From: Andrey Konovalov andreyknvl@gmail.com
[ Upstream commit f16de0bcdb55bf18e2533ca625f3e4b4952f254c ]
kasan_rcu_uaf() writes to freed memory via kasan_rcu_reclaim(), which is only safe with the GENERIC mode (as it uses quarantine). For other modes, this test corrupts kernel memory, which might result in a crash.
Turn the write into a read.
Link: https://lkml.kernel.org/r/b6f2c3bf712d2457c783fa59498225b66a634f62.162877980...
Signed-off-by: Andrey Konovalov andreyknvl@gmail.com
Reviewed-by: Marco Elver elver@google.com
Cc: Alexander Potapenko glider@google.com
Cc: Andrey Ryabinin aryabinin@virtuozzo.com
Cc: Dmitry Vyukov dvyukov@google.com
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
 lib/test_kasan_module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/test_kasan_module.c b/lib/test_kasan_module.c index 2d68db6ae67b..1c6e06136f78 100644 --- a/lib/test_kasan_module.c +++ b/lib/test_kasan_module.c @@ -73,7 +73,7 @@ static noinline void __init kasan_rcu_reclaim(struct rcu_head *rp) struct kasan_rcu_info, rcu);
kfree(fp); - fp->i = 1; + ((volatile struct kasan_rcu_info *)fp)->i; }
static noinline void __init kasan_rcu_uaf(void)
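Review bot: the replacement line in kasan_rcu_reclaim(), `((volatile struct kasan_rcu_info *)fp)->i;`, carries no comment explaining why a bare volatile read now stands where the write `fp->i = 1;` used to be, and a reader of this function will not see the commit message; a one-line comment at that spot (e.g. `/* Read, not write: a write here corrupts freed memory in non-GENERIC modes. */`) would keep the rationale with the code. It is also worth noting in that comment that the `volatile` cast is load-bearing, not cosmetic: without it the compiler may drop a load whose result is unused, and the test depends on the access to the just-kfree()d `fp` actually being emitted so that KASAN reports the use-after-free.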