= =?Windows-1252?Q?J5uj2oEChxhZ56ZS48DqWpNz4crJZD0hgXSXWMEmhuiI7ywTTAvw9qRt?= =?Windows-1252?Q?7iUn1LoCgYd2+MkFq1+Dgxs2GVAyLvn8c3mFJdNHUbC77de/JHqizz/4?= =?Windows-1252?Q?CY7ORtbiuFkD9jlEi3Qp+7Ix4MQuzOWwiVuZFWke/+sP2nWyqtD4+908?= =?Windows-1252?Q?996lK/u/dAZxrXrvGks73rJrfce5XDjikf6yTF8yAXsY8u/ald8dr1u7?= =?Windows-1252?Q?cUhbqnm+u9hXuExmdyFu0sc5dj3lqK1s0tH4tYdxN8xFbQwEKHKf20UX?= =?Windows-1252?Q?hrbKucgZPtU1p4d1wUr5GUgzTKgvBGm3aY3Xw54CpMNpwpP11fwf/TlR?= =?Windows-1252?Q?51vQNCLMq6or26cbgHhXjhW0PZYxsFmlcO9xA4YVD2RkihhfY5M8PJJk?= =?Windows-1252?Q?tgAoSnv8U72VfpVKSAd1vy/8Tiu7RG0WahcGzQLoku5BoVoypSzS2Vx1?= =?Windows-1252?Q?bOAr3jjo7VkKsiDwDVNHmJSeaTrZuxZ9hCWo15WR4e29Md749VmV8BY0?= =?Windows-1252?Q?UWKnAt8UNGSHAVirNxV7/DWUPXMxolB/3EV/OdslInZNb3sq3u1Wn3Ho?= =?Windows-1252?Q?Xu+OiYW1HjA5ZmK0i5pJhZzNUiLa6YtCcJ0GQf/Mi0H/68cJ9GAjG+18?= =?Windows-1252?Q?3Xn5nIjmjgONEr/BaEdAXskIaGIN7FE4uckbhOL59bSfOvNzdoSrMesD?= =?Windows-1252?Q?7baM1iu6yvTE6wgRAaIN3OAlUpLPdu4tFMiZzfWtjVlfcB9iIF5+h+IP?= =?Windows-1252?Q?71gIaGJIxU8ywGQ3YeyhghcOT3qk1X4ucS0iKgu3iu+ym201kNXrE6Fe?= =?Windows-1252?Q?hEJqo/YLLhFnT+tJKgK0c4e5IAVoQyDpOSltC06N+mUFuu0sZl1HnH6+?= =?Windows-1252?Q?Rl6S+RWcC+rowfkKUDWtMbAeHI0zVMo72jXnoUHps+Al/Tll9U40DZpQ?= =?Windows-1252?Q?JPdwFdT6XTFOnKYQayhWISHZcpDhzTZIj+pzdwFTAfwsEMvPlGLixDXG?= =?Windows-1252?Q?nhHurKqhSlF9nvBjsPmZcOUon0UhTPLq6SvW4I1pqGq+PBvtVeRvFrCN?= =?Windows-1252?Q?HU5gXcebQItoY1RBCwVlXBLlNSYxB9E/JvEOBkyZZ+xQF9rwndMmzIlw?= =?Windows-1252?Q?=3D?= X-Microsoft-Exchange-Diagnostics: 1;HE1PR0801MB1307;6:f73pgTdeDDjxWE/GYK7bHV8kCPffSQGJBb5GxkH1dnh+lmYCulK1bMIZ1lA+QLAIlhjDEZNMdL/7C9E6UCW8T7JJ7v/RDa3bwmIaNMxEUEM9N5BzBP57kVje2dMCMLOahh0sswoh5aTXWmtnB4dPzGCEepuPgwu/kK670iUpk0zjKIGYCY2aKSt4jUFkslBT9/D9Cp9TY80nldo5y0DQ8KqgDy83v6RJoWdr/Vaf0klgIOxCOlFPX8zD/feimFWgnKDIgztuAGFvkTT+xgEBkfLluVSQ73QXgBbBGINrJRs=;5:pNgZqNAp87AILSBr51GqDMIcpzefnaDkH/yD/0WyFC45rqZoDsjt1PFNN8nKIqrdQB5KPudMmJ1BtYjio4fjj4WUuocOuiOZyeDGAWAmRGd1ZwwZVqN++R0eNLznHqK393RNOgYXNVSbAbiuiAF/2w==;24:L9dPSy+lD+O+rObfFZT3xH4vgJhrNH+tk2HwjF+DThPGC0mU6qpgRGL3/oV6GPD6cpsiOwEp9mxLPVyIvSPl/CEMST7fn/UvDYhQNTYXGn4=;7:A9PkUEEg5he0EddJudTI9alpKRl3bW9eEbcqCTnJCDZIGHWHs3aPgGKxCyq/L6k1M9LxZm8UOOjHOJb1CEvpqq6gCzjpaWuVrAJWr7HlJs+XzRdatAjygYW6bNeFqyPGEkeadr1VloLu8TWKbC/KDJU7b0mG4rNb0qJcoJA+joM1jKBAHSqbBRdOLVszUxUVqFte2Zn5eh1i/Y1HRI/g2Q==;20:08vxCc2yKPSIqP6eVPaaFRCB2/RQ30DngcS3/Mh72ywVAU3wqEsphqlQ6nboCxcJCFtu485CDRlwv1eRx0mttOLlZkwQA40ZBWIpBdx44+Bcz1sYd+rab8wEmwJwQEMcu9BHGtTYkaFVqasi26eh64sJUdg5scY0LeDNQnWCxM8= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-OriginatorOrg: virtuozzo.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2016 17:02:32.8232 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0801MB1307 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/09/2016 08:00 PM, Andrey Ryabinin wrote: > On 06/07/2016 09:03 PM, Kuthonuzo Luruo wrote: > > Next time, when/if you send patch series, send patches in one thread, i.e. patches should be replies to the cover letter. > Your patches are not linked together, which makes them harder to track. > > >> Currently, KASAN may fail to detect concurrent deallocations of the same >> object due to a race in kasan_slab_free(). This patch makes double-free >> detection more reliable by serializing access to KASAN object metadata. >> New functions kasan_meta_lock() and kasan_meta_unlock() are provided to >> lock/unlock per-object metadata. Double-free errors are now reported via >> kasan_report(). >> >> Per-object lock concept from suggestion/observations by Dmitry Vyukov. >> > > > So, I still don't like this, this too way hacky and complex. > I have some thoughts about how to make this lockless and robust enough. > I'll try to sort this out tomorrow. > So, I something like this should work. Tested very briefly. diff --git a/include/linux/kasan.h b/include/linux/kasan.h index ac4b3c4..8691142 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -75,6 +75,8 @@ struct kasan_cache { int kasan_module_alloc(void *addr, size_t size); void kasan_free_shadow(const struct vm_struct *vm); +void kasan_init_slab_obj(struct kmem_cache *cache, const void *object); + size_t ksize(const void *); static inline void kasan_unpoison_slab(const void *ptr) { ksize(ptr); } @@ -102,6 +104,9 @@ static inline void kasan_unpoison_object_data(struct kmem_cache *cache, static inline void kasan_poison_object_data(struct kmem_cache *cache, void *object) {} +static inline void kasan_init_slab_obj(struct kmem_cache *cache, + const void *object) { } + static inline void kasan_kmalloc_large(void *ptr, size_t size, gfp_t flags) {} static inline void kasan_kfree_large(const void *ptr) {} static inline void kasan_poison_kfree(void *ptr) {} diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 6845f92..ab0fded 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -388,11 +388,9 @@ void kasan_cache_create(struct kmem_cache *cache, size_t *size, *size += sizeof(struct kasan_alloc_meta); /* Add free meta. */ - if (cache->flags & SLAB_DESTROY_BY_RCU || cache->ctor || - cache->object_size < sizeof(struct kasan_free_meta)) { - cache->kasan_info.free_meta_offset = *size; - *size += sizeof(struct kasan_free_meta); - } + cache->kasan_info.free_meta_offset = *size; + *size += sizeof(struct kasan_free_meta); + redzone_adjust = optimal_redzone(cache->object_size) - (*size - cache->object_size); if (redzone_adjust > 0) @@ -431,13 +429,6 @@ void kasan_poison_object_data(struct kmem_cache *cache, void *object) kasan_poison_shadow(object, round_up(cache->object_size, KASAN_SHADOW_SCALE_SIZE), KASAN_KMALLOC_REDZONE); -#ifdef CONFIG_SLAB - if (cache->flags & SLAB_KASAN) { - struct kasan_alloc_meta *alloc_info = - get_alloc_info(cache, object); - alloc_info->state = KASAN_STATE_INIT; - } -#endif } #ifdef CONFIG_SLAB @@ -501,6 +492,20 @@ struct kasan_free_meta *get_free_info(struct kmem_cache *cache, BUILD_BUG_ON(sizeof(struct kasan_free_meta) > 32); return (void *)object + cache->kasan_info.free_meta_offset; } + +void kasan_init_slab_obj(struct kmem_cache *cache, const void *object) +{ + struct kasan_alloc_meta *alloc_info; + struct kasan_free_meta *free_info; + + if (!(cache->flags & SLAB_KASAN)) + return; + + alloc_info = get_alloc_info(cache, object); + free_info = get_free_info(cache, object); + __memset(alloc_info, 0, sizeof(*alloc_info)); + __memset(free_info, 0, sizeof(*free_info)); +} #endif void kasan_slab_alloc(struct kmem_cache *cache, void *object, gfp_t flags) @@ -523,37 +528,47 @@ static void kasan_poison_slab_free(struct kmem_cache *cache, void *object) bool kasan_slab_free(struct kmem_cache *cache, void *object) { #ifdef CONFIG_SLAB + struct kasan_free_meta *free_info = get_free_info(cache, object); + struct kasan_track new_free_stack, old_free_stack; + s8 old_shadow; + /* RCU slabs could be legally used after free within the RCU period */ if (unlikely(cache->flags & SLAB_DESTROY_BY_RCU)) return false; - if (likely(cache->flags & SLAB_KASAN)) { - struct kasan_alloc_meta *alloc_info = - get_alloc_info(cache, object); - struct kasan_free_meta *free_info = - get_free_info(cache, object); - - switch (alloc_info->state) { - case KASAN_STATE_ALLOC: - alloc_info->state = KASAN_STATE_QUARANTINE; - quarantine_put(free_info, cache); - set_track(&free_info->track, GFP_NOWAIT); - kasan_poison_slab_free(cache, object); - return true; - case KASAN_STATE_QUARANTINE: - case KASAN_STATE_FREE: - pr_err("Double free"); - dump_stack(); - break; - default: - break; - } + if (unlikely(!(cache->flags & SLAB_KASAN))) + return false; + + set_track(&new_free_stack, GFP_NOWAIT); + old_free_stack = xchg(&free_info->track, new_free_stack); + old_shadow = xchg((s8 *)kasan_mem_to_shadow(object), + KASAN_KMALLOC_FREE); + + if (old_shadow < 0 || old_shadow >= KASAN_SHADOW_SCALE_SIZE) { + struct kasan_track free_stack; + + /* Paired with xchg() above */ + free_stack = smp_load_acquire(&free_info->track); + + /* + * We didn't raced with another instance of kasan_slab_free() + * so the previous free stack supposed to be in old_free_stack. + * Otherwise, free_stack will contain stack trace of another + * kfree() call. + */ + if (free_stack.id == new_free_stack.id) + free_stack = old_free_stack; + + kasan_report_double_free(cache, object, + free_stack, old_shadow); + return false; } - return false; -#else kasan_poison_slab_free(cache, object); - return false; + return true; + #endif + kasan_poison_slab_free(cache, object); + return false; } void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size, @@ -581,7 +596,6 @@ void kasan_kmalloc(struct kmem_cache *cache, const void *object, size_t size, struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object); - alloc_info->state = KASAN_STATE_ALLOC; alloc_info->alloc_size = size; set_track(&alloc_info->track, flags); } diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index fb87923..9b46d2e 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -59,24 +59,21 @@ struct kasan_global { * Structures to keep alloc and free tracks * */ -enum kasan_state { - KASAN_STATE_INIT, - KASAN_STATE_ALLOC, - KASAN_STATE_QUARANTINE, - KASAN_STATE_FREE -}; - #define KASAN_STACK_DEPTH 64 struct kasan_track { - u32 pid; - depot_stack_handle_t stack; +union { + struct { + u32 pid; + depot_stack_handle_t stack; + }; + u64 id; +}; }; struct kasan_alloc_meta { struct kasan_track track; - u32 state : 2; /* enum kasan_state */ - u32 alloc_size : 30; + u32 alloc_size; }; struct qlist_node { @@ -109,6 +106,9 @@ static inline bool kasan_report_enabled(void) void kasan_report(unsigned long addr, size_t size, bool is_write, unsigned long ip); +void kasan_report_double_free(struct kmem_cache *cache, void *object, + struct kasan_track free_stack, s8 shadow); + #ifdef CONFIG_SLAB void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache); diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c index 4973505..3ec039c 100644 --- a/mm/kasan/quarantine.c +++ b/mm/kasan/quarantine.c @@ -144,11 +144,9 @@ static void *qlink_to_object(struct qlist_node *qlink, struct kmem_cache *cache) static void qlink_free(struct qlist_node *qlink, struct kmem_cache *cache) { void *object = qlink_to_object(qlink, cache); - struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object); unsigned long flags; local_irq_save(flags); - alloc_info->state = KASAN_STATE_FREE; ___cache_free(cache, object, _THIS_IP_); local_irq_restore(flags); } diff --git a/mm/kasan/report.c b/mm/kasan/report.c index b3c122d..a0f4519 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -140,28 +140,13 @@ static void object_err(struct kmem_cache *cache, struct page *page, pr_err("Object at %p, in cache %s\n", object, cache->name); if (!(cache->flags & SLAB_KASAN)) return; - switch (alloc_info->state) { - case KASAN_STATE_INIT: - pr_err("Object not allocated yet\n"); - break; - case KASAN_STATE_ALLOC: - pr_err("Object allocated with size %u bytes.\n", - alloc_info->alloc_size); - pr_err("Allocation:\n"); - print_track(&alloc_info->track); - break; - case KASAN_STATE_FREE: - case KASAN_STATE_QUARANTINE: - pr_err("Object freed, allocated with size %u bytes\n", - alloc_info->alloc_size); - free_info = get_free_info(cache, object); - pr_err("Allocation:\n"); - print_track(&alloc_info->track); - pr_err("Deallocation:\n"); - print_track(&free_info->track); - break; - } + free_info = get_free_info(cache, object); + pr_err("Allocation:\n"); + print_track(&alloc_info->track); + pr_err("Deallocation:\n"); + print_track(&free_info->track); } + #endif static void print_address_description(struct kasan_access_info *info) @@ -245,17 +230,31 @@ static void print_shadow_for_address(const void *addr) static DEFINE_SPINLOCK(report_lock); -static void kasan_report_error(struct kasan_access_info *info) +static void kasan_start_report(unsigned long *flags) { - unsigned long flags; - const char *bug_type; - /* * Make sure we don't end up in loop. */ kasan_disable_current(); - spin_lock_irqsave(&report_lock, flags); + spin_lock_irqsave(&report_lock, *flags); pr_err("==================================================================\n"); +} + +static void kasan_end_report(unsigned long *flags) +{ + pr_err("==================================================================\n"); + add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); + spin_unlock_irqrestore(&report_lock, *flags); + kasan_enable_current(); +} + +static void kasan_report_error(struct kasan_access_info *info) +{ + unsigned long flags; + const char *bug_type; + + kasan_start_report(&flags); + if (info->access_addr < kasan_shadow_to_mem((void *)KASAN_SHADOW_START)) { if ((unsigned long)info->access_addr < PAGE_SIZE) @@ -276,10 +275,29 @@ static void kasan_report_error(struct kasan_access_info *info) print_address_description(info); print_shadow_for_address(info->first_bad_addr); } - pr_err("==================================================================\n"); - add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); - spin_unlock_irqrestore(&report_lock, flags); - kasan_enable_current(); + + kasan_end_report(&flags); +} + +void kasan_report_double_free(struct kmem_cache *cache, void *object, + struct kasan_track free_stack, s8 shadow) +{ + unsigned long flags; + + kasan_start_report(&flags); + + pr_err("BUG: Double free or corrupt pointer\n"); + pr_err("Unexpected shadow byte: 0x%hhX\n", shadow); + + dump_stack(); + pr_err("Object at %p, in cache %s\n", object, cache->name); + get_alloc_info(cache, object); + pr_err("Allocation:\n"); + print_track(&get_alloc_info(cache, object)->track); + pr_err("Deallocation:\n"); + print_track(&free_stack); + + kasan_end_report(&flags); } void kasan_report(unsigned long addr, size_t size, diff --git a/mm/slab.c b/mm/slab.c index 763096a..65c942b 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -2604,9 +2604,11 @@ static void cache_init_objs(struct kmem_cache *cachep, } for (i = 0; i < cachep->num; i++) { + objp = index_to_obj(cachep, page, i); + kasan_init_slab_obj(cachep, objp); + /* constructor could break poison info */ if (DEBUG == 0 && cachep->ctor) { - objp = index_to_obj(cachep, page, i); kasan_unpoison_object_data(cachep, objp); cachep->ctor(objp); kasan_poison_object_data(cachep, objp);