Re: [PATCH] kasan: guard release_free_meta() shadow access with kasan_arch_is_ready()

On Tue, 13 Feb 2024 14:39:58 +1100 Benjamin Gray <bgray@xxxxxxxxxxxxx> wrote:

> release_free_meta() accesses the shadow directly through the path
> 
>   kasan_slab_free
>     __kasan_slab_free
>       kasan_release_object_meta
>         release_free_meta
>           kasan_mem_to_shadow
> 
> There are no kasan_arch_is_ready() guards here, allowing an oops when
> the shadow is not initialized. The oops can be seen on a Power8 KVM
> guest.
> 
> This patch adds the guard to release_free_meta(), as it's the first
> level that specifically requires the shadow.
> 
> It is safe to put the guard at the start of this function, before the
> stack put: only kasan_save_free_info() can initialize the saved stack,
> which itself is guarded with kasan_arch_is_ready() by its caller
> poison_slab_object(). If the arch becomes ready before
> release_free_meta() then we will not observe KASAN_SLAB_FREE_META in the
> object's shadow, so we will not put an uninitialized stack either.
> 
> ...
>
> --- a/mm/kasan/generic.c
> +++ b/mm/kasan/generic.c
> @@ -522,6 +522,9 @@ static void release_alloc_meta(struct kasan_alloc_meta *meta)
>  
>  static void release_free_meta(const void *object, struct kasan_free_meta *meta)
>  {
> +	if (!kasan_arch_is_ready())
> +		return;
> +
>  	/* Check if free meta is valid. */
>  	if (*(u8 *)kasan_mem_to_shadow(object) != KASAN_SLAB_FREE_META)
>  		return;
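Review bot: the new early return at the top of release_free_meta() also skips the stack_depot put further down, and nothing in the hunk says why that cannot leak a handle; that argument (the handle is only ever saved by kasan_save_free_info(), reached through poison_slab_object(), which is itself gated on kasan_arch_is_ready()) lives only in the commit message. Suggest a one-line comment above the check, e.g. `/* Shadow is not mapped yet, so no free stack can have been saved either. */`, so a later reader of generic.c does not take the skipped put for a leak.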

I'll add
Fixes: 63b85ac56a64 ("kasan: stop leaking stack trace handles")
