Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp643133ybz; Wed, 29 Apr 2020 06:55:30 -0700 (PDT) X-Google-Smtp-Source: APiQypK8rtyvobMEr6ahoiRP2NvtWnRhEMP+Z4QFg0URfjGjxP80BA18tWFrl5l0/hLRfL0JJhP8 X-Received: by 2002:aa7:c714:: with SMTP id i20mr2541046edq.230.1588168530633; Wed, 29 Apr 2020 06:55:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588168530; cv=none; d=google.com; s=arc-20160816; b=FN1EQwZVLhn/Afkt13oAIAEE0gMKGk5gIqUVpM26IlLIyVsBdP2WrGFrzwxYblYO2l Mw+17gSiy2vIvamU8y3kM4NkLDitZeRY5rPMEDmO9Rvj9xAksX6XqseKwC6pFq0LJLOn fOb7GYpDqWraYiTw2y5BBnOfzRFAovdokhS67E/g/EFtepUN+EJfzxo2o4LKjtVW1UnU Lufy+XdGX7OV02Eo1t7CC5UF31YeM/R5Zy2ZOtG0Z1VECfwIOYkGDKKKq3EZ2qSdxOyo 7Z3uVcp5t4WMkdJYv+Ow2O9j+ZpnW0r6/qCnqrEjr1jpE4TnH5zvmndh+5xrLmAqXAbQ DeZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=zNYpmHCNWRdwy/mbtNAwcRmJ54i+5/rj40CYVMgSK/A=; b=EZ1yGafn6iX2ueFT0YxvKVOP7s2/9UqffhiLznYgTjUGzkWjRgm81FlsbwnbSs8FtN MJGHU48C5BJfMsr7UBfrBQMEDBnOV+h+MxLL7mftsgLB80H9R0Kunsva/4XBfyrs89th r11hwMtOojU85bBy9I3zz+Xrxyn4al48KeI9fvX+KW/aiFERitCIAARpEqGRtg5Jwk9d EpwIbwTmvQL6V5gm9kHxSaVy5vUMZJr5awrxQxY8HUx3LD1fn0liK1aCoGZPsEGa682u 51abmqRJtgLN0epu8ksys5q6F59LMdE+fqbU0T6Iey8GC5H+DZOwYoY5LAeEs3dm0JSh TqlA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=U1Gfux+r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id fx19si3878241ejb.39.2020.04.29.06.55.07; Wed, 29 Apr 2020 06:55:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=U1Gfux+r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727082AbgD2Nxu (ORCPT + 99 others); Wed, 29 Apr 2020 09:53:50 -0400 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:54526 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726885AbgD2Nxt (ORCPT ); Wed, 29 Apr 2020 09:53:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1588168427; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc; bh=zNYpmHCNWRdwy/mbtNAwcRmJ54i+5/rj40CYVMgSK/A=; b=U1Gfux+rhJZA8E3QDbMnwisw3xGwLdA2ekKCkbgBpOx8V6+gvHRoNeNDnkEd9cG/CGuW+Y PPcZ5Xc6RXCqYx7N0NBW1OSCeEFGf4g5Ifv7FEO+Us/o03dIA6r/zVOqgOXqx8VXWuDJ14 akz7Xwm+QDKkOlcMdkyaZ1i7zsUeE7A= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-487-miAjJIwhMPK1EtEf-KDYaA-1; Wed, 29 Apr 2020 09:53:42 -0400 X-MC-Unique: miAjJIwhMPK1EtEf-KDYaA-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 3EDB445F; Wed, 29 Apr 2020 13:53:40 +0000 (UTC) Received: from llong.com (ovpn-115-218.rdu2.redhat.com [10.10.115.218]) by smtp.corp.redhat.com (Postfix) with ESMTP id B90EA5D782; Wed, 29 Apr 2020 13:53:34 +0000 (UTC) From: Waiman Long To: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Kees Cook Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Changbin Du , Matthew Wilcox , Markus Elfring , Waiman Long Subject: [PATCH v3] mm/slub: Fix incorrect interpretation of s->offset Date: Wed, 29 Apr 2020 09:53:28 -0400 Message-Id: <20200429135328.26976-1-longman@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In a couple of places in the slub memory allocator, the code uses "s->offset" as a check to see if the free pointer is put right after the object. That check is no longer true with commit 3202fa62fb43 ("slub: relocate freelist pointer to middle of object"). As a result, echoing "1" into the validate sysfs file, e.g. of dentry, may cause a bunch of "Freepointer corrupt" error reports like the following to appear with the system in panic afterwards. [ 38.579769] ============================================================================= [ 38.580845] BUG dentry(666:pmcd.service) (Tainted: G B): Freepointer corrupt [ 38.581948] ----------------------------------------------------------------------------- To fix it, use the check "s->offset == s->inuse" in the new helper function freeptr_outside_object() instead. Also add another helper function get_info_end() to return the end of info block (inuse + free pointer if not overlapping with object). Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object") Signed-off-by: Waiman Long --- mm/slub.c | 45 ++++++++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 15 deletions(-) [v3: Change function name to freeptr_outside_object(), update check & add comment] diff --git a/mm/slub.c b/mm/slub.c index 9bf44955c4f1..b762450fc9f0 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -551,15 +551,32 @@ static void print_section(char *level, char *text, u8 *addr, metadata_access_disable(); } +/* + * See comment in calculate_sizes(). + */ +static inline bool freeptr_outside_object(struct kmem_cache *s) +{ + return s->offset >= s->inuse; +} + +/* + * Return offset of the end of info block which is inuse + free pointer if + * not overlapping with object. + */ +static inline unsigned int get_info_end(struct kmem_cache *s) +{ + if (freeptr_outside_object(s)) + return s->inuse + sizeof(void *); + else + return s->inuse; +} + static struct track *get_track(struct kmem_cache *s, void *object, enum track_item alloc) { struct track *p; - if (s->offset) - p = object + s->offset + sizeof(void *); - else - p = object + s->inuse; + p = object + get_info_end(s); return p + alloc; } @@ -686,10 +703,7 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p) print_section(KERN_ERR, "Redzone ", p + s->object_size, s->inuse - s->object_size); - if (s->offset) - off = s->offset + sizeof(void *); - else - off = s->inuse; + off = get_info_end(s); if (s->flags & SLAB_STORE_USER) off += 2 * sizeof(struct track); @@ -782,7 +796,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page, * object address * Bytes of the object to be managed. * If the freepointer may overlay the object then the free - * pointer is the first word of the object. + * pointer is at the middle of the object. * * Poisoning uses 0x6b (POISON_FREE) and the last byte is * 0xa5 (POISON_END) @@ -816,11 +830,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page, static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p) { - unsigned long off = s->inuse; /* The end of info */ - - if (s->offset) - /* Freepointer is placed after the object. */ - off += sizeof(void *); + unsigned long off = get_info_end(s); /* The end of info */ if (s->flags & SLAB_STORE_USER) /* We also have user information there */ @@ -907,7 +917,7 @@ static int check_object(struct kmem_cache *s, struct page *page, check_pad_bytes(s, page, p); } - if (!s->offset && val == SLUB_RED_ACTIVE) + if (!freeptr_outside_object(s) && val == SLUB_RED_ACTIVE) /* * Object and freepointer overlap. Cannot check * freepointer while object is allocated. @@ -3587,6 +3597,11 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) * * This is the case if we do RCU, have a constructor or * destructor or are poisoning the objects. + * + * The assumption that s->offset >= s->inuse means free + * pointer is outside of the object is used in the + * freeptr_outside_object() function. If that is no + * longer true, the function needs to be modified. */ s->offset = size; size += sizeof(void *); -- 2.18.1