From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qian Cai, Andrew Morton, Glauber Costa, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Linus Torvalds, Sasha Levin
Subject: [PATCH 5.7 025/112] mm/slub: fix stack overruns with SLUB_STATS
Date: Tue, 7 Jul 2020 17:16:30 +0200
Message-Id: <20200707145802.186777620@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200707145800.925304888@linuxfoundation.org>
References: <20200707145800.925304888@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
From: Qian Cai

[ Upstream commit a68ee0573991e90af2f1785db309206408bad3e5 ]

There is no need to copy SLUB_STATS items from root memcg cache to new memcg cache copies. Doing so could result in stack overruns because the store function only accepts 0 to clear the stat and returns an error for everything else while the show method would print out the whole stat. Then, the mismatch of the lengths returned from the show and store methods happens in memcg_propagate_slab_attrs():

	else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf))
		buf = mbuf;

max_attr_size is only 2 from slab_attr_store(), then, it uses mbuf[64] in show_stat() later where a bunch of sprintf() would overrun the stack variable. Fix it by always allocating a page of buffer to be used in show_stat() if SLUB_STATS=y which should only be used for debug purposes.

# echo 1 > /sys/kernel/slab/fs_cache/shrink
BUG: KASAN: stack-out-of-bounds in number+0x421/0x6e0
Write of size 1 at addr ffffc900256cfde0 by task kworker/76:0/53251
Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
Call Trace:
 number+0x421/0x6e0
 vsnprintf+0x451/0x8e0
 sprintf+0x9e/0xd0
 show_stat+0x124/0x1d0
 alloc_slowpath_show+0x13/0x20
 __kmem_cache_create+0x47a/0x6b0

addr ffffc900256cfde0 is located in stack of task kworker/76:0/53251 at offset 0 in frame:
 process_one_work+0x0/0xb90

this frame has 1 object:
 [32, 72) 'lockdep_map'

Memory state around the buggy address:
 ffffc900256cfc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900256cfd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900256cfd80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                       ^
 ffffc900256cfe00: 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00
 ffffc900256cfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __kmem_cache_create+0x6ac/0x6b0
Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
Call Trace:
 __kmem_cache_create+0x6ac/0x6b0

Fixes: 107dab5c92d5 ("slub: slub-specific propagation changes")
Signed-off-by: Qian Cai
Signed-off-by: Andrew Morton
Cc: Glauber Costa
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Link: http://lkml.kernel.org/r/20200429222356.4322-1-cai@lca.pw
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
---
 mm/slub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c index 63f372366ec59..660f4324c0972 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -5681,7 +5681,8 @@ static void memcg_propagate_slab_attrs(struct kmem_cache *s) */ if (buffer) buf = buffer; - else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf)) + else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf) && + !IS_ENABLED(CONFIG_SLUB_STATS)) buf = mbuf; else { buffer = (char *) get_zeroed_page(GFP_KERNEL);
-- 
2.25.1
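Review bot: the hunk does not do what the first sentence of the commit message says. The message opens with "There is no need to copy SLUB_STATS items", but the change still propagates every attribute, stat ones included; it only adds `!IS_ENABLED(CONFIG_SLUB_STATS)` to the `mbuf` condition so that, with SLUB_STATS=y, every attribute goes through the page-sized `buffer` from `get_zeroed_page(GFP_KERNEL)` instead of `mbuf[64]`. That does close the overrun, because `max_attr_size` (2, recorded by slab_attr_store()) is a bound on store() input and not on show_stat() output, but the message should describe the fix as "always use the page buffer when SLUB_STATS=y" rather than as skipping the items; alternatively, skip the stat attributes in the loop, which would also avoid the page allocation for non-stat attributes (the `if (buffer) buf = buffer;` context shows it is taken once per memcg_propagate_slab_attrs() call and reused). Either way, a sentence noting that the `mbuf` fast path is now dead for all attributes under CONFIG_SLUB_STATS would help the next reader.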
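To make the length mismatch described in the commit message concrete, here is an added C model written for this note (not kernel code): model_show_stat() stands in for show_stat(), buffer_size() reproduces the buffer choice before and after the hunk, and the per-CPU counters and NR_CPUS are constructed; the buffer sizes are the kernel's mbuf[64] and one page.

```c
#include <stddef.h>
#include <stdio.h>

#define MBUF_SIZE 64    /* char mbuf[64] on the stack in memcg_propagate_slab_attrs() */
#define PAGE_SZ   4096  /* size of the get_zeroed_page() fallback buffer */
#define NR_CPUS   64    /* constructed CPU count */

/* Model of show_stat(): the total, then one " C<cpu>=<count>" item per CPU (the
 * real one skips zero counters; the sample has none).  Like vsnprintf() it
 * returns the full length, so >= cap means sprintf() would have overrun. */
static size_t model_show_stat(char *buf, size_t cap, const unsigned int *per_cpu)
{
    unsigned long sum = 0;
    size_t len = 0;
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        sum += per_cpu[cpu];
    len += snprintf(buf, cap, "%lu", sum);
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        size_t off = len < cap ? len : cap;   /* clamp the write window only */
        len += snprintf(buf + off, cap - off, " C%d=%u", cpu, per_cpu[cpu]);
    }
    return len;
}

/* Buffer chosen for one attribute.  max_attr_size is the longest input that
 * slab_attr_store() accepted (2 for a stat), not what show() emits; patched
 * adds the hunk's CONFIG_SLUB_STATS test. */
static size_t buffer_size(size_t max_attr_size, int slub_stats, int patched)
{
    if (max_attr_size < MBUF_SIZE && !(patched && slub_stats))
        return MBUF_SIZE;
    return PAGE_SZ;
}

/* Output length for a constructed sample: each CPU a little over 1000 hits. */
static size_t demo_stat_len(void)
{
    unsigned int per_cpu[NR_CPUS];
    char page[PAGE_SZ];
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        per_cpu[cpu] = 1000 + cpu;
    return model_show_stat(page, sizeof page, per_cpu);
}

int main(void)
{
    printf("show_stat() needs %zu bytes; buffer unpatched %zu, patched %zu\n",
           demo_stat_len() + 1, buffer_size(2, 1, 0), buffer_size(2, 1, 1));
    return 0;
}
```

With the sample counters the stat line is 571 bytes plus NUL, so the unpatched 64-byte mbuf choice overruns by hundreds of bytes while the patched path picks the 4096-byte page; for a non-stat attribute without SLUB_STATS the choice is unchanged.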