Date: Thu, 7 Nov 2019 12:44:54 -0800 (PST)
From: David Rientjes
To: Laura Abbott
cc: Alexander Potapenko, Andrew Morton, netdev@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "David S. Miller", Kees Cook, clipos@ssi.gouv.fr, Vlastimil Babka, Thibaut Sautereau
Subject: Re: [PATCH] mm: slub: Really fix slab walking for init_on_free
In-Reply-To: <20191106222208.26815-1-labbott@redhat.com>

On Wed, 6 Nov 2019, Laura Abbott wrote:

> Commit 1b7e816fc80e ("mm: slub: Fix slab walking for init_on_free")
> fixed one problem with the slab walking but missed a key detail:
> When walking the list, the head and tail pointers need to be updated
> since we end up reversing the list as a result. Without doing this,
> bulk free is broken. One way this is exposed is a NULL pointer with
> slub_debug=F:
>
> =============================================================================
> BUG skbuff_head_cache (Tainted: G T): Object already free
> -----------------------------------------------------------------------------
>
> INFO: Slab 0x000000000d2d2f8f objects=16 used=3 fp=0x0000000064309071 flags=0x3fff00000000201
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B T 5.3.8 #1
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> RIP: 0010:print_trailer+0x70/0x1d5
> Code: 28 4d 8b 4d 00 4d 8b 45 20 81 e2 ff 7f 00 00 e8 86 ce ef ff 8b 4b 20 48 89 ea 48 89 ee 4c 29 e2 48 c7 c7 90 6f d4 89 48 01 e9 <48> 33 09 48 33 8b 70 01 00 00 e8 61 ce ef ff f6 43 09 04 74 35 8b
> RSP: 0018:ffffbf7680003d58 EFLAGS: 00010046
> RAX: 000000000000005d RBX: ffffa3d2bb08e540 RCX: 0000000000000000
> RDX: 00005c2d8fdc2000 RSI: 0000000000000000 RDI: ffffffff89d46f90
> RBP: 0000000000000000 R08: 0000000000000242 R09: 000000000000006c
> R10: 0000000000000000 R11: 0000000000000030 R12: ffffa3d27023e000
> R13: fffff11080c08f80 R14: ffffa3d2bb047a80 R15: 0000000000000002
> FS: 0000000000000000(0000) GS:ffffa3d2be400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 000000007a6c4000 CR4: 00000000000006f0
> Call Trace:
>
> free_debug_processing.cold.37+0xc9/0x149
> ? __kfree_skb_flush+0x30/0x40
> ? __kfree_skb_flush+0x30/0x40
> __slab_free+0x22a/0x3d0
> ? tcp_wfree+0x2a/0x140
> ? __sock_wfree+0x1b/0x30
> kmem_cache_free_bulk+0x415/0x420
> ? __kfree_skb_flush+0x30/0x40
> __kfree_skb_flush+0x30/0x40
> net_rx_action+0x2dd/0x480
> __do_softirq+0xf0/0x246
> irq_exit+0x93/0xb0
> do_IRQ+0xa0/0x110
> common_interrupt+0xf/0xf
>
>
> Given we're now almost identical to the existing debugging
> code which correctly walks the list, combine with that.
>
> Link: https://lkml.kernel.org/r/20191104170303.GA50361@gandi.net
> Reported-by: Thibaut Sautereau
> Fixes: 1b7e816fc80e ("mm: slub: Fix slab walking for init_on_free")
> Signed-off-by: Laura Abbott

Acked-by: David Rientjes
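
The head/tail problem described in the quoted commit message, as an added userspace C model (not kernel code, and not part of the patch or this thread). `struct obj`, `wipe_and_relink` and `bulk_free_reachable` are hypothetical names, and the splice step assumes bulk free links the tail to the existing freelist and starts the list at head.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model: a free object keeps its "next" link in its first bytes,
 * and bulk free hands over a detached chain head..tail. */
struct obj { struct obj *next; char payload[24]; };

/* Walk head..tail, zero each object and relink it. Pushing each wiped
 * object onto the front of a new chain reverses the order. With
 * update_ends == 0 the caller's head/tail stay stale (the broken case). */
static void wipe_and_relink(struct obj **head, struct obj **tail, int update_ends)
{
    struct obj *old_tail = *tail, *next = *head, *o;
    struct obj *new_head = NULL, *new_tail = NULL;

    do {
        o = next;
        next = o->next;            /* read the link before wiping it */
        memset(o, 0, sizeof(*o));  /* init_on_free-style zeroing */
        o->next = new_head;        /* push front: reverses the chain */
        new_head = o;
        if (!new_tail)
            new_tail = o;          /* first object walked ends up last */
    } while (o != old_tail);
    if (update_ends) {
        *head = new_head;
        *tail = new_tail;
    }
}

/* Free n (1..8) objects in bulk: splice head..tail in front of one object
 * that is already free, then count what the freelist can reach. */
static int bulk_free_reachable(int n, int update_ends)
{
    struct obj objs[8], already_free = { NULL, {0} };
    struct obj *head = &objs[0], *tail = &objs[n - 1], *p;
    int i, count = 0;

    for (i = 0; i < n; i++)
        objs[i].next = (i + 1 < n) ? &objs[i + 1] : NULL;
    wipe_and_relink(&head, &tail, update_ends);
    tail->next = &already_free;    /* splice: tail -> existing freelist */
    for (p = head; p != NULL; p = p->next)
        count++;
    return count;
}

int main(void)
{
    printf("stale ends: %d reachable, updated ends: %d reachable\n",
           bulk_free_reachable(4, 0), bulk_free_reachable(4, 1));
    return 0;
}
```

With stale ends, the old head is now the last object in the reversed chain and the splice overwrites the old tail's link, so the freelist reaches a single object instead of the four freed plus the one already free.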