This is an automated email from the ASF dual-hosted git repository. acassis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit aead1981a71ebbd368baa3e67b9e1e1469580d45
Author: wangmingrong1 <wangmingro...@xiaomi.com>
AuthorDate: Thu Jun 19 15:56:18 2025 +0800
kasan: Potential recursive registration shadow area error
When initializing a memory block, the shadow area record of the first memory block is used first.When uninitializing, unpoison is required, otherwise the memory will be marked incorrectly.
The following case will cause problems:
void *mem = malloc(1024);
struct mm_heap_s *a = mm_initialize("hello", mem, 1024);
int *b = mm_malloc(a, sizeof(int *));
*b = 100;
printf("Hello, World!! %d\n", *b);
mm_free(a, b);
mm_uninitialize(a);
free(mem);
Signed-off-by: wangmingrong1 <wangmingro...@xiaomi.com>
---
 mm/kasan/generic.c | 5 ++++-
 mm/kasan/sw_tags.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
index 1a736d28be..dfd62a61f5 100644
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@@ -268,10 +268,13 @@ void kasan_unregister(FAR void *addr)
 {
 if (g_region[i]->begin == (uintptr_t)addr)
 {
+ size_t size = g_region[i]->end - g_region[i]->begin;
 g_region_count--;
 memmove(&g_region[i], &g_region[i + 1],
 (g_region_count - i) * sizeof(g_region[0]));
- break;
+ spin_unlock_irqrestore(&g_lock, flags);
+ kasan_unpoison(addr, size);
+ return;
 }
 }
diff --git a/mm/kasan/sw_tags.c b/mm/kasan/sw_tags.c
index 8bfaa821a4..2df66485c1 100644
--- a/mm/kasan/sw_tags.c
+++ b/mm/kasan/sw_tags.c
@@ -217,10 +217,13 @@ void kasan_unregister(FAR void *addr)
 {
 if (g_region[i]->begin == (uintptr_t)addr)
 {
+ size_t size = g_region[i]->end - g_region[i]->begin;
 g_region_count--;
 memmove(&g_region[i], &g_region[i + 1],
 (g_region_count - i) * sizeof(g_region[0]));
- break;
+ spin_unlock_irqrestore(&g_lock, flags);
+ kasan_unpoison(addr, size);
+ return;
 }
 }
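Review bot: In `kasan_unregister` (mm/kasan/generic.c), `kasan_unpoison(addr, size)` runs after the entry has been removed from `g_region` and the lock released, so it can only take effect through another region that still covers `addr`. That fits the nested-heap case in the commit message, but for a region with no enclosing registration the call presumably finds nothing, so it is worth confirming that `kasan_unpoison` returns quietly on a lookup miss rather than asserting or touching an unrelated shadow. A short comment would help the next reader, e.g. `/* Read the size before memmove() overwrites g_region[i]; unpoison through the enclosing region once unlocked */`. The function starts and ends outside the hunk, so the unlock path for the not-found case is not visible here.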
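Review bot: The result of `kasan_unpoison(addr, size)` is discarded in the sw_tags variant of `kasan_unregister`, which matters if unpoisoning in this file writes a tag into the shadow. Should it pick a fresh tag for the range and hand back a re-tagged pointer (not visible in this hunk), the pointer the caller still holds for `mem` would no longer match the shadow, and the later `free(mem)` from the commit's example could raise a false report. Confirm that the tag left on the range is the one carried by `addr`, or restore that tag explicitly. The rest of the function lies outside the hunk.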