KASan/arm64: Instrument atomic memory access
Issue description

In http://crosbug.com/p/51396, we identified a bug where a reference count is decreased on an object that had already been freed:

[ 50.638456] =============================================================================
[ 50.646583] BUG kmalloc-192 (Not tainted): Poison overwritten
[ 50.652282] -----------------------------------------------------------------------------
[ 50.652282]
[ 50.661860] Disabling lock debugging due to kernel taint
[ 50.667130] INFO: 0xffffffc050f9f608-0xffffffc050f9f608. First byte 0x6a instead of 0x6b
[ 50.675167] INFO: Allocated in mtk_drm_framebuffer_init.part.0+0x4c/0xc0 age=77 cpu=0 pid=5598
[ 50.683715] alloc_debug_processing+0x124/0x17c
[ 50.688210] __slab_alloc.isra.60.constprop.62+0x4f8/0x670
[ 50.693654] kmem_cache_alloc_trace+0xbc/0x248
[ 50.698063] mtk_drm_framebuffer_init.part.0+0x48/0xc0
[ 50.703161] mtk_drm_mode_fb_create+0x104/0x21c
[ 50.707657] internal_framebuffer_create+0x8c4/0x920
[ 50.712582] drm_mode_addfb2+0x54/0x124
[ 50.716390] drm_ioctl+0x518/0x5e0
[ 50.719768] drm_compat_ioctl+0x3c/0x90
[ 50.723572] compat_SyS_ioctl+0x16c/0x1758
[ 50.727637] __sys_trace+0x48/0x4c
[ 50.731013] INFO: Freed in mtk_drm_fb_destroy+0xd0/0x120 age=27 cpu=3 pid=5598
[ 50.738177] free_debug_processing+0x260/0x330
[ 50.742586] __slab_free+0x70/0x424
[ 50.746046] kfree+0x28c/0x2c0
[ 50.749075] mtk_drm_fb_destroy+0xcc/0x120
[ 50.753139] drm_framebuffer_free+0x84/0x98
[ 50.757290] drm_framebuffer_unreference+0x8c/0x9c
[ 50.762042] drm_framebuffer_remove+0x180/0x1b4
[ 50.766537] drm_mode_rmfb+0x124/0x15c
[ 50.770255] drm_ioctl+0x518/0x5e0
[ 50.773630] drm_compat_ioctl+0x3c/0x90
[ 50.777435] compat_SyS_ioctl+0x16c/0x1758
[ 50.781500] __sys_trace+0x48/0x4c
[ 50.784876] INFO: Slab 0xffffffbe01fb6a20 objects=28 used=28 fp=0x (null) flags=0x4080
[ 50.793506] INFO: Object 0xffffffc050f9f600 @offset=13824 fp=0xffffffc050f9fa80
[ 50.793506]
[ 50.802226] Bytes b4 ffffffc050f9f5f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 50.811632] Object ffffffc050f9f600: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b kkkkkkkkjkkkkkkk
[ 50.820867] Object ffffffc050f9f610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.830101] Object ffffffc050f9f620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.839333] Object ffffffc050f9f630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.848567] Object ffffffc050f9f640: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.857801] Object ffffffc050f9f650: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.867034] Object ffffffc050f9f660: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.876267] Object ffffffc050f9f670: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.885500] Object ffffffc050f9f680: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.894735] Object ffffffc050f9f690: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.903969] Object ffffffc050f9f6a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 50.913202] Object ffffffc050f9f6b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 50.922435] Redzone ffffffc050f9f6c0: bb bb bb bb bb bb bb bb ........
[ 50.931067] Padding ffffffc050f9f800: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 50.940388] Padding ffffffc050f9f810: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 50.949709] Padding ffffffc050f9f820: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 50.959029] Padding ffffffc050f9f830: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 50.968352] CPU: 2 PID: 5478 Comm: chrome Tainted: G B 3.18.0 #166
[ 50.975516] Hardware name: Mediatek Oak rev6 board (DT)
[ 50.980697] Call trace:
[ 50.983125] [<ffffffc00020a20c>] dump_backtrace+0x0/0x170
[ 50.988484] [<ffffffc00020a398>] show_stack+0x1c/0x28
[ 50.993497] [<ffffffc000b1b8dc>] dump_stack+0xa0/0xf8
[ 50.998509] [<ffffffc000397580>] print_trailer+0x158/0x16c
[ 51.003403] anx7814 5-0072: video stream not valid!
[ 51.008785] [<ffffffc000397670>] check_bytes_and_report+0xdc/0x140
[ 51.014918] [<ffffffc000397860>] check_object+0x130/0x230
[ 51.020276] [<ffffffc000398768>] alloc_debug_processing+0x104/0x17c
[ 51.026496] [<ffffffc000398cd8>] __slab_alloc.isra.60.constprop.62+0x4f8/0x670
[ 51.033662] [<ffffffc000399484>] __kmalloc+0x108/0x294
...

However, KASan only notified us of this on the next kmalloc, and not on the memory access itself.

The code path that is followed in this case is:

drm_framebuffer_unreference
  => kref_put(&fb->refcount, drm_framebuffer_free);
  => atomic_sub_and_test
  => atomic_sub_return

which does not appear to be instrumented with KASan:

> disas drm_framebuffer_unreference
0xffffffc00062aa84 <+108>: add x2, x19, #0x8
0xffffffc00062aa88 <+112>: ldxr w0, [x2]
0xffffffc00062aa8c <+116>: sub w0, w0, #0x1
0xffffffc00062aa90 <+120>: stlxr w1, w0, [x2]
0xffffffc00062aa94 <+124>: cbnz w1, 0xffffffc00062aa88 <drm_framebuffer_unreference+112>
0xffffffc00062aa98 <+128>: dmb ish
0xffffffc00062aa9c <+132>: cbnz w0, 0xffffffc00062aaa8 <drm_framebuffer_unreference+144>
0xffffffc00062aaa0 <+136>: mov x0, x20
0xffffffc00062aaa4 <+140>: bl 0xffffffc00062a980 <drm_framebuffer_free>

Can we add such instrumentation?
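The gap described in the report, as an added user-space model that is not part of this issue or of the kernel: a tiny shadow map marks an object as freed, an uninstrumented atomic decrement (the ldxr/stlxr loop above, modelled here with a compiler atomic builtin) writes to the freed refcount without any check, while a wrapper that performs an explicit kasan_check_write() before the raw atomic op reports the access at the point it happens rather than at the next allocation. The arena, shadow layout, poison value, toy_alloc_int/toy_free_int and the two atomic_sub_return_* variants are all constructed for this example; the instrumented variant's shape (a shadow check ahead of the raw op) is an assumption about how such instrumentation is done, not code taken from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of KASan's shadow memory: one shadow byte per 8-byte
 * granule of a small arena. 0 means accessible, non-zero means poisoned. */
#define ARENA_SIZE   256
#define GRANULE      8
#define SHADOW_FREED 0xFB   /* constructed poison value for a freed object */

static unsigned char arena[ARENA_SIZE] __attribute__((aligned(GRANULE)));
static unsigned char shadow[ARENA_SIZE / GRANULE];
static int reports;         /* invalid accesses reported so far */

static size_t arena_offset(const void *p)
{
    return (size_t)((const unsigned char *)p - (const unsigned char *)arena);
}

static void shadow_set(const void *p, size_t n, unsigned char v)
{
    size_t off = arena_offset(p);
    memset(&shadow[off / GRANULE], v, (n + GRANULE - 1) / GRANULE);
}

/* Stand-in for a kasan_check_write(): report if any granule covered by the
 * write is poisoned. A real KASan would also print the alloc/free stacks. */
static void kasan_check_write(const void *p, size_t n)
{
    size_t off = arena_offset(p);
    for (size_t g = off / GRANULE; g < (off + n + GRANULE - 1) / GRANULE; g++) {
        if (shadow[g] != 0) {
            reports++;
            fprintf(stderr, "KASan: write of size %zu to freed object at %p\n", n, p);
            return;
        }
    }
}

/* Toy allocator: a single int object at the start of the arena. */
static int *toy_alloc_int(void)
{
    int *p = (int *)arena;
    shadow_set(p, sizeof *p, 0);            /* unpoison: object is live */
    return p;
}

static void toy_free_int(int *p)
{
    shadow_set(p, sizeof *p, SHADOW_FREED); /* poison: later access is a UAF */
}

/* Uninstrumented atomic decrement: like the arm64 ldxr/stlxr loop, nothing
 * looks at the shadow before the store, so a UAF goes unnoticed here. */
static int atomic_sub_return_uninstrumented(int i, int *v)
{
    return __atomic_sub_fetch(v, i, __ATOMIC_SEQ_CST);
}

/* Instrumented variant: an explicit shadow check before the raw atomic op
 * (constructed here; assumed shape of instrumented atomics, not kernel code). */
static int atomic_sub_return_instrumented(int i, int *v)
{
    kasan_check_write(v, sizeof *v);
    return __atomic_sub_fetch(v, i, __ATOMIC_SEQ_CST);
}

/* Replays the bug's shape: the refcount's object is freed, then a kref_put-style
 * decrement runs on the dangling pointer. Returns how many reports were raised. */
int run_uaf_scenario(bool instrumented)
{
    reports = 0;
    int *refcount = toy_alloc_int();
    *refcount = 1;
    toy_free_int(refcount);                 /* object already released */
    if (instrumented)
        atomic_sub_return_instrumented(1, refcount);
    else
        atomic_sub_return_uninstrumented(1, refcount);
    return reports;
}

int main(void)
{
    printf("uninstrumented atomic: %d report(s)\n", run_uaf_scenario(false));
    printf("instrumented atomic:   %d report(s)\n", run_uaf_scenario(true));
    return 0;
}
```

The uninstrumented path returns zero reports even though it just wrote into poisoned memory; that is exactly why the report above only surfaced when SLUB's poison check ran on the next kmalloc. The instrumented path reports once, at the faulting decrement, which is the behaviour the issue asks for.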
Dec 27 2017
Jun 1 2018
glider: I think this is fixed now?
Comment 1 by glider@chromium.org, Mar 21 2016