On Mon, Jul 4, 2016 at 8:11 PM, Andrey Ryabinin wrote:
> 2016-07-01 20:38 GMT+03:00 Dmitry Vyukov :
>> I've hit a GPF in depot_fetch_stack when it was given
>> bogus stack handle. I think it was caused by a distant
>> out-of-bounds that hit a different object, as the result
>> we treated uninit ga
On Fri, Jul 1, 2016 at 1:41 PM, Andrey Ryabinin wrote:
>
>
> On 07/01/2016 10:53 AM, js1...@gmail.com wrote:
>> From: Joonsoo Kim
>>
>> If we move an item on qlist's tail, we need to update qlist's tail
>> properly. curr->next can be NULL since it is singly linked list
>> so it is invalid for tai
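The tail bug described in the quoted patch, worked through as an added example. This is not Joonsoo Kim's patch and not the kernel's mm/kasan/quarantine.c: the struct layouts, the cache_id field and the move/scenario functions are assumptions made for this illustration. The buggy move leaves from->tail pointing at a node that has already been handed to the other list; the fixed move rebuilds the list so head, tail and byte count are always consistent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model of a KASAN quarantine list: singly linked, with head, tail and a
 * running byte count. Names mirror the kernel's qlist helpers, but this is example
 * code (assumed layout), not mm/kasan/quarantine.c. */
struct qlist_node { struct qlist_node *next; };
struct qlist_head { struct qlist_node *head; struct qlist_node *tail; size_t bytes; };
/* Stand-in for a quarantined slab object: the cache it came from and its size. */
struct qobj { struct qlist_node link; int cache_id; size_t size; };

static void qlist_init(struct qlist_head *q) { q->head = q->tail = NULL; q->bytes = 0; }
static bool qlist_empty(const struct qlist_head *q) { return q->head == NULL; }
static struct qobj *qlink_to_obj(struct qlist_node *n) { return (struct qobj *)n; } /* link is first */

/* Append at the tail. Every put writes through q->tail, which is what makes a stale tail dangerous. */
static void qlist_put(struct qlist_head *q, struct qlist_node *n, size_t size)
{
	n->next = NULL;
	if (qlist_empty(q))
		q->head = n;
	else
		q->tail->next = n;
	q->tail = n;
	q->bytes += size;
}

/* Buggy move: unlinks matching nodes in place but never updates from->tail. When the
 * moved node is the tail, from->tail keeps pointing at a node now owned by `to`, and
 * curr->next is NULL there, so it cannot be used to recover the new tail either. */
static void qlist_move_cache_buggy(struct qlist_head *from, struct qlist_head *to, int cache_id)
{
	struct qlist_node *prev = NULL, *curr = from->head;
	while (curr) {
		struct qlist_node *next = curr->next;
		struct qobj *obj = qlink_to_obj(curr);
		if (obj->cache_id == cache_id) {
			if (from->head == curr)
				from->head = next;
			else
				prev->next = next;
			from->bytes -= obj->size;
			qlist_put(to, curr, obj->size);
		} else {
			prev = curr;
		}
		curr = next;
	}
}

/* Fixed move: detach the chain, reset `from`, and re-put every node into the list it
 * belongs to. head, tail and bytes are rebuilt by qlist_put and cannot disagree. */
static void qlist_move_cache_fixed(struct qlist_head *from, struct qlist_head *to, int cache_id)
{
	struct qlist_node *curr = from->head;
	qlist_init(from);
	while (curr) {
		struct qlist_node *next = curr->next;
		struct qobj *obj = qlink_to_obj(curr);
		qlist_put(obj->cache_id == cache_id ? to : from, curr, obj->size);
		curr = next;
	}
}

/* Invariant: tail is the last node reachable from head (NULL when empty). */
static bool qlist_tail_ok(const struct qlist_head *q)
{
	struct qlist_node *last = NULL;
	for (struct qlist_node *n = q->head; n; n = n->next)
		last = n;
	return q->tail == last;
}

static size_t qlist_len(const struct qlist_head *q)
{
	size_t n = 0;
	for (struct qlist_node *p = q->head; p; p = p->next)
		n++;
	return n;
}

struct scenario_result { bool tail_ok; size_t from_len; size_t to_len; };

/* Constructed scenario: from = [A, B, A], so the tail is one of the nodes being moved.
 * A later qlist_put on `from` then shows the damage a stale tail does: the new node is
 * linked behind a node that lives in `to`, and `from` loses it. */
static struct scenario_result run_scenario(bool use_fixed)
{
	struct qobj objs[4] = { {{NULL}, 'A', 32}, {{NULL}, 'B', 64}, {{NULL}, 'A', 32}, {{NULL}, 'B', 64} };
	struct qlist_head from, to;
	struct scenario_result r;

	qlist_init(&from);
	qlist_init(&to);
	for (int i = 0; i < 3; i++)
		qlist_put(&from, &objs[i].link, objs[i].size);
	if (use_fixed)
		qlist_move_cache_fixed(&from, &to, 'A');
	else
		qlist_move_cache_buggy(&from, &to, 'A');
	r.tail_ok = qlist_tail_ok(&from);
	qlist_put(&from, &objs[3].link, objs[3].size); /* must land in `from`, never in `to` */
	r.from_len = qlist_len(&from);
	r.to_len = qlist_len(&to);
	return r;
}

static bool scenario_tail_ok(bool use_fixed) { return run_scenario(use_fixed).tail_ok; }
static size_t scenario_from_len(bool use_fixed) { return run_scenario(use_fixed).from_len; }
static size_t scenario_to_len(bool use_fixed) { return run_scenario(use_fixed).to_len; }

int main(void)
{
	for (int fixed = 0; fixed < 2; fixed++)
		printf("%s: tail_ok=%d from_len=%zu to_len=%zu\n", fixed ? "fixed" : "buggy",
		       scenario_tail_ok(fixed), scenario_from_len(fixed), scenario_to_len(fixed));
	return 0;
}
```

With the buggy move the tail check fails and the node appended afterwards ends up in the wrong list (from_len 1, to_len 3); with the fixed move both lists hold exactly the two nodes they should. The same stale-tail write is what turns a quarantine bookkeeping slip into memory corruption of objects owned by another list.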
This patch adds new tests for KASAN double-free error detection when the
same slab object is concurrently deallocated.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v5:
- Addressed review comment from Alexander Potapenko: changed allocation
size for double-free tests to an innocuous 100
ly attempt to free
the same object.
- Tested with new double-free tests for 'test_kasan' in accompanying patch.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v5:
- Removed redundant print of 'alloc_state' for pr_err in kasan_slab_free.
Changes in v4:
- Makes use of shadow m
r in kasan_slab_free().
- change allocation size for double-free tests to 100.
v4 link: https://lkml.org/lkml/2016/5/29/62
Patchset is based on linux-next 'next-20160607'.
Kuthonuzo Luruo (2):
mm, kasan: improve double-free detection
kasan: add double-free tests
include/linux/kasan.
This patch adds new tests for KASAN double-free error detection when the
same slab object is concurrently deallocated.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v4:
- There are *no* changes for v4.
Changes in v3:
- concurrent double-free test simplified to use on_each_cpu_mask() instead
ly attempt to free
the same object.
- Tested with new double-free tests for 'test_kasan' in accompanying patch.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v4:
- Makes use of shadow memory in v3 further by storing lock bit in shadow
byte for object header solving the issue of O
rites on header.
v3 link: https://lkml.org/lkml/2016/5/24/577
Patchset is based on linux-next 'next-20160527'.
Kuthonuzo Luruo (2):
mm, kasan: improve double-free detection
kasan: add double-free tests
include/linux/kasan.h | 7 ++-
lib/test_kasan.c | 47 +
ly attempt to free
the same object.
- Tested with new double-free tests for 'test_kasan' in accompanying patch.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v3:
- simplified kasan_meta_lock()/unlock() to use generic bit spinlock apis;
kasan_alloc_meta structure modified accordi
This patch adds new tests for KASAN double-free error detection when the
same slab object is concurrently deallocated.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v3:
- concurrent double-free test simplified to use on_each_cpu_mask() instead
of custom threads.
- reduced #threads and removed
Patchset is based on linux-next 'next-20160524'.
Thanks,
Kuthonuzo
Kuthonuzo Luruo (2):
mm, kasan: improve double-free detection
kasan: add double-free tests
include/linux/kasan.h | 7 +++-
lib/test_kasan.c | 47 ++
This patch adds a new 'test_kasan' test for KASAN double-free error
detection when the same slab object is concurrently deallocated.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v2:
- This patch is new for v2.
---
lib/test_kasa
'test_kasan' kasan_double_free() test in accompanying
patch.
Signed-off-by: Kuthonuzo Luruo
---
Changes in v2:
- Incorporated suggestions from Dmitry Vyukov. New per-object metadata
lock/unlock functions; kasan_alloc_meta modified to add new state while
using fewer bits overall.
- Double-fre
: improve KASAN
double-free detection". v1 link: https://lkml.org/lkml/2016/5/2/147
SLAB maintainers added to "To:" because of change in mm/slab.c.
Kuthonuzo Luruo (2):
mm, kasan: improve double-free detection
kasan: add kasan_double_free() test
include/linux/kasan.h | 8 +++
Hi Alexander/Andrey/Dmitry,
For your consideration/review. Thanks!
Kuthonuzo Luruo
Currently, KASAN may fail to detect concurrent deallocations of the same
object due to a race in kasan_slab_free(). This patch makes double-free
detection more reliable by atomically setting allocation state for
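The race this cover letter describes, and the atomic state transition it proposes as the fix, as an added example rather than the series' own code (mm/kasan is not reproduced here; the state names, object_meta and the simulate helpers are assumptions for this illustration). It models the v1 idea of atomically setting the allocation state; the per-object lock that later versions of the series use is not modelled. The racy free is split into the check and the commit it really consists of, so a scheduler can interleave them the way two CPUs would.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Per-object allocation state, modelled on what KASAN keeps in its per-object
 * metadata. Names are assumed for this example; this is not mm/kasan code. */
enum kasan_state { KASAN_STATE_FREE = 0, KASAN_STATE_ALLOC, KASAN_STATE_QUARANTINE };

struct object_meta { atomic_int state; };

/* Racy free, step 1: is the object currently allocated? */
static bool racy_free_check(struct object_meta *m)
{
	return atomic_load(&m->state) == KASAN_STATE_ALLOC;
}

/* Racy free, step 2: record that it is now freed. Nothing stops two CPUs from
 * both passing step 1 before either of them reaches step 2. */
static void racy_free_commit(struct object_meta *m)
{
	atomic_store(&m->state, KASAN_STATE_QUARANTINE);
}

/* Fixed free: check and state change are one compare-and-swap, so exactly one
 * concurrent caller wins and every other caller observes a state != ALLOC. */
static bool atomic_free(struct object_meta *m)
{
	int expected = KASAN_STATE_ALLOC;
	return atomic_compare_exchange_strong(&m->state, &expected, KASAN_STATE_QUARANTINE);
}

struct sim_result {
	int undetected; /* frees that completed with no double-free report */
	int reported;   /* frees that would have called kasan_report() */
};

#define MAX_CPUS 64

/* Simulate `ncpus` CPUs freeing the same object at once. For the racy variant the
 * scheduler picks the worst-case interleaving: every CPU runs its check before
 * any CPU commits, which is exactly the window the real race leaves open. */
static struct sim_result simulate(bool use_atomic, int ncpus)
{
	struct object_meta m;
	struct sim_result r = { 0, 0 };
	bool passed[MAX_CPUS] = { false };

	if (ncpus > MAX_CPUS)
		ncpus = MAX_CPUS;
	atomic_init(&m.state, KASAN_STATE_ALLOC);

	if (use_atomic) {
		for (int cpu = 0; cpu < ncpus; cpu++) {
			if (atomic_free(&m))
				r.undetected++;
			else
				r.reported++;
		}
		return r;
	}
	for (int cpu = 0; cpu < ncpus; cpu++)
		passed[cpu] = racy_free_check(&m);   /* every CPU still sees ALLOC */
	for (int cpu = 0; cpu < ncpus; cpu++) {
		if (passed[cpu]) {
			racy_free_commit(&m);
			r.undetected++;                  /* the extra frees go unreported */
		} else {
			r.reported++;
		}
	}
	return r;
}

static int undetected_frees(bool use_atomic, int ncpus) { return simulate(use_atomic, ncpus).undetected; }
static int reported_frees(bool use_atomic, int ncpus) { return simulate(use_atomic, ncpus).reported; }

/* Two frees one after the other: both variants catch this. The race only matters
 * when the check and the commit of different CPUs interleave. */
static int sequential_double_free_reports(bool use_atomic)
{
	struct object_meta m;
	int reports = 0;

	atomic_init(&m.state, KASAN_STATE_ALLOC);
	for (int i = 0; i < 2; i++) {
		bool ok = use_atomic ? atomic_free(&m) : racy_free_check(&m);
		if (!use_atomic && ok)
			racy_free_commit(&m);
		if (!ok)
			reports++;
	}
	return reports;
}

int main(void)
{
	printf("racy,   2 CPUs: %d undetected, %d reported\n", undetected_frees(false, 2), reported_frees(false, 2));
	printf("atomic, 2 CPUs: %d undetected, %d reported\n", undetected_frees(true, 2), reported_frees(true, 2));
	printf("sequential double free: racy reports %d, atomic reports %d\n",
	       sequential_double_free_reports(false), sequential_double_free_reports(true));
	return 0;
}
```

The simulation forces the bad interleaving deterministically; on real hardware it is hit only some of the time, which is why the bug shows up as a missed report rather than a crash and why the accompanying test frees the same object from several CPUs at once (on_each_cpu_mask) rather than twice from one. With the compare-and-swap, one free succeeds and every other one is reported, regardless of how many CPUs race.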