
Commit e1db95b

xairytorvalds
authored and committed
kasan: fix assigning tags twice
When an object is kmalloc()'ed, two hooks are called: kasan_slab_alloc() and kasan_kmalloc(). Right now we assign a tag twice, once in each of the hooks. Fix it by assigning a tag only in the former hook. Link: http://lkml.kernel.org/r/ce8c6431da735aa7ec051fd6497153df690eb021.1549921721.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Christoph Lameter <cl@linux.com> Cc: David Rientjes <rientjes@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Evgeniy Stepanov <eugenis@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Kostya Serebryany <kcc@google.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: Qian Cai <cai@lca.pw> Cc: Vincenzo Frascino <vincenzo.frascino@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 050c17f commit e1db95b


1 file changed

+17
-12
lines changed


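--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -361,10 +361,15 @@ void kasan_poison_object_data(struct kmem_cache *cache, void *object)
 * get different tags.
 */
 static u8 assign_tag(struct kmem_cache *cache, const void *object,
-bool init, bool krealloc)
+bool init, bool keep_tag)
 {
-/* Reuse the same tag for krealloc'ed objects. */
-if (krealloc)
+/*
+* 1. When an object is kmalloc()'ed, two hooks are called:
+* kasan_slab_alloc() and kasan_kmalloc(). We assign the
+* tag only in the first one.
+* 2. We reuse the same tag for krealloc'ed objects.
+*/
+if (keep_tag)
 return get_tag(object);
 
 /*
@@ -405,12 +410,6 @@ void * __must_check kasan_init_slab_obj(struct kmem_cache *cache,
 return (void *)object;
 }
 
-void * __must_check kasan_slab_alloc(struct kmem_cache *cache, void *object,
-gfp_t flags)
-{
-return kasan_kmalloc(cache, object, cache->object_size, flags);
-}
-
 static inline bool shadow_invalid(u8 tag, s8 shadow_byte)
 {
 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
@@ -467,7 +466,7 @@ bool kasan_slab_free(struct kmem_cache *cache, void *object, unsigned long ip)
 }
 
 static void *__kasan_kmalloc(struct kmem_cache *cache, const void *object,
-size_t size, gfp_t flags, bool krealloc)
+size_t size, gfp_t flags, bool keep_tag)
 {
 unsigned long redzone_start;
 unsigned long redzone_end;
@@ -485,7 +484,7 @@ static void *__kasan_kmalloc(struct kmem_cache *cache, const void *object,
 KASAN_SHADOW_SCALE_SIZE);
 
 if (IS_ENABLED(CONFIG_KASAN_SW_TAGS))
-tag = assign_tag(cache, object, false, krealloc);
+tag = assign_tag(cache, object, false, keep_tag);
 
 /* Tag is ignored in set_tag without CONFIG_KASAN_SW_TAGS */
 kasan_unpoison_shadow(set_tag(object, tag), size);
@@ -498,10 +497,16 @@ static void *__kasan_kmalloc(struct kmem_cache *cache, const void *object,
 return set_tag(object, tag);
 }
 
+void * __must_check kasan_slab_alloc(struct kmem_cache *cache, void *object,
+gfp_t flags)
+{
+return __kasan_kmalloc(cache, object, cache->object_size, flags, false);
+}
+
 void * __must_check kasan_kmalloc(struct kmem_cache *cache, const void *object,
 size_t size, gfp_t flags)
 {
-return __kasan_kmalloc(cache, object, size, flags, false);
+return __kasan_kmalloc(cache, object, size, flags, true);
 }
 EXPORT_SYMBOL(kasan_kmalloc);
 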
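Review bot: In the last hunk kasan_kmalloc() now passes `keep_tag = true`, so its correctness depends on every object reaching it having already been tagged by kasan_slab_alloc() (or by the earlier allocation in the krealloc case), an invariant that is neither stated nor checked at the call site; if some caller invoked kasan_kmalloc() directly on an object that never went through kasan_slab_alloc(), get_tag() would presumably hand back whatever the pointer already carries rather than a fresh tag, and the new comment in assign_tag() describes the intent but not this precondition. A one-line comment at each call site would make the contract visible: `/* Tag was already assigned by kasan_slab_alloc(); keep it. */` above `return __kasan_kmalloc(cache, object, size, flags, true);`, and `/* First hook on a fresh object: assign a new tag. */` above the `false` call in the new kasan_slab_alloc(). Bare `true`/`false` literals for a bool parameter force the reader to look up the signature, so the comments are the cheap fix. Per the comment in the fourth hunk the tag is ignored without CONFIG_KASAN_SW_TAGS, so the behavioural change is confined to the SW_TAGS configuration. The body of __kasan_kmalloc() extends beyond the third, fourth and fifth hunks.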
