[Devel] [PATCH RHEL9 COMMIT] mm/kmemleak: Fix use of uninitialized pointer in percpu object creation
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jul 12 18:32:43 MSK 2024
The commit is pushed to "branch-rh9-5.14.0-427.22.1.vz9.62.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-427.22.1.vz9.62.2
------>
commit ffb512bc0e698321c23d49590981ae37bb06b5cd
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Fri Jul 12 15:00:00 2024 +0800
mm/kmemleak: Fix use of uninitialized pointer in percpu object creation
After ms commit ad1a3e15fcd3b ("kmemleak: fix kmemleak false positive
report with HW tag-based kasan enable") [1], the untagged_ptr is also
used in the rbtree search loop; the patch [2] was not correctly updated in
the rebase, so untagged_ptr is used uninitialized in the percpu case.
Fix it by always setting untagged_ptr. Also, while at it, use
untagged_ptr for min/max_percpu_addr.
https://virtuozzo.atlassian.net/browse/PSBM-156004
Fixes: c9438a892d597 ("mm/kmemleak: Add support for percpu memory leak detect") [2]
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
mm/kmemleak.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d1a5d27e5269..8e5f957ba71e 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -685,11 +685,11 @@ static void __create_object(unsigned long ptr, size_t size,
raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr);
if (object->flags & OBJECT_PERCPU) {
- min_percpu_addr = min(min_percpu_addr, ptr);
- max_percpu_addr = max(max_percpu_addr, ptr + size);
+ min_percpu_addr = min(min_percpu_addr, untagged_ptr);
+ max_percpu_addr = max(max_percpu_addr, untagged_ptr + size);
} else {
- untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr);
/*
* Only update min_addr and max_addr with object
* storing virtual address.
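Review bot: the hoisted `untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr);` now sits inside the `raw_spin_lock_irqsave(&kmemleak_lock, flags)` critical section although it is a pure computation on `ptr`; consider moving it above the lock call so the assignment is visibly unconditional and the locked region stays minimal. The change itself is sound: with the assignment in the `else` branch only, the `OBJECT_PERCPU` path left `untagged_ptr` undefined for any later use in this function, and switching `min_percpu_addr`/`max_percpu_addr` to the untagged value keeps the range consistent with the untagged comparison introduced in `add_pointer_to_gray_list` below.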
@@ -1342,11 +1342,11 @@ static void add_pointer_to_gray_list(struct kmemleak_object *scanned, unsigned l
unsigned long untagged_ptr;
unsigned long excess_ref;
+ untagged_ptr = (unsigned long)kasan_reset_tag((void *)pointer);
if (pcpu) {
- if (pointer < min_percpu_addr || pointer >= max_percpu_addr)
+ if (untagged_ptr < min_percpu_addr || untagged_ptr >= max_percpu_addr)
return;
} else {
- untagged_ptr = (unsigned long)kasan_reset_tag((void *)pointer);
if (untagged_ptr < min_addr || untagged_ptr >= max_addr)
return;
}
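Review bot: this hunk is what makes the range change in `__create_object` safe; if `min_percpu_addr`/`max_percpu_addr` were recorded untagged but `pointer` compared tagged here, a tagged pcpu pointer could fall outside the range and the `return` would silently drop a reachable object from the gray list, producing false leak reports. Since `untagged_ptr` is now computed once before the `if (pcpu)` branch, a short comment above the assignment noting that both range checks must use the untagged address would help prevent a future rebase from re-introducing the branch-local assignment.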