Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp652269iog;
        Thu, 30 Jun 2022 07:43:29 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1vsY/qU1Dhm8Yanl0JGgTiIHzCobffnpOEe5Jub244ov88xey8hpet57TviqdecatVynBT3
X-Received: by 2002:a05:6402:3988:b0:434:e2a8:8459 with SMTP id fk8-20020a056402398800b00434e2a88459mr12099099edb.253.1656600209343;
        Thu, 30 Jun 2022 07:43:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656600209; cv=none;
        d=google.com; s=arc-20160816;
        b=nq9KMDTSqoPySs3EB+1xP9X4v2IcREl6Ejl1W+aNj47DAENYIx4x0oEkyC9FEBIX7M
         4irMk6gSYOvAFaprzHCwlPW8Xy+ZHvZ7Fm7AANh4vsl1llSznLcT5A5anhXbmFNn6j5Z
         IB8gpw03Olla+y7O4XlOYhZjTSrQ8KaIJEI7N4VfW5aq4u4IRhkpc6j/UDv7yJtUJ4sf
         7jPugQLB+GX2PdnBkTEGLnRxG8nhPuF0N2/GG1+i/o3Cp9PkZMgotvIJCTKQ7zXO5sOG
         t/DZ/EyUKjNZMwwUZEiGZky8q7ewTCSmaqgZKU5pYpvUlEvSx8bIwOsKeCjIifBroVfC
         J3mA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=MElpy0fMx4D1nZa6hS/Mk5tJjLB7n1QNG4VvcSLfrxQ=;
        b=0+96r8BB8wmSfIimYXM2d3maldEr93VY+8F5jDlF0NsuLVjHX4BhHIuCksoF7zbTV7
         S5+phcgRj78/SpYem4zpj54rPBU6+L4Wmp1k4565LOfW6Pn8ul6i8pgXlFQ/2OizUCzg
         dOrlL4EdvCuOApJ18zjcza0wGs655g7D5DtDXLVmYNtLjvhkGxGAc3xBy0rm7CTQgY/I
         fuiwqtnLUSP6Fb2PctWPK8T+6EEGevT2xBWsXvCDMNbyWzvNkWSnicezohQaYewpogn8
         Dt4dUBkZBndu9rgiH5pFIC/ScQVqnzCdopuJ1z249nzYbzeRSlcQNc2B63+xzDdLzf/K
         SwPQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WfF7Ie33;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id m7-20020aa7d347000000b00435c517de46si22914736edr.394.2022.06.30.07.43.04;
        Thu, 30 Jun 2022 07:43:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WfF7Ie33;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236666AbiF3OIl (ORCPT <rfc822;aleksandr.v.piskunov@gmail.com>
        + 99 others); Thu, 30 Jun 2022 10:08:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57676 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236949AbiF3OH7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 Jun 2022 10:07:59 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0338776E96;
        Thu, 30 Jun 2022 06:54:55 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 2F962B82AF0;
        Thu, 30 Jun 2022 13:54:51 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 918F8C34115;
        Thu, 30 Jun 2022 13:54:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1656597290;
        bh=P3AupUgDyXW+430uK+Ri8zPTDcyspi0YtaT5rbVwYac=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=WfF7Ie33XckdQYLKZaMLTL5atoOcMQFmbU/dSAyjP2jAYGSKgpqb02JqVWb6+7Bt5
         0bBgA/S4TQYT/EzFEgZNhQSVHgK4ckvp56pAlz6Zu9j1uXQG1DCDfO5e4sNUqtkiQC
         DItNqDXnunPPRCoIuk6UkCerh/PsnCwQMnvYQKAA=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Rustam Kovhaev <rkovhaev@gmail.com>,
        "Darrick J. Wong" <djwong@kernel.org>,
        Leah Rumancik <leah.rumancik@gmail.com>
Subject: [PATCH 5.15 05/28] xfs: use kmem_cache_free() for kmem_cache objects
Date:   Thu, 30 Jun 2022 15:47:01 +0200
Message-Id: <20220630133233.084521867@linuxfoundation.org>
X-Mailer: git-send-email 2.37.0
In-Reply-To: <20220630133232.926711493@linuxfoundation.org>
References: <20220630133232.926711493@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Rustam Kovhaev <rkovhaev@gmail.com>

[ Upstream commit c30a0cbd07ecc0eec7b3cd568f7b1c7bb7913f93 ]

For kmalloc() allocations SLOB prepends the blocks with a 4-byte header,
and it puts the size of the allocated blocks in that header.
Blocks allocated with kmem_cache_alloc() allocations do not have that
header.

SLOB explodes when you allocate memory with kmem_cache_alloc() and then
try to free it with kfree() instead of kmem_cache_free().
SLOB will assume that there is a header when there is none, read some
garbage to size variable and corrupt the adjacent objects, which
eventually leads to hang or panic.

Let's make XFS work with SLOB by using proper free function.

Fixes: 9749fee83f38 ("xfs: enable the xfs_defer mechanism to process extents to free")
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/xfs_extfree_item.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/xfs/xfs_extfree_item.c
+++ b/fs/xfs/xfs_extfree_item.c
@@ -482,7 +482,7 @@ xfs_extent_free_finish_item(
 			free->xefi_startblock,
 			free->xefi_blockcount,
 			&free->xefi_oinfo, free->xefi_skip_discard);
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 	return error;
 }
 
@@ -502,7 +502,7 @@ xfs_extent_free_cancel_item(
 	struct xfs_extent_free_item	*free;
 
 	free = container_of(item, struct xfs_extent_free_item, xefi_list);
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 }
 
 const struct xfs_defer_op_type xfs_extent_free_defer_type = {
@@ -564,7 +564,7 @@ xfs_agfl_free_finish_item(
 	extp->ext_len = free->xefi_blockcount;
 	efdp->efd_next_extent++;
 
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 	return error;
 }