The quilt patch titled
Subject: kasan: better identify bug types for tag-based modes
has been removed from the -mm tree. Its filename was
kasan-better-identify-bug-types-for-tag-based-modes.patch
This patch was dropped because it was merged into the mm-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Subject: kasan: better identify bug types for tag-based modes
Date: Mon, 5 Sep 2022 23:05:48 +0200
Identify the bug type for the tag-based modes based on the stack trace
entries found in the stack ring.
If a free entry is found first (meaning that it was added last), mark the
bug as use-after-free. If an alloc entry is found first, mark the bug as
slab-out-of-bounds. Otherwise, assign the common bug type.
This change returns the functionalify of the previously dropped
CONFIG_KASAN_TAGS_IDENTIFY.
Link: https://lkml.kernel.org/r/13ce7fa07d9d995caedd1439dfae4d51401842f2.1662411800.git.andreyknvl@xxxxxxxxxx
Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Reviewed-by: Marco Elver <elver@xxxxxxxxxx>
Cc: Alexander Potapenko <glider@xxxxxxxxxx>
Cc: Andrey Ryabinin <ryabinin.a.a@xxxxxxxxx>
Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Cc: Evgenii Stepanov <eugenis@xxxxxxxxxx>
Cc: Peter Collingbourne <pcc@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
mm/kasan/report_tags.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
--- a/mm/kasan/report_tags.c~kasan-better-identify-bug-types-for-tag-based-modes
+++ a/mm/kasan/report_tags.c
@@ -10,7 +10,7 @@
extern struct kasan_stack_ring stack_ring;
-static const char *get_bug_type(struct kasan_report_info *info)
+static const char *get_common_bug_type(struct kasan_report_info *info)
{
/*
* If access_size is a negative number, then it has reason to be
@@ -37,9 +37,8 @@ void kasan_complete_mode_report_info(str
bool is_free;
bool alloc_found = false, free_found = false;
- info->bug_type = get_bug_type(info);
-
- if (!info->cache || !info->object)
+ if (!info->cache || !info->object) {
+ info->bug_type = get_common_bug_type(info);
return;
}
@@ -84,6 +83,13 @@ void kasan_complete_mode_report_info(str
info->free_track.pid = pid;
info->free_track.stack = stack;
free_found = true;
+
+ /*
+ * If a free entry is found first, the bug is likely
+ * a use-after-free.
+ */
+ if (!info->bug_type)
+ info->bug_type = "use-after-free";
} else {
/* Second alloc of the same object. Give up. */
if (alloc_found)
@@ -92,8 +98,19 @@ void kasan_complete_mode_report_info(str
info->alloc_track.pid = pid;
info->alloc_track.stack = stack;
alloc_found = true;
+
+ /*
+ * If an alloc entry is found first, the bug is likely
+ * an out-of-bounds.
+ */
+ if (!info->bug_type)
+ info->bug_type = "slab-out-of-bounds";
}
}
write_unlock_irqrestore(&stack_ring.lock, flags);
+
+ /* Assign the common bug type if no entries were found. */
+ if (!info->bug_type)
+ info->bug_type = get_common_bug_type(info);
}
_
Patches currently in -mm which might be from andreyknvl@xxxxxxxxxx are
kasan-fix-array-bounds-warnings-in-tests.patch
