Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp667137iog;
        Thu, 30 Jun 2022 08:01:33 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1vBt1xUtgYDAWS6LcSC8ReQxaa6+ZMADBM2kx0dZ/EE4ziUWGhbzEbxsj/W3eeJc+76SeFR
X-Received: by 2002:a63:f307:0:b0:411:a0b8:d3a with SMTP id l7-20020a63f307000000b00411a0b80d3amr3520761pgh.543.1656601293719;
        Thu, 30 Jun 2022 08:01:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656601293; cv=none;
        d=google.com; s=arc-20160816;
        b=ErFUECBMlbxXm4DC8rd5zd3SAoyKnfgSM1QI505VNziIM6x6laRyTD1Ri8AnFT2Rsj
         Vhz8HqlbOFwOTzVVUgi4IDbx3b5vXmlCTPOx2ZaDhUnGEep6b5YkKEbuW7FIq1rRFBt3
         w1GdRugHB0pd5fyXmhmDb1Ek0VOeWkOezQIGnsnT5RnhVLr13K6Dxqi5uy+wO5W73qL1
         y1i4CeZeoLr5/1tHGArJ1lP+CU57wCYFdz/x8I5Z/LOwkokzHXbIZiEtO5eRoA8dp8pr
         LfAaS78wU1wXn0UG4TSmCJ7Cv5pCtNBZI/jskqzv2K0Ed7u6f0tC3Cvt+eG0bN/YZ54u
         kWAA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=dCTSjz7e7wWCFyUmiPlTI5sktETn/t1ya7tOTJvonbg=;
        b=xO/iixl6TN37Rri8n+QYWOT7vpDhDw0nPhvCSilTQ4QQkkA/Z8OSYeTDlbx72sXuoz
         UyNJRvrKsD7WkPr6+zCzRsuywxrfTv11wzBGa5SUAjEnDt2hM2L2Ho2ypvFIJ3+dncwA
         PGRXByBcc9rfeLaH9yfpZOKyP8sB8M8m/JVRCddl9djNF6OznoE647neEeYb0+t9IgaL
         GqaWKgWUTOrPeTYPJds1li9qNDB6Z3laE2bJ/28SltEnUuaiGRogP1hMi0/gAVW42U86
         9GanT33ehP3RBVuQ2rRJolFV9XcCECX+WDyW6szGODB6DsNwtOuiNcq/27nfYzLQzUI9
         K6dg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LnI4t9mB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id o20-20020a056a0015d400b005253974cdd0si31001875pfu.222.2022.06.30.08.01.13;
        Thu, 30 Jun 2022 08:01:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LnI4t9mB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236718AbiF3OIy (ORCPT <rfc822;aleksandr.v.piskunov@gmail.com>
        + 99 others); Thu, 30 Jun 2022 10:08:54 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57772 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236557AbiF3OG4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 Jun 2022 10:06:56 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6EEC04F19E;
        Thu, 30 Jun 2022 06:54:21 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id C64E861FDB;
        Thu, 30 Jun 2022 13:54:14 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D03D8C34115;
        Thu, 30 Jun 2022 13:54:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1656597254;
        bh=SbgGPTyNglffG3TwFHx2LhmFF+pZS8w3mcJvxg7lWy0=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=LnI4t9mBjn969MrsJPPTV2tstg8WB2cTq8PDbhaGXQUu7DTlkpchgzrhXMp0UMvg/
         wuNjyxufwqztoRPcM8wUugaPCA6CL+ZyvnarlnnA1Sy/Sq7mdLuu4OSTOMIMSZGFs0
         eQ9iYKAgQKOfxajLww1Z4BXSurLTiGjSejliHLU8=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Rustam Kovhaev <rkovhaev@gmail.com>,
        "Darrick J. Wong" <djwong@kernel.org>,
        Amir Goldstein <amir73il@gmail.com>
Subject: [PATCH 5.10 06/12] xfs: use kmem_cache_free() for kmem_cache objects
Date:   Thu, 30 Jun 2022 15:47:11 +0200
Message-Id: <20220630133230.871663272@linuxfoundation.org>
X-Mailer: git-send-email 2.37.0
In-Reply-To: <20220630133230.676254336@linuxfoundation.org>
References: <20220630133230.676254336@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Rustam Kovhaev <rkovhaev@gmail.com>

commit c30a0cbd07ecc0eec7b3cd568f7b1c7bb7913f93 upstream.

For kmalloc() allocations SLOB prepends the blocks with a 4-byte header,
and it puts the size of the allocated blocks in that header.
Blocks allocated with kmem_cache_alloc() allocations do not have that
header.

SLOB explodes when you allocate memory with kmem_cache_alloc() and then
try to free it with kfree() instead of kmem_cache_free().
SLOB will assume that there is a header when there is none, read some
garbage to size variable and corrupt the adjacent objects, which
eventually leads to hang or panic.

Let's make XFS work with SLOB by using proper free function.

Fixes: 9749fee83f38 ("xfs: enable the xfs_defer mechanism to process extents to free")
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Acked-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/xfs_extfree_item.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/xfs/xfs_extfree_item.c
+++ b/fs/xfs/xfs_extfree_item.c
@@ -482,7 +482,7 @@ xfs_extent_free_finish_item(
 			free->xefi_startblock,
 			free->xefi_blockcount,
 			&free->xefi_oinfo, free->xefi_skip_discard);
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 	return error;
 }
 
@@ -502,7 +502,7 @@ xfs_extent_free_cancel_item(
 	struct xfs_extent_free_item	*free;
 
 	free = container_of(item, struct xfs_extent_free_item, xefi_list);
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 }
 
 const struct xfs_defer_op_type xfs_extent_free_defer_type = {
@@ -564,7 +564,7 @@ xfs_agfl_free_finish_item(
 	extp->ext_len = free->xefi_blockcount;
 	efdp->efd_next_extent++;
 
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 	return error;
 }