diff options
| author | Se Wang (Patrick) Oh <sewango@codeaurora.org> | 2015-06-25 14:50:02 -0700 |
|---|---|---|
| committer | David Keitel <dkeitel@codeaurora.org> | 2016-03-22 11:10:44 -0700 |
| commit | dae9a397e1d3d92b6f44f248972350cbc16828b5 (patch) | |
| tree | 14c7cdab9296dd89a6e390d501fe2310952675a5 /kernel/fork.c | |
| parent | 7fc60d089e84a540706f1d274eb93491391dfc8f (diff) | |
kernel: fork: Call KASan alloc before release the thread info pages
the pages allocated for thread info is used for stack. KAsan marks
some stack memory region for guarding area and the bitmasks for
that region are not cleared until the pages are freed. When
CONFIG_PAGE_POISONING is enabled, as the pages still have special
bitmasks, a out of bound access KASan report arises during pages
poisoning. So mark the pages as alloc status before poisoning the
pages.
==================================================================
BUG: KASan: out of bounds on stack in memset+0x24/0x44 at addr ffffffc0b8e3f000
Write of size 4096 by task swapper/0/0
page:ffffffbacc38e760 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.0-g5a4a5d5-07244-g488682c-dirty #12
Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2.0 LiQUID (DT)
Call trace:
[<ffffffc00008c010>] dump_backtrace+0x0/0x250
[<ffffffc00008c270>] show_stack+0x10/0x1c
[<ffffffc001b6f9e4>] dump_stack+0x74/0xfc
[<ffffffc0002debf4>] kasan_report_error+0x2b0/0x408
[<ffffffc0002dee28>] kasan_report+0x34/0x40
[<ffffffc0002de240>] __asan_storeN+0x15c/0x168
[<ffffffc0002de47c>] memset+0x20/0x44
[<ffffffc0002d77bc>] kernel_map_pages+0x2e8/0x384
[<ffffffc000266458>] free_pages_prepare+0x340/0x3a0
[<ffffffc0002694cc>] __free_pages_ok+0x20/0x12c
[<ffffffc00026a698>] __free_pages+0x34/0x44
[<ffffffc00026abb0>] free_kmem_pages+0x68/0x80
[<ffffffc0000b0424>] free_task+0x80/0xac
[<ffffffc0000b05a8>] __put_task_struct+0x158/0x23c
[<ffffffc0000b9194>] delayed_put_task_struct+0x188/0x1cc
[<ffffffc00018586c>] rcu_process_callbacks+0x6cc/0xbb0
[<ffffffc0000bfdb0>] __do_softirq+0x368/0x750
[<ffffffc0000c0630>] irq_exit+0xd8/0x15c
[<ffffffc00016f610>] __handle_domain_irq+0x108/0x168
[<ffffffc000081af8>] gic_handle_irq+0x50/0xc0
Memory state around the buggy address:
ffffffc0b8e3f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0b8e3fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0b8e3fa80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
^
ffffffc0b8e3fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0b8e3fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Change-Id: I90aa1c6e82a0bde58d2d5d68d84e67f932728a88
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
Diffstat (limited to 'kernel/fork.c')
| -rw-r--r-- | kernel/fork.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/fork.c b/kernel/fork.c index 7ec6e9939b2c..859b949d106f 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -23,6 +23,7 @@ #include <linux/file.h> #include <linux/fdtable.h> #include <linux/iocontext.h> +#include <linux/kasan.h> #include <linux/key.h> #include <linux/binfmts.h> #include <linux/mman.h> @@ -169,6 +170,7 @@ static struct thread_info *alloc_thread_info_node(struct task_struct *tsk, static inline void free_thread_info(struct thread_info *ti) { + kasan_alloc_pages(virt_to_page(ti), THREAD_SIZE_ORDER); free_kmem_pages((unsigned long)ti, THREAD_SIZE_ORDER); } # else |