From 0c94c90ad60b3601b6b22af205b820413d17a5f6 Mon Sep 17 00:00:00 2001 
From: tao zeng Date: Thu, 30 Aug 2018 14:08:18 +0800 Subject: [PATCH] kasan: fix bug report in mali driver PD#172700 When kasan enabled, following bug will report: ================================================================== BUG: KASAN: use-after-free in mali_allocation_unref+0x1b8/0x350 [mali] Read of size 8 at addr ffffffc04c0b6378 by task BootAnimation/3034 CPU: 3 PID: 3034 Comm: BootAnimation Tainted: G B O 4.9.113 #5 Hardware name: Amlogic (DT) Call trace: [] dump_backtrace+0x0/0x368 [] show_stack+0x24/0x30 [] dump_stack+0xa0/0xc8 [] print_address_description+0x68/0x258 [] kasan_report+0x264/0x338 [] __asan_load8+0x84/0x98 [] mali_allocation_unref+0x1b8/0x350 [mali] [] _mali_ukk_mem_free+0xcc/0x190 [mali] [] mem_free_wrapper+0x110/0x1c0 [mali] [] mali_ioctl+0x210/0x4b8 [mali] [] compat_SyS_ioctl+0xe0/0x1218 [] el0_svc_naked+0x34/0x38 Allocated by task 3034: save_stack_trace_tsk+0x0/0x268 save_stack_trace+0x24/0x30 kasan_kmalloc+0xd8/0x188 kasan_slab_alloc+0x14/0x20 kmem_cache_alloc+0x118/0x258 mmap_region+0x390/0x7a8 do_mmap+0x308/0x470 vm_mmap_pgoff+0x140/0x168 SyS_mmap_pgoff+0x98/0x118 el0_svc_naked+0x34/0x38 Freed by task 3034: save_stack_trace_tsk+0x0/0x268 save_stack_trace+0x24/0x30 kasan_slab_free+0x88/0x188 kmem_cache_free+0x68/0x268 remove_vma+0x94/0xa8 do_munmap+0x340/0x500 SyS_munmap+0x58/0x80 el0_svc_naked+0x34/0x38 The buggy address belongs to the object at ffffffc04c0b62d0 which belongs to the cache vm_area_struct of size 176 The buggy address is located 168 bytes inside of 176-byte region [ffffffc04c0b62d0, ffffffc04c0b6380) The buggy address belongs to the page: page:ffffffbf01302d80 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x851af00000080(slab) page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffc04c0b6200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc04c0b6280: 00 00 fc fc fc fc fc fc fc fc fb fb fb fb fb fb >ffffffc04c0b6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 
ffffffc04c0b6380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffffffc04c0b6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ================================================================== Once UI have any update, this report will print. It is because cpu_mapping.vma not cleared in mali_mem_vma_close hook and used in mali_allocation_unref function. Change-Id: Ic6319b6e6c6255324736d82cf0d386b6f61a39b8 Signed-off-by: tao zeng --- mali/linux/mali_memory.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mali/linux/mali_memory.c b/mali/linux/mali_memory.c index 78fdd05..f159514 100755 --- a/mali/linux/mali_memory.c +++ b/mali/linux/mali_memory.c @@ -64,6 +64,7 @@ static void mali_mem_vma_close(struct vm_area_struct *vma) mali_session_memory_lock(session); vma->vm_private_data = NULL; + alloc->cpu_mapping.vma = NULL; mali_session_memory_unlock(session); mali_allocation_unref(&alloc); -- 2.20.1
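Review bot: the added `alloc->cpu_mapping.vma = NULL;` in `mali_mem_vma_close` only clears the stale pointer; it does not by itself prevent the reported read, because the KASAN trace shows `mali_allocation_unref` dereferencing `cpu_mapping.vma` (an 8-byte read 168 bytes inside the freed `vm_area_struct`), so after this change that same path will see a NULL pointer instead of a freed one. Please confirm in the commit message, or include in this patch, that `mali_allocation_unref` checks `cpu_mapping.vma` for NULL before touching it; otherwise the use-after-free becomes a NULL-pointer dereference on the same munmap-then-ioctl sequence shown in the trace (`remove_vma` frees the VMA, a later `_mali_ukk_mem_free` ioctl reads it). Clearing the pointer under `mali_session_memory_lock` next to the existing `vma->vm_private_data = NULL;` is the right place, since the close hook is the last point the VMA is known to be valid; if `cpu_mapping` caches anything else derived from the VMA, it should be invalidated here as well. Minor: the file header reports mode `100755` for `mali/linux/mali_memory.c`; a C source file should not be executable, so consider dropping the execute bit in a separate change.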