arm: print alloc free paths for address in registers

In case of a use after free kernel oops, the freeing path of the object
is required to debug futher. In most of cases the object address is
present in one of the registers.

Thus check the register's address and if it belongs to slab, print its
alloc and free path.

e.g. in the below issue register r6 belongs to slab, and a use after
free issue occurred on one of its dereferenced values:

Unable to handle kernel paging request at virtual address 6b6b6b6f
....
pc : [<c0538afc>] lr : [<c0465674>] psr: 60000013
sp : c8927d40 ip : ffffefff fp : c8aa8020
r10: c8927e10 r9 : 00000001 r8 : 00400cc0
r7 : 00000000 r6 : c8ab0180 r5 : c1804a80 r4 : c8aa8008
r3 : c1a5661c r2 : 00000000 r1 : 6b6b6b6b r0 : c139bf48
.....
Register r6 information: slab kmalloc-64 start c8ab0140 data offset 64 pointer offset 0 size 64 allocated at meminfo_proc_show+0x40/0x4fc
meminfo_proc_show+0x40/0x4fc
seq_read_iter+0x18c/0x4c4
proc_reg_read_iter+0x84/0xac
generic_file_splice_read+0xe8/0x17c
splice_direct_to_actor+0xb8/0x290
do_splice_direct+0xa0/0xe0
do_sendfile+0x2d0/0x438
sys_sendfile64+0x12c/0x140
ret_fast_syscall+0x0/0x58
0xbeeacde4
Free path:
meminfo_proc_show+0x5c/0x4fc
seq_read_iter+0x18c/0x4c4
proc_reg_read_iter+0x84/0xac
generic_file_splice_read+0xe8/0x17c
splice_direct_to_actor+0xb8/0x290
do_splice_direct+0xa0/0xe0
do_sendfile+0x2d0/0x438
sys_sendfile64+0x12c/0x140
ret_fast_syscall+0x0/0x58
0xbeeacde4

Link: https://lkml.kernel.org/r/1615891032-29160-3-git-send-email-maninder1.s@samsung.com
Co-developed-by: Vaneet Narang <v.narang@samsung.com>
Signed-off-by: Vaneet Narang <v.narang@samsung.com>
Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Paul E. McKenney <paulmck@kernel.org>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Maninder Singh and committed by

Linus Torvalds 5 years ago 5aa6b70e f7c8ce44

+13

3 changed files

expand all

arch

arm

include

asm

bug.h

kernel

process.c

traps.c

arch/arm/include/asm/bug.h

··· 88 88 struct mm_struct; 89 89 void show_pte(const char *lvl, struct mm_struct *mm, unsigned long addr); 90 90 extern void __show_regs(struct pt_regs *); 91 + extern void __show_regs_alloc_free(struct pt_regs *regs); 91 92 92 93 #endif

+11

arch/arm/kernel/process.c

··· 92 92 ledtrig_cpu(CPU_LED_IDLE_END); 93 93 } 94 94 95 + void __show_regs_alloc_free(struct pt_regs *regs) 96 + { 97 + int i; 98 + 99 + /* check for r0 - r12 only */ 100 + for (i = 0; i < 13; i++) { 101 + pr_alert("Register r%d information:", i); 102 + mem_dump_obj((void *)regs->uregs[i]); 103 + } 104 + } 105 + 95 106 void __show_regs(struct pt_regs *regs) 96 107 { 97 108 unsigned long flags;

arch/arm/kernel/traps.c

··· 287 287 288 288 print_modules(); 289 289 __show_regs(regs); 290 + __show_regs_alloc_free(regs); 290 291 pr_emerg("Process %.*s (pid: %d, stack limit = 0x%p)\n", 291 292 TASK_COMM_LEN, tsk->comm, task_pid_nr(tsk), end_of_stack(tsk)); 292 293

Configure Feed

Configure Feed