From 5a18a6da18a11684fe94315b256d79b8f995d862 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko <glider@google.com>
Date: Sat, 22 May 2021 17:41:56 -0700
Subject: [PATCH] UPSTREAM: kasan: slab: always reset the tag in
 get_freepointer_safe()

With CONFIG_DEBUG_PAGEALLOC enabled, the kernel should also untag the
object pointer, as done in get_freepointer().

Failing to do so reportedly leads to SLUB freelist corruptions that
manifest as boot-time crashes.

Link: https://lkml.kernel.org/r/20210514072228.534418-1-glider@google.com
Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Elliot Berman <eberman@codeaurora.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Bug: 181230759
Test: run on QEMU with CONFIG_DEBUG_PAGEALLOC
(cherry picked from commit f70b00496f2a0669fdb19a783e613bdbdedcf901)
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: Ifb512c0241465d8035d55a161bcc304d5b2287d5
---
 mm/slub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/slub.c b/mm/slub.c
index 5b64953ae7b3..3b1a50ae8273 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -278,6 +278,7 @@ static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
 	if (!debug_pagealloc_enabled_static())
 		return get_freepointer(s, object);
 
+	object = kasan_reset_tag(object);
 	freepointer_addr = (unsigned long)object + s->offset;
 	copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p));
 	return freelist_ptr(s, p, freepointer_addr);