From aead1981a71ebbd368baa3e67b9e1e1469580d45 Mon Sep 17 00:00:00 2001
From: wangmingrong1
Date: Thu, 19 Jun 2025 15:56:18 +0800
Subject: [PATCH] kasan: Potential recursive registration shadow area error

When initializing a memory block, the shadow area record of the first memory block is used first.When uninitializing, unpoison is required, otherwise the memory will be marked incorrectly. The following case will cause problems: void *mem = malloc(1024); struct mm_heap_s *a = mm_initialize("hello", mem, 1024); int *b = mm_malloc(a, sizeof(int *)); *b = 100; printf("Hello, World!! %d\n", *b); mm_free(a, b); mm_uninitialize(a); free(mem);

Signed-off-by: wangmingrong1
---
 mm/kasan/generic.c | 5 ++++-
 mm/kasan/sw_tags.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
index 1a736d28be..dfd62a61f5 100644
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@@ -268,10 +268,13 @@ void kasan_unregister(FAR void *addr)
 {
 if (g_region[i]->begin == (uintptr_t)addr)
 {
+ size_t size = g_region[i]->end - g_region[i]->begin;
 g_region_count--;
 memmove(&g_region[i], &g_region[i + 1], (g_region_count - i) * sizeof(g_region[0]));
- break;
+ spin_unlock_irqrestore(&g_lock, flags);
+ kasan_unpoison(addr, size);
+ return;
 }
 }
diff --git a/mm/kasan/sw_tags.c b/mm/kasan/sw_tags.c
index 8bfaa821a4..2df66485c1 100644
--- a/mm/kasan/sw_tags.c
+++ b/mm/kasan/sw_tags.c
@@ -217,10 +217,13 @@ void kasan_unregister(FAR void *addr)
 {
 if (g_region[i]->begin == (uintptr_t)addr)
 {
+ size_t size = g_region[i]->end - g_region[i]->begin;
 g_region_count--;
 memmove(&g_region[i], &g_region[i + 1], (g_region_count - i) * sizeof(g_region[0]));
- break;
+ spin_unlock_irqrestore(&g_lock, flags);
+ kasan_unpoison(addr, size);
+ return;
 }
 }
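Review bot: The added `kasan_unpoison(addr, size)` runs only after the entry has already been removed from `g_region` and `g_lock` has been dropped, so if the shadow lookup resolves `addr` through `g_region` (not visible here) the call may find no matching region and silently do nothing, leaving the stale poison the commit is trying to clear; unpoisoning before the `memmove`, while still holding the lock if `kasan_unpoison` does not itself take `g_lock`, would avoid that and is worth confirming with the reproducer from the description. Releasing the lock before the unpoison also opens a window in which another CPU can re-register the same block and then have its freshly set shadow state overwritten by this late unpoison — inferred, since `kasan_register` is outside the hunk. On style, the branch now duplicates the unlock that presumably follows the loop (the function body continues past the hunk), and `return` from inside the loop hides that second exit; recording the size and keeping `break` leaves a single exit path: `size_t size = 0;` before the loop, `size = g_region[i]->end - g_region[i]->begin;` in the branch with `break;` retained, and `if (size) kasan_unpoison(addr, size);` after the existing unlock. The same applies to the identical hunk in mm/kasan/sw_tags.c.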