Commit ee3ce779 authored by Dmitry Vyukov's avatar Dmitry Vyukov Committed by Linus Torvalds
Browse files

kasan: don't use __builtin_return_address(1)

__builtin_return_address(1) is unreliable without frame pointers.
With defconfig on kmalloc_pagealloc_invalid_free test I am getting:

BUG: KASAN: double-free or invalid-free in           (null)

Pass caller PC from callers explicitly.

Link: http://lkml.kernel.org/r/9b01bc2d237a4df74ff8472a3bf6b7635908de01.1514378558.git.dvyukov@google.com

Signed-off-by: default avatarDmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>a
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 47adccce
...@@ -56,14 +56,14 @@ void kasan_poison_object_data(struct kmem_cache *cache, void *object); ...@@ -56,14 +56,14 @@ void kasan_poison_object_data(struct kmem_cache *cache, void *object);
void kasan_init_slab_obj(struct kmem_cache *cache, const void *object); void kasan_init_slab_obj(struct kmem_cache *cache, const void *object);
void kasan_kmalloc_large(const void *ptr, size_t size, gfp_t flags); void kasan_kmalloc_large(const void *ptr, size_t size, gfp_t flags);
void kasan_kfree_large(void *ptr); void kasan_kfree_large(void *ptr, unsigned long ip);
void kasan_poison_kfree(void *ptr); void kasan_poison_kfree(void *ptr);
void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size, void kasan_kmalloc(struct kmem_cache *s, const void *object, size_t size,
gfp_t flags); gfp_t flags);
void kasan_krealloc(const void *object, size_t new_size, gfp_t flags); void kasan_krealloc(const void *object, size_t new_size, gfp_t flags);
void kasan_slab_alloc(struct kmem_cache *s, void *object, gfp_t flags); void kasan_slab_alloc(struct kmem_cache *s, void *object, gfp_t flags);
bool kasan_slab_free(struct kmem_cache *s, void *object); bool kasan_slab_free(struct kmem_cache *s, void *object, unsigned long ip);
struct kasan_cache { struct kasan_cache {
int alloc_meta_offset; int alloc_meta_offset;
...@@ -108,7 +108,7 @@ static inline void kasan_init_slab_obj(struct kmem_cache *cache, ...@@ -108,7 +108,7 @@ static inline void kasan_init_slab_obj(struct kmem_cache *cache,
const void *object) {} const void *object) {}
static inline void kasan_kmalloc_large(void *ptr, size_t size, gfp_t flags) {} static inline void kasan_kmalloc_large(void *ptr, size_t size, gfp_t flags) {}
static inline void kasan_kfree_large(void *ptr) {} static inline void kasan_kfree_large(void *ptr, unsigned long ip) {}
static inline void kasan_poison_kfree(void *ptr) {} static inline void kasan_poison_kfree(void *ptr) {}
static inline void kasan_kmalloc(struct kmem_cache *s, const void *object, static inline void kasan_kmalloc(struct kmem_cache *s, const void *object,
size_t size, gfp_t flags) {} size_t size, gfp_t flags) {}
...@@ -117,7 +117,8 @@ static inline void kasan_krealloc(const void *object, size_t new_size, ...@@ -117,7 +117,8 @@ static inline void kasan_krealloc(const void *object, size_t new_size,
static inline void kasan_slab_alloc(struct kmem_cache *s, void *object, static inline void kasan_slab_alloc(struct kmem_cache *s, void *object,
gfp_t flags) {} gfp_t flags) {}
static inline bool kasan_slab_free(struct kmem_cache *s, void *object) static inline bool kasan_slab_free(struct kmem_cache *s, void *object,
unsigned long ip)
{ {
return false; return false;
} }
......
...@@ -501,7 +501,7 @@ static void kasan_poison_slab_free(struct kmem_cache *cache, void *object) ...@@ -501,7 +501,7 @@ static void kasan_poison_slab_free(struct kmem_cache *cache, void *object)
kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE); kasan_poison_shadow(object, rounded_up_size, KASAN_KMALLOC_FREE);
} }
bool kasan_slab_free(struct kmem_cache *cache, void *object) bool kasan_slab_free(struct kmem_cache *cache, void *object, unsigned long ip)
{ {
s8 shadow_byte; s8 shadow_byte;
...@@ -511,7 +511,7 @@ bool kasan_slab_free(struct kmem_cache *cache, void *object) ...@@ -511,7 +511,7 @@ bool kasan_slab_free(struct kmem_cache *cache, void *object)
shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(object)); shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(object));
if (shadow_byte < 0 || shadow_byte >= KASAN_SHADOW_SCALE_SIZE) { if (shadow_byte < 0 || shadow_byte >= KASAN_SHADOW_SCALE_SIZE) {
kasan_report_invalid_free(object, __builtin_return_address(1)); kasan_report_invalid_free(object, ip);
return true; return true;
} }
...@@ -601,10 +601,10 @@ void kasan_poison_kfree(void *ptr) ...@@ -601,10 +601,10 @@ void kasan_poison_kfree(void *ptr)
kasan_poison_slab_free(page->slab_cache, ptr); kasan_poison_slab_free(page->slab_cache, ptr);
} }
void kasan_kfree_large(void *ptr) void kasan_kfree_large(void *ptr, unsigned long ip)
{ {
if (ptr != page_address(virt_to_head_page(ptr))) if (ptr != page_address(virt_to_head_page(ptr)))
kasan_report_invalid_free(ptr, __builtin_return_address(1)); kasan_report_invalid_free(ptr, ip);
/* The object will be poisoned by page_alloc. */ /* The object will be poisoned by page_alloc. */
} }
......
...@@ -107,7 +107,7 @@ static inline const void *kasan_shadow_to_mem(const void *shadow_addr) ...@@ -107,7 +107,7 @@ static inline const void *kasan_shadow_to_mem(const void *shadow_addr)
void kasan_report(unsigned long addr, size_t size, void kasan_report(unsigned long addr, size_t size,
bool is_write, unsigned long ip); bool is_write, unsigned long ip);
void kasan_report_invalid_free(void *object, void *ip); void kasan_report_invalid_free(void *object, unsigned long ip);
#if defined(CONFIG_SLAB) || defined(CONFIG_SLUB) #if defined(CONFIG_SLAB) || defined(CONFIG_SLUB)
void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache); void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache);
......
...@@ -326,12 +326,12 @@ static void print_shadow_for_address(const void *addr) ...@@ -326,12 +326,12 @@ static void print_shadow_for_address(const void *addr)
} }
} }
void kasan_report_invalid_free(void *object, void *ip) void kasan_report_invalid_free(void *object, unsigned long ip)
{ {
unsigned long flags; unsigned long flags;
kasan_start_report(&flags); kasan_start_report(&flags);
pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", ip); pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip);
pr_err("\n"); pr_err("\n");
print_address_description(object); print_address_description(object);
pr_err("\n"); pr_err("\n");
......
...@@ -3478,11 +3478,11 @@ free_done: ...@@ -3478,11 +3478,11 @@ free_done:
* Release an obj back to its cache. If the obj has a constructed state, it must * Release an obj back to its cache. If the obj has a constructed state, it must
* be in this state _before_ it is released. Called with disabled ints. * be in this state _before_ it is released. Called with disabled ints.
*/ */
static inline void __cache_free(struct kmem_cache *cachep, void *objp, static __always_inline void __cache_free(struct kmem_cache *cachep, void *objp,
unsigned long caller) unsigned long caller)
{ {
/* Put the object into the quarantine, don't touch it for now. */ /* Put the object into the quarantine, don't touch it for now. */
if (kasan_slab_free(cachep, objp)) if (kasan_slab_free(cachep, objp, _RET_IP_))
return; return;
___cache_free(cachep, objp, caller); ___cache_free(cachep, objp, caller);
......
...@@ -1356,13 +1356,13 @@ static inline void kmalloc_large_node_hook(void *ptr, size_t size, gfp_t flags) ...@@ -1356,13 +1356,13 @@ static inline void kmalloc_large_node_hook(void *ptr, size_t size, gfp_t flags)
kasan_kmalloc_large(ptr, size, flags); kasan_kmalloc_large(ptr, size, flags);
} }
static inline void kfree_hook(void *x) static __always_inline void kfree_hook(void *x)
{ {
kmemleak_free(x); kmemleak_free(x);
kasan_kfree_large(x); kasan_kfree_large(x, _RET_IP_);
} }
static inline void *slab_free_hook(struct kmem_cache *s, void *x) static __always_inline void *slab_free_hook(struct kmem_cache *s, void *x)
{ {
void *freeptr; void *freeptr;
...@@ -1390,7 +1390,7 @@ static inline void *slab_free_hook(struct kmem_cache *s, void *x) ...@@ -1390,7 +1390,7 @@ static inline void *slab_free_hook(struct kmem_cache *s, void *x)
* kasan_slab_free() may put x into memory quarantine, delaying its * kasan_slab_free() may put x into memory quarantine, delaying its
* reuse. In this case the object's freelist pointer is changed. * reuse. In this case the object's freelist pointer is changed.
*/ */
kasan_slab_free(s, x); kasan_slab_free(s, x, _RET_IP_);
return freeptr; return freeptr;
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment