Date: Mon, 27 Apr 2020 16:10:31 +0000 (UTC)
From: Christopher Lameter
To: Waiman Long
Cc: Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Kees Cook, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Changbin Du, Matthew Wilcox
Subject: Re: [PATCH v2] mm/slub: Fix incorrect interpretation of s->offset
In-Reply-To: <20200427140822.18619-1-longman@redhat.com>

On Mon, 27 Apr 2020, Waiman Long wrote:

>
> To fix it, use the check "s->offset == s->inuse" in the new helper
> function freeptr_after_object() instead. Also add another helper function
> get_info_end() to return the end of info block (inuse + free pointer
> if not overlapping with object).
>
> Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
> Signed-off-by: Waiman Long
> ---
> mm/slub.c | 37 ++++++++++++++++++++++---------------
> 1 file changed, 22 insertions(+), 15 deletions(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 0e736d66bb42..68f1b4b1c309 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -551,15 +551,29 @@ static void print_section(char *level, char *text, u8 *addr,
> metadata_access_disable();
> }
>
> +static inline bool freeptr_after_object(struct kmem_cache *s)

bool freeptr_outside_of_object()?

> +{
> + return s->offset == s->inuse;

s->offset >= s->inuse? There may be a redzone after the object.

> +static inline unsigned int get_info_end(struct kmem_cache *s)

static inline track_offset()?
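
Review bot: freeptr_after_object() in the mm/slub.c hunk carries no comment stating the layout invariant that its test "s->offset == s->inuse" depends on. The subject line says the patch corrects a misreading of s->offset, so a short comment above the helper saying what an offset equal to inuse means for where the free pointer lives would keep later callers from repeating that misreading. The same goes for get_info_end(): the commit message describes its result as inuse plus the free pointer when the pointer does not overlap the object, and that sentence belongs above the function as well as in the changelog.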