On Tue, Nov 17, 2020 at 2:12 PM Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
>
> > void __kasan_poison_slab(struct page *page)
> > {
> > @@ -272,11 +305,9 @@ void * __must_check __kasan_init_slab_obj(struct kmem_cache *cache,
> > struct kasan_alloc_meta *alloc_meta;
> >
> > if (kasan_stack_collection_enabled()) {
> > - if (!(cache->flags & SLAB_KASAN))
> > - return (void *)object;
>
> Is it a subtle change in behavior?
> Previously we had an early return and also did not set tag, now we
> only skip memset but set tag... was it a bug before?...
This is a change in behavior, see the patch description. We now always
sanitize an object's contents, but only store/update the metadata when
it fits. I'll update the patch title, as it might sound confusing, as
it kind of implies we're not changing the behavior.
> > @@ -135,7 +135,12 @@ static void qlink_free(struct qlist_node *qlink, struct kmem_cache *cache)
> > if (IS_ENABLED(CONFIG_SLAB))
> > local_irq_save(flags);
> >
> > + /*
> > + * As the object now gets freed from the quaratine, assume that its
> > + * free track is now longer valid.
>
> typo: _no_ longer valid
Will fix!
>
> > + */
> > *(u8 *)kasan_mem_to_shadow(object) = KASAN_KMALLOC_FREE;
> > +
> > ___cache_free(cache, object, _THIS_IP_);
> >
> > if (IS_ENABLED(CONFIG_SLAB))
> > @@ -168,6 +173,9 @@ void quarantine_put(struct kmem_cache *cache, void *object)
> > struct qlist_head temp = QLIST_INIT;
> > struct kasan_free_meta *meta = kasan_get_free_meta(cache, object);
> >
> > + if (!meta)
> > + return;
>
> Humm... is this possible? If yes, we would be leaking the object here...
> Perhaps BUG_ON with a comment instead.
No, this isn't possible. Will turn this into a warning and add a comment.
Thanks!
