kasan: fix bug report in mali driver
PD#172700
When KASAN is enabled, the following bug is reported:
==================================================================
BUG: KASAN: use-after-free in mali_allocation_unref+0x1b8/0x350 [mali]
Read of size 8 at addr ffffffc04c0b6378 by task BootAnimation/3034
CPU: 3 PID: 3034 Comm: BootAnimation Tainted: G B O 4.9.113 #5
Hardware name: Amlogic (DT)
Call trace:
[<ffffff900908ecc0>] dump_backtrace+0x0/0x368
[<ffffff900908f0cc>] show_stack+0x24/0x30
[<ffffff900963bdb0>] dump_stack+0xa0/0xc8
[<ffffff90092ba140>] print_address_description+0x68/0x258
[<ffffff90092ba694>] kasan_report+0x264/0x338
[<ffffff90092b8cd4>] __asan_load8+0x84/0x98
[<ffffff900260bce8>] mali_allocation_unref+0x1b8/0x350 [mali]
[<ffffff900260ab74>] _mali_ukk_mem_free+0xcc/0x190 [mali]
[<ffffff900260e4a0>] mem_free_wrapper+0x110/0x1c0 [mali]
[<ffffff90026129c0>] mali_ioctl+0x210/0x4b8 [mali]
[<ffffff900935c8d8>] compat_SyS_ioctl+0xe0/0x1218
[<ffffff9009083f00>] el0_svc_naked+0x34/0x38
Allocated by task 3034:
 save_stack_trace_tsk+0x0/0x268
 save_stack_trace+0x24/0x30
 kasan_kmalloc+0xd8/0x188
 kasan_slab_alloc+0x14/0x20
 kmem_cache_alloc+0x118/0x258
 mmap_region+0x390/0x7a8
 do_mmap+0x308/0x470
 vm_mmap_pgoff+0x140/0x168
 SyS_mmap_pgoff+0x98/0x118
 el0_svc_naked+0x34/0x38
Freed by task 3034:
 save_stack_trace_tsk+0x0/0x268
 save_stack_trace+0x24/0x30
 kasan_slab_free+0x88/0x188
 kmem_cache_free+0x68/0x268
 remove_vma+0x94/0xa8
 do_munmap+0x340/0x500
 SyS_munmap+0x58/0x80
 el0_svc_naked+0x34/0x38
The buggy address belongs to the object at ffffffc04c0b62d0
 which belongs to the cache vm_area_struct of size 176
The buggy address is located 168 bytes inside of
 176-byte region [ffffffc04c0b62d0, ffffffc04c0b6380)
The buggy address belongs to the page:
page:ffffffbf01302d80 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x851af00000080(slab)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffffffc04c0b6200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc04c0b6280: 00 00 fc fc fc fc fc fc fc fc fb fb fb fb fb fb
>ffffffc04c0b6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffffffc04c0b6380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffffffc04c0b6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
==================================================================
Once the UI has any update, this report will print. It is because
cpu_mapping.vma is not cleared in the mali_mem_vma_close hook and is used
in the mali_allocation_unref function.
Change-Id: Ic6319b6e6c6255324736d82cf0d386b6f61a39b8
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
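The sequence the report describes (mmap caches a vm_area_struct pointer in the driver's mapping record, munmap runs the driver's vma close hook and then frees the vma, and a later mem_free ioctl dereferences the cached pointer) can be replayed in user space. The following C program is an added illustration, not code from the Mali driver or from this commit; the struct names, the hook and function names, and the "freed" flag standing in for KASAN's freed-object tracking are all constructed for the example. It contrasts a close hook that leaves the cached pointer in place with one that clears it, which is the fix the commit message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's vm_area_struct. It is never really
 * freed here (reading freed memory would be undefined behaviour); instead a
 * "freed" flag lets a stale read be reported the way KASAN reports it. */
struct vma {
    unsigned long start;
    bool freed;
};

/* Constructed stand-in for the driver's cpu_mapping record, which caches
 * the vma pointer handed to it at mmap time. */
struct cpu_mapping {
    struct vma *vma;
};

struct allocation {
    struct cpu_mapping cpu_mapping;
    int refcount;
};

/* Toy KASAN check: true when the object being read has already been freed. */
static bool stale_read(const struct vma *v) { return v->freed; }

/* Buggy close hook: the cached pointer is left dangling. */
static void vma_close_buggy(struct allocation *a) { (void)a; }

/* Fixed close hook: drop the cached pointer, as the commit describes. */
static void vma_close_fixed(struct allocation *a) { a->cpu_mapping.vma = NULL; }

/* munmap path from the report: the driver's close hook runs first, then the
 * kernel frees the vm_area_struct (remove_vma -> kmem_cache_free). */
static void do_munmap(struct allocation *a, struct vma *v,
                      void (*close_hook)(struct allocation *)) {
    close_hook(a);
    v->freed = true;
}

/* mem_free ioctl path from the report. Returns 0 on a clean unref and -1
 * when it reads through a pointer to a freed vma (the use-after-free). */
static int allocation_unref(struct allocation *a) {
    if (--a->refcount > 0)
        return 0;
    if (a->cpu_mapping.vma != NULL) {
        if (stale_read(a->cpu_mapping.vma))
            return -1;
        /* a real driver would use a->cpu_mapping.vma->start here */
    }
    return 0;
}

/* Replays mmap -> munmap -> mem_free ioctl with either close hook. */
int replay(bool fixed) {
    struct vma v = { .start = 0x7f000000UL, .freed = false };   /* constructed */
    struct allocation a = { .cpu_mapping = { .vma = &v }, .refcount = 1 };
    do_munmap(&a, &v, fixed ? vma_close_fixed : vma_close_buggy);
    return allocation_unref(&a);
}

int main(void) {
    printf("buggy close hook: %d (-1 = stale read)\n", replay(false));
    printf("fixed close hook: %d\n", replay(true));
    return 0;
}
```

The ordering is the whole point: the vma's lifetime ends at munmap, but the driver record that cached it lives until the ioctl, so any cached pointer into the vma has to be invalidated in the close hook (the last moment the driver is told the vma still exists) and checked for NULL at every later use.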