From: Marco Elver
Date: Wed, 15 Apr 2020 20:07:57 +0200
Subject: Re: [PATCH] slub: Avoid redzone when choosing freepointer location
To: Kees Cook
Cc: Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Linux Memory Management List, LKML
In-Reply-To: <202004151054.BD695840@keescook>
References: <202004151054.BD695840@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 15 Apr 2020 at 19:55, Kees Cook wrote:
>
> Marco Elver reported system crashes when booting with "slub_debug=Z".
> The freepointer location (s->offset) was not taking into account that
> the "inuse" size that includes the redzone area should not be used by
> the freelist pointer. Change the calculation to save the area of the
> object that an inline freepointer may be written into.
>
> Reported-by: Marco Elver
> Link: https://lore.kernel.org/linux-mm/20200415164726.GA234932@google.com
> Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
> Signed-off-by: Kees Cook Works for me, thank you! Tested-by: Marco Elver > --- > mm/slub.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > > diff --git a/mm/slub.c b/mm/slub.c > index 332d4b459a90..9bf44955c4f1 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -3533,6 +3533,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > { > slab_flags_t flags = s->flags; > unsigned int size = s->object_size; > + unsigned int freepointer_area; > unsigned int order; > > /* > @@ -3541,6 +3542,13 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > * the possible location of the free pointer. > */ > size = ALIGN(size, sizeof(void *)); > + /* > + * This is the area of the object where a freepointer can be > + * safely written. If redzoning adds more to the inuse size, we > + * can't use that portion for writing the freepointer, so > + * s->offset must be limited within this for the general case. > + */ > + freepointer_area = size; > > #ifdef CONFIG_SLUB_DEBUG > /* > @@ -3582,13 +3590,13 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) > */ > s->offset = size; > size += sizeof(void *); > - } else if (size > sizeof(void *)) { > + } else if (freepointer_area > sizeof(void *)) { > /* > * Store freelist pointer near middle of object to keep > * it away from the edges of the object to avoid small > * sized over/underflows from neighboring allocations. > */ > - s->offset = ALIGN(size / 2, sizeof(void *)); > + s->offset = ALIGN(freepointer_area / 2, sizeof(void *)); > } > > #ifdef CONFIG_SLUB_DEBUG > -- > 2.20.1 > > > -- > Kees Cook
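Review bot: `freepointer_area = size;` in the second hunk is only correct because of where it sits, immediately after `size = ALIGN(size, sizeof(void *));` and before the `#ifdef CONFIG_SLUB_DEBUG` block in which redzoning grows `size`; the new comment explains why the value is needed but not this ordering constraint, so consider adding a sentence such as "must be taken before any debug-only growth of size below" so a later reshuffle of calculate_sizes() does not silently reintroduce the bug.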
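Review bot: in the third hunk, `s->offset = ALIGN(freepointer_area / 2, sizeof(void *));` keeps the pointer inside the object only because `freepointer_area` is already a multiple of `sizeof(void *)` (from the `ALIGN()` two hunks up) and the guard `freepointer_area > sizeof(void *)` excludes the single-word case; together they give `s->offset + sizeof(void *) <= freepointer_area`, which is the invariant that keeps the freepointer out of the redzone. Stating that invariant in the comment, or checking it once with a `WARN_ON()` at cache creation, would make the dependency explicit for the next person touching this branch.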
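As an added illustration of the offset calculation described in the commit message (written for this reply, not code from the patch or the kernel), the following C model compares the old basis (the redzoned size) with the patched basis (`freepointer_area`). It assumes that `slub_debug=Z` appends one redzone word only when the word-aligned size equals `object_size`, and that the cache has no ctor, poisoning or RCU, so only the "middle of object" branch applies.

```c
#include <stdio.h>
#include <stddef.h>

/* Model of the s->offset computation in calculate_sizes() (mm/slub.c),
 * written for this reply rather than taken from the kernel. Assumed:
 * slub_debug=Z appends one redzone word when the word-aligned size equals
 * object_size, and the cache has no ctor/poison/RCU. */

#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Where the inline freelist pointer is placed. fixed == 0 uses the old
 * basis (the redzoned size); fixed == 1 uses freepointer_area. */
static size_t freepointer_offset(size_t object_size, int redzone, int fixed)
{
    size_t size = ALIGN_UP(object_size, sizeof(void *));
    size_t freepointer_area = size;  /* captured before redzoning grows size */

    if (redzone && size == object_size)
        size += sizeof(void *);      /* redzone word after the object */

    size_t basis = fixed ? freepointer_area : size;
    if (basis > sizeof(void *))
        return ALIGN_UP(basis / 2, sizeof(void *));
    return 0;                        /* pointer overlays start of object */
}

/* True if the freepointer word extends past the aligned object into the
 * redzone word, which the redzone check later reports as corruption. */
static int freepointer_hits_redzone(size_t object_size, int fixed)
{
    size_t off = freepointer_offset(object_size, 1, fixed);
    return off + sizeof(void *) > ALIGN_UP(object_size, sizeof(void *));
}

/* Number of word-multiple object sizes up to max whose freepointer lands
 * in the redzone under the given formula. */
static int redzone_collisions(size_t max, int fixed)
{
    int n = 0;
    for (size_t sz = sizeof(void *); sz <= max; sz += sizeof(void *))
        n += freepointer_hits_redzone(sz, fixed);
    return n;
}

int main(void)
{
    printf("collisions up to 4096 bytes: old %d, new %d\n",
           redzone_collisions(4096, 0), redzone_collisions(4096, 1));
    return 0;
}
```

With the old basis, the one- and two-word object sizes put the freepointer on top of the redzone word, which matches the `-Z` boot crash in the report; the patched basis produces no collision for any size.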