kasan: improve double-free report format
authorAndrey Konovalov <andreyknvl@google.com>
Wed, 3 May 2017 21:56:47 +0000 (14:56 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Wed, 3 May 2017 22:52:12 +0000 (15:52 -0700)
Changes double-free report header from

  BUG: Double free or freeing an invalid pointer
  Unexpected shadow byte: 0xFB

to

  BUG: KASAN: double-free or invalid-free in kmalloc_oob_left+0xe5/0xef

This makes a bug uniquely identifiable by the first report line.  To
account for removing of the unexpected shadow value, print shadow bytes
at the end of the report as in reports for other kinds of bugs.

Link: http://lkml.kernel.org/r/20170302134851.101218-9-andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/kasan/kasan.c
mm/kasan/kasan.h
mm/kasan/report.c

index 98b27195e38b07fc1b6e20c1f9c49db9bc112303..9348d27088c1145872495859c8eee26f6dc7f23f 100644 (file)
@@ -577,7 +577,8 @@ bool kasan_slab_free(struct kmem_cache *cache, void *object)
 
        shadow_byte = READ_ONCE(*(s8 *)kasan_mem_to_shadow(object));
        if (shadow_byte < 0 || shadow_byte >= KASAN_SHADOW_SCALE_SIZE) {
-               kasan_report_double_free(cache, object, shadow_byte);
+               kasan_report_double_free(cache, object,
+                               __builtin_return_address(1));
                return true;
        }
 
index dd2dea8eb0771a506c0b510efc79c3fc5253bda5..1229298cce646ddc725c4f1ea9d823a0c71e3cd1 100644 (file)
@@ -99,7 +99,7 @@ static inline const void *kasan_shadow_to_mem(const void *shadow_addr)
 void kasan_report(unsigned long addr, size_t size,
                bool is_write, unsigned long ip);
 void kasan_report_double_free(struct kmem_cache *cache, void *object,
-                       s8 shadow);
+                                       void *ip);
 
 #if defined(CONFIG_SLAB) || defined(CONFIG_SLUB)
 void quarantine_put(struct kasan_free_meta *info, struct kmem_cache *cache);
index b015acc80876b9031abcf414830092b3171e9f30..7d3d9670e2334ecc2d93dea21db7ab772947d134 100644 (file)
@@ -243,22 +243,8 @@ static void describe_object(struct kmem_cache *cache, void *object,
        describe_object_addr(cache, object, addr);
 }
 
-void kasan_report_double_free(struct kmem_cache *cache, void *object,
-                       s8 shadow)
-{
-       unsigned long flags;
-
-       kasan_start_report(&flags);
-       pr_err("BUG: Double free or freeing an invalid pointer\n");
-       pr_err("Unexpected shadow byte: 0x%hhX\n", shadow);
-       dump_stack();
-       describe_object(cache, object, NULL);
-       kasan_end_report(&flags);
-}
-
-static void print_address_description(struct kasan_access_info *info)
+static void print_address_description(void *addr)
 {
-       void *addr = (void *)info->access_addr;
        struct page *page = addr_to_page(addr);
 
        dump_stack();
@@ -333,6 +319,18 @@ static void print_shadow_for_address(const void *addr)
        }
 }
 
+void kasan_report_double_free(struct kmem_cache *cache, void *object,
+                               void *ip)
+{
+       unsigned long flags;
+
+       kasan_start_report(&flags);
+       pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", ip);
+       print_address_description(object);
+       print_shadow_for_address(object);
+       kasan_end_report(&flags);
+}
+
 static void kasan_report_error(struct kasan_access_info *info)
 {
        unsigned long flags;
@@ -344,7 +342,7 @@ static void kasan_report_error(struct kasan_access_info *info)
        if (!addr_has_shadow(info)) {
                dump_stack();
        } else {
-               print_address_description(info);
+               print_address_description((void *)info->access_addr);
                print_shadow_for_address(info->first_bad_addr);
        }