Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp643133ybz;
        Wed, 29 Apr 2020 06:55:30 -0700 (PDT)
X-Google-Smtp-Source: APiQypK8rtyvobMEr6ahoiRP2NvtWnRhEMP+Z4QFg0URfjGjxP80BA18tWFrl5l0/hLRfL0JJhP8
X-Received: by 2002:aa7:c714:: with SMTP id i20mr2541046edq.230.1588168530633;
        Wed, 29 Apr 2020 06:55:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588168530; cv=none;
        d=google.com; s=arc-20160816;
        b=FN1EQwZVLhn/Afkt13oAIAEE0gMKGk5gIqUVpM26IlLIyVsBdP2WrGFrzwxYblYO2l
         Mw+17gSiy2vIvamU8y3kM4NkLDitZeRY5rPMEDmO9Rvj9xAksX6XqseKwC6pFq0LJLOn
         fOb7GYpDqWraYiTw2y5BBnOfzRFAovdokhS67E/g/EFtepUN+EJfzxo2o4LKjtVW1UnU
         Lufy+XdGX7OV02Eo1t7CC5UF31YeM/R5Zy2ZOtG0Z1VECfwIOYkGDKKKq3EZ2qSdxOyo
         7Z3uVcp5t4WMkdJYv+Ow2O9j+ZpnW0r6/qCnqrEjr1jpE4TnH5zvmndh+5xrLmAqXAbQ
         DeZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=zNYpmHCNWRdwy/mbtNAwcRmJ54i+5/rj40CYVMgSK/A=;
        b=EZ1yGafn6iX2ueFT0YxvKVOP7s2/9UqffhiLznYgTjUGzkWjRgm81FlsbwnbSs8FtN
         MJGHU48C5BJfMsr7UBfrBQMEDBnOV+h+MxLL7mftsgLB80H9R0Kunsva/4XBfyrs89th
         r11hwMtOojU85bBy9I3zz+Xrxyn4al48KeI9fvX+KW/aiFERitCIAARpEqGRtg5Jwk9d
         EpwIbwTmvQL6V5gm9kHxSaVy5vUMZJr5awrxQxY8HUx3LD1fn0liK1aCoGZPsEGa682u
         51abmqRJtgLN0epu8ksys5q6F59LMdE+fqbU0T6Iey8GC5H+DZOwYoY5LAeEs3dm0JSh
         TqlA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=U1Gfux+r;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id fx19si3878241ejb.39.2020.04.29.06.55.07;
        Wed, 29 Apr 2020 06:55:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=U1Gfux+r;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727082AbgD2Nxu (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Wed, 29 Apr 2020 09:53:50 -0400
Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:54526 "EHLO
        us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1726885AbgD2Nxt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Apr 2020 09:53:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1588168427;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc; bh=zNYpmHCNWRdwy/mbtNAwcRmJ54i+5/rj40CYVMgSK/A=;
        b=U1Gfux+rhJZA8E3QDbMnwisw3xGwLdA2ekKCkbgBpOx8V6+gvHRoNeNDnkEd9cG/CGuW+Y
        PPcZ5Xc6RXCqYx7N0NBW1OSCeEFGf4g5Ifv7FEO+Us/o03dIA6r/zVOqgOXqx8VXWuDJ14
        akz7Xwm+QDKkOlcMdkyaZ1i7zsUeE7A=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-487-miAjJIwhMPK1EtEf-KDYaA-1; Wed, 29 Apr 2020 09:53:42 -0400
X-MC-Unique: miAjJIwhMPK1EtEf-KDYaA-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 3EDB445F;
        Wed, 29 Apr 2020 13:53:40 +0000 (UTC)
Received: from llong.com (ovpn-115-218.rdu2.redhat.com [10.10.115.218])
        by smtp.corp.redhat.com (Postfix) with ESMTP id B90EA5D782;
        Wed, 29 Apr 2020 13:53:34 +0000 (UTC)
From:   Waiman Long <longman@redhat.com>
To:     Christoph Lameter <cl@linux.com>,
        Pekka Enberg <penberg@kernel.org>,
        David Rientjes <rientjes@google.com>,
        Joonsoo Kim <iamjoonsoo.kim@lge.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Kees Cook <keescook@chromium.org>
Cc:     linux-mm@kvack.org, linux-kernel@vger.kernel.org,
        Changbin Du <changbin.du@gmail.com>,
        Matthew Wilcox <willy@infradead.org>,
        Markus Elfring <Markus.Elfring@web.de>,
        Waiman Long <longman@redhat.com>
Subject: [PATCH v3] mm/slub: Fix incorrect interpretation of s->offset
Date:   Wed, 29 Apr 2020 09:53:28 -0400
Message-Id: <20200429135328.26976-1-longman@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In a couple of places in the slub memory allocator, the code uses
"s->offset" as a check to see if the free pointer is put right after the
object. That check is no longer true with commit 3202fa62fb43 ("slub:
relocate freelist pointer to middle of object").

As a result, echoing "1" into the validate sysfs file, e.g. of dentry,
may cause a bunch of "Freepointer corrupt" error reports like the
following to appear with the system in panic afterwards.

[   38.579769] =============================================================================
[   38.580845] BUG dentry(666:pmcd.service) (Tainted: G    B): Freepointer corrupt
[   38.581948] -----------------------------------------------------------------------------

To fix it, use the check "s->offset == s->inuse" in the new helper
function freeptr_outside_object() instead. Also add another helper function
get_info_end() to return the end of info block (inuse + free pointer
if not overlapping with object).

Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
Signed-off-by: Waiman Long <longman@redhat.com>
---
 mm/slub.c | 45 ++++++++++++++++++++++++++++++---------------
 1 file changed, 30 insertions(+), 15 deletions(-)

 [v3: Change function name to freeptr_outside_object(), update check & add comment]

diff --git a/mm/slub.c b/mm/slub.c
index 9bf44955c4f1..b762450fc9f0 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -551,15 +551,32 @@ static void print_section(char *level, char *text, u8 *addr,
 	metadata_access_disable();
 }
 
+/*
+ * See comment in calculate_sizes().
+ */
+static inline bool freeptr_outside_object(struct kmem_cache *s)
+{
+	return s->offset >= s->inuse;
+}
+
+/*
+ * Return offset of the end of info block which is inuse + free pointer if
+ * not overlapping with object.
+ */
+static inline unsigned int get_info_end(struct kmem_cache *s)
+{
+	if (freeptr_outside_object(s))
+		return s->inuse + sizeof(void *);
+	else
+		return s->inuse;
+}
+
 static struct track *get_track(struct kmem_cache *s, void *object,
 	enum track_item alloc)
 {
 	struct track *p;
 
-	if (s->offset)
-		p = object + s->offset + sizeof(void *);
-	else
-		p = object + s->inuse;
+	p = object + get_info_end(s);
 
 	return p + alloc;
 }
@@ -686,10 +703,7 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
 		print_section(KERN_ERR, "Redzone ", p + s->object_size,
 			s->inuse - s->object_size);
 
-	if (s->offset)
-		off = s->offset + sizeof(void *);
-	else
-		off = s->inuse;
+	off = get_info_end(s);
 
 	if (s->flags & SLAB_STORE_USER)
 		off += 2 * sizeof(struct track);
@@ -782,7 +796,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
  * object address
  * 	Bytes of the object to be managed.
  * 	If the freepointer may overlay the object then the free
- * 	pointer is the first word of the object.
+ *	pointer is at the middle of the object.
  *
  * 	Poisoning uses 0x6b (POISON_FREE) and the last byte is
  * 	0xa5 (POISON_END)
@@ -816,11 +830,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
 
 static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
 {
-	unsigned long off = s->inuse;	/* The end of info */
-
-	if (s->offset)
-		/* Freepointer is placed after the object. */
-		off += sizeof(void *);
+	unsigned long off = get_info_end(s);	/* The end of info */
 
 	if (s->flags & SLAB_STORE_USER)
 		/* We also have user information there */
@@ -907,7 +917,7 @@ static int check_object(struct kmem_cache *s, struct page *page,
 		check_pad_bytes(s, page, p);
 	}
 
-	if (!s->offset && val == SLUB_RED_ACTIVE)
+	if (!freeptr_outside_object(s) && val == SLUB_RED_ACTIVE)
 		/*
 		 * Object and freepointer overlap. Cannot check
 		 * freepointer while object is allocated.
@@ -3587,6 +3597,11 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 		 *
 		 * This is the case if we do RCU, have a constructor or
 		 * destructor or are poisoning the objects.
+		 *
+		 * The assumption that s->offset >= s->inuse means free
+		 * pointer is outside of the object is used in the
+		 * freeptr_outside_object() function. If that is no
+		 * longer true, the function needs to be modified.
 		 */
 		s->offset = size;
 		size += sizeof(void *);
-- 
2.18.1