Set this value in kasan_mark_slab_invalid; at this point we're
allocating a new slab and the structures within it have not yet
been allocated. This allows us to avoid reporting a misleading
"use after free".
Reviewers: markj
Repository: rG FreeBSD src repository
@markj I don't know enough about the UMA code to be 100% certain that this is correct, but I think it's right -- we only call this from keg_alloc_slab, which is assigning never-before-used pages to a zone, right?
keg_alloc_slab() allocates a slab (i.e., one or more virtually contiguous pages) from the system page allocator. Slabs may be released back to the page allocator under memory pressure or when they have been unused for a long time, after which point they could be re-imported. So "never-before-used" isn't really right. It's certainly possible for a use-after-free to occur across the recycling of a slab, so KASAN_UMA_FREED isn't always incorrect.
I think this change just gives a more accurate report string in the case where something is scribbling over "random" kernel memory? Of course, it's not really possible to precisely distinguish that from a real use-after-free. We could alternately extend the panic message to say "use-after-free or memory scribbler". I don't object to the patch though.
Note that the change as-is isn't complete: after a slab is allocated, a per-CPU bucket will be populated with some items from the cache, and kasan_mark_item_invalid() will overwrite the state bytes, setting them back to KASAN_UMA_FREED even though they are conceptually still in the NEVERUSED state.
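The incompleteness described in the last comment can be shown with a small toy model of shadow-state bytes. This is an added example and is not FreeBSD's KASAN or UMA code: the shadow byte values, the `SH_*` names, the `model_*` helpers and the "4 items of 16 bytes" slab layout are all hypothetical stand-ins chosen for illustration. It shows that poisoning a fresh slab as never-used is undone for items that are later placed in a per-CPU bucket, and what a state-preserving variant of the item marking would look like.

```c
/* Toy model of KASAN shadow-state bytes for UMA slab items (added example,
 * not FreeBSD code). State values and helper names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_BYTES 64          /* hypothetical: one 4-item slab, 16 bytes each */
#define ITEM_SIZE    16

enum shadow_state {
    SH_VALID         = 0x00,     /* addressable memory */
    SH_UMA_FREED     = 0xF1,     /* hypothetical stand-in for KASAN_UMA_FREED */
    SH_UMA_NEVERUSED = 0xF2,     /* hypothetical: fresh slab, never handed out */
};

static uint8_t shadow[SHADOW_BYTES];

/* Models kasan_mark_slab_invalid(): a freshly imported slab is poisoned
 * as never-used so a scribble into it is not reported as use-after-free. */
void model_mark_slab_invalid(size_t off, size_t len)
{
    memset(shadow + off, SH_UMA_NEVERUSED, len);
}

/* Models kasan_mark_item_invalid() as described in the review: it writes
 * FREED unconditionally, so items placed in a per-CPU bucket lose the
 * NEVERUSED state even though they have never been allocated. */
void model_mark_item_invalid(size_t off, size_t len)
{
    memset(shadow + off, SH_UMA_FREED, len);
}

/* Hypothetical variant that keeps NEVERUSED until the item is first used. */
void model_mark_item_invalid_preserving(size_t off, size_t len)
{
    for (size_t i = off; i < off + len; i++)
        if (shadow[i] != SH_UMA_NEVERUSED)
            shadow[i] = SH_UMA_FREED;
}

/* Models marking an item valid when it is handed to a caller. */
void model_mark_item_valid(size_t off, size_t len)
{
    memset(shadow + off, SH_VALID, len);
}

/* The report string a checker would emit for a write at byte offset off. */
const char *model_report(size_t off)
{
    switch (shadow[off]) {
    case SH_VALID:         return "ok";
    case SH_UMA_FREED:     return "use-after-free";
    case SH_UMA_NEVERUSED: return "never-used memory (possible scribbler)";
    default:               return "unknown";
    }
}

/* Scenario: import a slab, then populate a bucket with items 0 and 1.
 * A stray write into item 1 is then classified. */
const char *scenario_plain(void)
{
    model_mark_slab_invalid(0, SHADOW_BYTES);
    model_mark_item_invalid(0, 2 * ITEM_SIZE);     /* bucket gets items 0,1 */
    return model_report(ITEM_SIZE);                 /* item 1, never allocated */
}

const char *scenario_preserving(void)
{
    model_mark_slab_invalid(0, SHADOW_BYTES);
    model_mark_item_invalid_preserving(0, 2 * ITEM_SIZE);
    return model_report(ITEM_SIZE);
}

/* Scenario: item 0 is allocated, freed, then written to: a real UAF. */
const char *scenario_real_uaf(void)
{
    model_mark_slab_invalid(0, SHADOW_BYTES);
    model_mark_item_invalid_preserving(0, 2 * ITEM_SIZE);
    model_mark_item_valid(0, ITEM_SIZE);            /* handed to a caller */
    model_mark_item_invalid_preserving(0, ITEM_SIZE); /* freed again */
    return model_report(0);
}

int main(void)
{
    printf("plain bucket fill:      %s\n", scenario_plain());
    printf("preserving bucket fill: %s\n", scenario_preserving());
    printf("real use-after-free:    %s\n", scenario_real_uaf());
    return 0;
}
```

The preserving variant only changes which report string is produced; as the comment above notes, neither form can distinguish a memory scribbler from a genuine use-after-free across slab recycling, so the distinction is only as trustworthy as the slab's history.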