From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 379A7C43334 for ; Mon, 4 Jul 2022 07:55:18 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B96BF6B0074; Mon, 4 Jul 2022 03:55:17 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B46F76B0075; Mon, 4 Jul 2022 03:55:17 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A0E5D8E0001; Mon, 4 Jul 2022 03:55:17 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 90FAE6B0074 for ; Mon, 4 Jul 2022 03:55:17 -0400 (EDT) Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id 5559D2A31F for ; Mon, 4 Jul 2022 07:53:40 +0000 (UTC) X-FDA: 79648653042.25.499A0A7 Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) by imf05.hostedemail.com (Postfix) with ESMTP id D20A4101200 for ; Mon, 4 Jul 2022 07:46:17 +0000 (UTC) Received: by mail-lf1-f52.google.com with SMTP id t24so14376252lfr.4 for ; Mon, 04 Jul 2022 00:46:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EpLsmKlpKCiUIDe9SFr1Z71rXe3WR1MDQEjPMDRMDOU=; b=c9TZYYVaWzhGJ6mrcpbLMY00AjoFY9dgMyjx9bilb0BXIcId4yURXxfKA6oYWGtz01 PmSJnerb5jj8N+cjnRHPAfsGOfnvxBLsgTFG4mwnDA08+SCbtBP5UTHhUmDhmDewMW2Q RwSxPmhBuD8ddkrqYE3qsB6tbUwY0tApCJPYVt0YAFbEq/X1bSmmtnNN0PoHFXuunqbP VQ/ViDAAdiHFJAEPv+XrjEuyEVptRid+WTjiJPbvs37NRDavJsP3dNJPuz4nn1fs4Xbe qVMm4ryWBxq8puAt3JzaqirpqsKT3M/Zu/d6u0FPyfLvPbNNNN0Hhx4hj01mlz118RCv Qofw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EpLsmKlpKCiUIDe9SFr1Z71rXe3WR1MDQEjPMDRMDOU=; b=sAzlQdTCkiHFqPCExKKXQ0cqiGYy0VYD6JkaqdknIQtQkmzaMFjNLRvc8ytXc4CqsR gZT5k6cOMuGnsmsXwNvn4aBKy/eRLOy1XrpIwEAIrB+lmcjKz9Y5DF4oruRPDPwEPjuv VM0O9DmOYBMIextaZpluRfXBpXQFC8yfFVhymdplCJAp3fm6hOJeEuSuWY9QSOMc/HMZ EpbEZr0JUR9o5gP5d8rQ0nRCNmGbIwAEpnKtFjAR3Qk+4+o9fXaou5p6K0CAbZVSlHk+ zqgIg2eaiMt+21qWbwHtSZWq14Me3JPtWbFhQsUn//1i+SWgeCombeHJo7VJ79nuOrOX yW0Q== X-Gm-Message-State: AJIora85lBy+oOUjzPrby2fuj0/qXc/c6Dty/O7MZdAfy4cyMWTMwanQ NwK69+ZPL29tQceaKuo60Uvf5duxs4aa3uq+WaIl3A== X-Google-Smtp-Source: AGRyM1sjAUAcmtkyEiJeoit5ySGBOChyexenC3PN4u7CokwqIER+Wu9ppdrapofaMzf3YdE/UQWvXY+yHr2Ir3aRi4Q= X-Received: by 2002:a19:f006:0:b0:47f:ae73:abe5 with SMTP id p6-20020a19f006000000b0047fae73abe5mr17682143lfc.206.1656920775975; Mon, 04 Jul 2022 00:46:15 -0700 (PDT) MIME-Version: 1.0 References: <20220615062219.22618-1-Kuan-Ying.Lee@mediatek.com> <20220703161552.6a3304c8d316e4fdcce42caa@linux-foundation.org> In-Reply-To: <20220703161552.6a3304c8d316e4fdcce42caa@linux-foundation.org> From: Dmitry Vyukov Date: Mon, 4 Jul 2022 09:46:04 +0200 Message-ID: Subject: Re: [PATCH] kasan: separate double free case from invalid free To: Andrew Morton Cc: Kuan-Ying Lee , Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Vincenzo Frascino , Matthias Brugger , chinwen.chang@mediatek.com, yee.lee@mediatek.com, casper.li@mediatek.com, andrew.yang@mediatek.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Content-Type: text/plain; charset="UTF-8" ARC-Authentication-Results: i=1; imf05.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=c9TZYYVa; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf05.hostedemail.com: domain of dvyukov@google.com designates 209.85.167.52 as permitted sender) smtp.mailfrom=dvyukov@google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1656920778; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=EpLsmKlpKCiUIDe9SFr1Z71rXe3WR1MDQEjPMDRMDOU=; b=Ny+90z3qQuWjwC+H8XNVCgRX7fFdwjTFeJJnCZbbuOPK8oU4x25nO0+RobXjPc0a3KYEW+ d+IwvYj+HY0ygCmcXgW3+13zr2q3tVCnxYXBawqCbr2udwlp+NFh/e8OF11ug1hOhNx4fR XyF1EGRnPKSiLSFfbpGxvF2+VLNrjjQ= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1656920778; a=rsa-sha256; cv=none; b=CiA9FmKT3ul7xG3nhU4lvEAfhrKMK15nWlTBn4cQXhdkz1e6wTObonTrZGYHN5tXlInH63 kqTG3xcGLCilUvQizsI+71hhfVAcN3JQufrXiLeXYRcpkYlA5UKgGaNJsQcmONqj9S6olC 4nQT4OYqpTpz2dIBDJ97QOJbiUItHgQ= X-Stat-Signature: tiwistid64uqojtf7xcm739qok7b3g9b X-Rspamd-Queue-Id: D20A4101200 Authentication-Results: imf05.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=c9TZYYVa; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf05.hostedemail.com: domain of dvyukov@google.com designates 209.85.167.52 as permitted sender) smtp.mailfrom=dvyukov@google.com X-Rspamd-Server: rspam03 X-Rspam-User: X-HE-Tag: 1656920777-617857 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, 4 Jul 2022 at 01:15, Andrew Morton wrote: > > On Wed, 15 Jun 2022 14:22:18 +0800 Kuan-Ying Lee wrote: > > > Currently, KASAN describes all invalid-free/double-free bugs as > > "double-free or invalid-free". This is ambiguous. > > > > KASAN should report "double-free" when a double-free is a more > > likely cause (the address points to the start of an object) and > > report "invalid-free" otherwise [1]. > > > > [1] https://bugzilla.kernel.org/show_bug.cgi?id=212193 > > > > ... > > Could we please have some review of this? Looks reasonable to me. Looking through git log it seems the only reason to combine them was laziness/didn't seem important enough. Reviewed-by: Dmitry Vyukov I will update syzkaller parsing of bug messages to not produce duplicates for existing double-frees. Not sure if anything needs to be done for other kernel testing systems. > > diff --git a/mm/kasan/common.c b/mm/kasan/common.c > > index c40c0e7b3b5f..707c3a527fcb 100644 > > --- a/mm/kasan/common.c > > +++ b/mm/kasan/common.c > > @@ -343,7 +343,7 @@ static inline bool ____kasan_slab_free(struct kmem_cache *cache, void *object, > > > > if (unlikely(nearest_obj(cache, virt_to_slab(object), object) != > > object)) { > > - kasan_report_invalid_free(tagged_object, ip); > > + kasan_report_invalid_free(tagged_object, ip, KASAN_REPORT_INVALID_FREE); > > return true; > > } > > > > @@ -352,7 +352,7 @@ static inline bool ____kasan_slab_free(struct kmem_cache *cache, void *object, > > return false; > > > > if (!kasan_byte_accessible(tagged_object)) { > > - kasan_report_invalid_free(tagged_object, ip); > > + kasan_report_invalid_free(tagged_object, ip, KASAN_REPORT_DOUBLE_FREE); > > return true; > > } > > > > @@ -377,12 +377,12 @@ bool __kasan_slab_free(struct kmem_cache *cache, void *object, > > static inline bool ____kasan_kfree_large(void *ptr, unsigned long ip) > > { > > if (ptr != page_address(virt_to_head_page(ptr))) { > > - kasan_report_invalid_free(ptr, ip); > > + kasan_report_invalid_free(ptr, ip, KASAN_REPORT_INVALID_FREE); > > return true; > > } > > > > if (!kasan_byte_accessible(ptr)) { > > - kasan_report_invalid_free(ptr, ip); > > + kasan_report_invalid_free(ptr, ip, KASAN_REPORT_DOUBLE_FREE); > > return true; > > } > > > > diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h > > index 610d60d6e5b8..01c03e45acd4 100644 > > --- a/mm/kasan/kasan.h > > +++ b/mm/kasan/kasan.h > > @@ -125,6 +125,7 @@ static inline bool kasan_sync_fault_possible(void) > > enum kasan_report_type { > > KASAN_REPORT_ACCESS, > > KASAN_REPORT_INVALID_FREE, > > + KASAN_REPORT_DOUBLE_FREE, > > }; > > > > struct kasan_report_info { > > @@ -277,7 +278,7 @@ static inline void kasan_print_address_stack_frame(const void *addr) { } > > > > bool kasan_report(unsigned long addr, size_t size, > > bool is_write, unsigned long ip); > > -void kasan_report_invalid_free(void *object, unsigned long ip); > > +void kasan_report_invalid_free(void *object, unsigned long ip, enum kasan_report_type type); > > > > struct page *kasan_addr_to_page(const void *addr); > > struct slab *kasan_addr_to_slab(const void *addr); > > diff --git a/mm/kasan/report.c b/mm/kasan/report.c > > index b341a191651d..fe3f606b3a98 100644 > > --- a/mm/kasan/report.c > > +++ b/mm/kasan/report.c > > @@ -176,8 +176,12 @@ static void end_report(unsigned long *flags, void *addr) > > static void print_error_description(struct kasan_report_info *info) > > { > > if (info->type == KASAN_REPORT_INVALID_FREE) { > > - pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", > > - (void *)info->ip); > > + pr_err("BUG: KASAN: invalid-free in %pS\n", (void *)info->ip); > > + return; > > + } > > + > > + if (info->type == KASAN_REPORT_DOUBLE_FREE) { > > + pr_err("BUG: KASAN: double-free in %pS\n", (void *)info->ip); > > return; > > } > > > > @@ -433,7 +437,7 @@ static void print_report(struct kasan_report_info *info) > > } > > } > > > > -void kasan_report_invalid_free(void *ptr, unsigned long ip) > > +void kasan_report_invalid_free(void *ptr, unsigned long ip, enum kasan_report_type type) > > { > > unsigned long flags; > > struct kasan_report_info info; > > @@ -448,7 +452,7 @@ void kasan_report_invalid_free(void *ptr, unsigned long ip) > > > > start_report(&flags, true); > > > > - info.type = KASAN_REPORT_INVALID_FREE; > > + info.type = type; > > info.access_addr = ptr; > > info.first_bad_addr = kasan_reset_tag(ptr); > > info.access_size = 0; > > -- > > 2.18.0 > >