Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
References: <20190701173042.221453-1-henryburns@google.com>
 <CAMJBoFPbRcdZ+NnX17OQ-sOcCwe+ZAsxcDJoR0KDkgBY9WXvpg@mail.gmail.com> <CAGQXPTjX=7aD9MQAs2kJthFvPdd3x8Nh53oc=wZCXH_dvDJ=Vg@mail.gmail.com>
In-Reply-To: <CAGQXPTjX=7aD9MQAs2kJthFvPdd3x8Nh53oc=wZCXH_dvDJ=Vg@mail.gmail.com>
From:   Vitaly Wool <vitalywool@gmail.com>
Date:   Wed, 3 Jul 2019 08:02:31 +0200
Message-ID: <CAMJBoFMBLv9OpXtQkOAyZ-vw5Ktk1tYtvfT=GPPx8jnKBN01rg@mail.gmail.com>
Subject: Re: [PATCH] mm/z3fold: Fix z3fold_buddy_slots use after free
To:     Henry Burns <henryburns@google.com>
Cc:     Andrew Morton <akpm@linux-foundation.org>,
        Vitaly Vul <vitaly.vul@sony.com>,
        Mike Rapoport <rppt@linux.vnet.ibm.com>,
        Xidong Wang <wangxidong_97@163.com>,
        Shakeel Butt <shakeelb@google.com>,
        Jonathan Adams <jwadams@google.com>,
        Linux-MM <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Tue, Jul 2, 2019 at 6:57 PM Henry Burns <henryburns@google.com> wrote:
>
> On Tue, Jul 2, 2019 at 12:45 AM Vitaly Wool <vitalywool@gmail.com> wrote:
> >
> > Hi Henry,
> >
> > On Mon, Jul 1, 2019 at 8:31 PM Henry Burns <henryburns@google.com> wrote:
> > >
> > > Running z3fold stress testing with address sanitization
> > > showed zhdr->slots was being used after it was freed.
> > >
> > > z3fold_free(z3fold_pool, handle)
> > >   free_handle(handle)
> > >     kmem_cache_free(pool->c_handle, zhdr->slots)
> > >   release_z3fold_page_locked_list(kref)
> > >     __release_z3fold_page(zhdr, true)
> > >       zhdr_to_pool(zhdr)
> > >         slots_to_pool(zhdr->slots)  *BOOM*
> >
> > Thanks for looking into this. I'm not entirely sure I'm all for
> > splitting free_handle() but let me think about it.
> >
> > > Instead we split free_handle into two functions, release_handle()
> > > and free_slots(). We use release_handle() in place of free_handle(),
> > > and use free_slots() to call kmem_cache_free() after
> > > __release_z3fold_page() is done.
> >
> > A little less intrusive solution would be to move backlink to pool
> > from slots back to z3fold_header. Looks like it was a bad idea from
> > the start.
> >
> > Best regards,
> >    Vitaly
>
> We still want z3fold pages to be movable though. Wouldn't moving
> the backink to the pool from slots to z3fold_header prevent us from
> enabling migration?

That is a valid point but we can just add back pool pointer to
z3fold_header. The thing here is, there's another patch in the
pipeline that allows for a better (inter-page) compaction and it will
somewhat complicate things, because sometimes slots will have to be
released after z3fold page is released (because they will hold a
handle to another z3fold page). I would prefer that we just added back
pool to z3fold_header and changed zhdr_to_pool to just return
zhdr->pool, then had the compaction patch valid again, and then we
could come back to size optimization.

Best regards,
   Vitaly