Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp2384457imn; Tue, 2 Aug 2022 00:14:22 -0700 (PDT) X-Google-Smtp-Source: AGRyM1s2XZJsbBzmYcXSJu9OHHY0ZADXHhJCdilSCa5CuYvRS2y1qBbnhUio02YExJPIHWchP0Q/ X-Received: by 2002:a63:1259:0:b0:41b:5589:fa8f with SMTP id 25-20020a631259000000b0041b5589fa8fmr15820935pgs.481.1659424462109; Tue, 02 Aug 2022 00:14:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659424462; cv=none; d=google.com; s=arc-20160816; b=K6kOnZ4KRfkKdMbb6b/68WrAEv4t6eCghAxn1Oi9UCYCQQGew45nTqLwoGHPpCaBnN pjX6tBt5DwN1DR0sc6NpjzhbU3x3qj69s8LdS1r6x5OrU2v6g91eBiuvQQdgggt4pTe2 u/94HDCfF+raMcEd/vGNgtRULP6vkFeTFFn72qSPFRjQHt3ADBLpqkGA7oG+iqNGSk9u oR7/1JE63PYhCmujep/qh092YgcGJ6+0IpqOjWrK4G2Oh+aeMDHKGAr9Jap+5v1Qtgwr jZBw74VAtBOl+CW1h/iR5/c6rRhR7xx+pLmyVewlYC2X3W2iaAqIlkAmXU6n3gYInWAN 5M6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=6vKqhsUzixhYOBMktOXVTY43Yh0tm2BA/2sZ3OGVl9Q=; b=t0vXEbWqbuIr6aCRo2/7lQ1CKOmxvCGGZVTG+EWrnAgTlPxUgJxsSiloZ22bb4tViJ MNDZamStHunuW6NazRQtIswp9uwEQK7yTNlO74RIP+B59WJRsVvKZVGSs/tk2Pfx1lYG nW6QDy0bdumTpzWUSIhlauQ+RGCOMSNIHxanjADW+3IsK4HjJftNOZnfTkI/WXEmdUxn iudqf3KKgsNOwlbqi+k9BSNEiF7TYf+nU8DSIVc2z+rpYUCikN9COnwdRnSt4OwUhhB5 MpxLtWlRTInGnlY9MwbJ+4dSl8AGbBu1OoyTnH+YIPo12l0SS+VCA88zB8ltEFH7iAOg a55A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=gHKO1or5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id m8-20020a170902db0800b0016eeb21047bsi6308575plx.315.2022.08.02.00.14.07; Tue, 02 Aug 2022 00:14:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=gHKO1or5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235668AbiHBHHT (ORCPT + 99 others); Tue, 2 Aug 2022 03:07:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46834 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235759AbiHBHGz (ORCPT ); Tue, 2 Aug 2022 03:06:55 -0400 Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7E20449B40 for ; Tue, 2 Aug 2022 00:06:54 -0700 (PDT) Received: by mail-lj1-x22e.google.com with SMTP id a13so14628637ljr.11 for ; Tue, 02 Aug 2022 00:06:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=6vKqhsUzixhYOBMktOXVTY43Yh0tm2BA/2sZ3OGVl9Q=; b=gHKO1or5+vev0QVbmdNrUU3OWjemyPo5ATbnfrhdrg+z5WzYXVlmiVbesXNNH9cm6J oNQ0nQJ91NrjdrfG4mTjQZfZtTdkI7nb9GgSwltsvT5oz8ze9yT/3DmZ4xieCeJXG9CK OvNJ1ftbi7solG2Uvq2i/Ri3u9Fg4PMurXlf8KJjTxy4s82f1tEX5aNn0CMyLa2mLmdF 2tbopaFMnfsa8CrGZCURw14BDYsYhJfID/wJdg8PK93GnS6VtfumI3FynONlX8rsbVkU mws4og1LhI8BgJO53mu0BDE5wXmqJhgy922KcysQlLcDfVXw8fXiFWgac9U74xKr+Tqi 5xnQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=6vKqhsUzixhYOBMktOXVTY43Yh0tm2BA/2sZ3OGVl9Q=; b=mlvQu/9+YyXxQuZOx7hcgp85LDzT6TKNTlPUNrE/EvvhraozyRRxu9OFeR0ue47vcg tODoBCE2IQPnouHxKXI9nHYa1wkD82RPwkkPI9xBStKhkA8LlwCjfdS6U3mJbh6ZtZCZ s8xFYct98yI0v8lHI5KoG7ZTkHQbyAp1zkpScWptWm1RkRCbC1wLEIgq6GP1ewTNfG+G 9ayaRXTTgW7qhEmEWejjxSJLrQBfHX9/+cc3XZAWh7Z3awiA5LqWB1nYa4AricuTJJZQ 2eTAHUf7kO4MfIr2Mn0iO8+j9jVAADUOCBRvWaxIuOBCAgK7pZmqSUs1edGpH+T56x+4 9+Xw== X-Gm-Message-State: AJIora9V2drgQ0oN7xzeEG9oqC7Uj80jpmqzfRx1Z0wwpRcr6OmCyJX1 axof83NJ1gQwT/t9FuU7nO+mreZxuKC5XCwA/sWrhQ== X-Received: by 2002:a2e:bd0e:0:b0:25a:88b3:9af6 with SMTP id n14-20020a2ebd0e000000b0025a88b39af6mr6507869ljq.363.1659424012668; Tue, 02 Aug 2022 00:06:52 -0700 (PDT) MIME-Version: 1.0 References: <20220727071042.8796-4-feng.tang@intel.com> <0e545088-d140-4c84-bbb2-a3be669740b2@suse.cz> In-Reply-To: From: Dmitry Vyukov Date: Tue, 2 Aug 2022 09:06:41 +0200 Message-ID: Subject: Re: [mm/slub] 3616799128: BUG_kmalloc-#(Not_tainted):kmalloc_Redzone_overwritten To: Feng Tang Cc: Vlastimil Babka , "Sang, Oliver" , lkp , LKML , "linux-mm@kvack.org" , "lkp@lists.01.org" , Andrew Morton , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, "Hansen, Dave" , Robin Murphy , John Garry , Kefeng Wang , Andrey Konovalov , Andrey Ryabinin , Alexander Potapenko , "kasan-dev@googlegroups.com" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2 Aug 2022 at 08:55, Feng Tang wrote: > > On Mon, Aug 01, 2022 at 10:23:23PM +0800, Vlastimil Babka wrote: > > On 8/1/22 08:21, Feng Tang wrote: > [snip] > > > Cc kansan mail list. > > > > > > This is really related with KASAN debug, that in free path, some > > > kmalloc redzone ([orig_size+1, object_size]) area is written by > > > kasan to save free meta info. > > > > > > The callstack is: > > > > > > kfree > > > slab_free > > > slab_free_freelist_hook > > > slab_free_hook > > > __kasan_slab_free > > > ____kasan_slab_free > > > kasan_set_free_info > > > kasan_set_track > > > > > > And this issue only happens with "kmalloc-16" slab. Kasan has 2 > > > tracks: alloc_track and free_track, for x86_64 test platform, most > > > of the slabs will reserve space for alloc_track, and reuse the > > > 'object' area for free_track. The kasan free_track is 16 bytes > > > large, that it will occupy the whole 'kmalloc-16's object area, > > > so when kmalloc-redzone is enabled by this patch, the 'overwritten' > > > error is triggered. > > > > > > But it won't hurt other kmalloc slabs, as kasan's free meta won't > > > conflict with kmalloc-redzone which stay in the latter part of > > > kmalloc area. > > > > > > So the solution I can think of is: > > > * skip the kmalloc-redzone for kmalloc-16 only, or > > > * skip kmalloc-redzone if kasan is enabled, or > > > * let kasan reserve the free meta (16 bytes) outside of object > > > just like for alloc meta > > > > Maybe we could add some hack that if both kasan and SLAB_STORE_USER is > > enabled, we bump the stored orig_size from <16 to 16? Similar to what > > __ksize() does. > > How about the following patch: > > --- > diff --git a/mm/slub.c b/mm/slub.c > index added2653bb0..33bbac2afaef 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -830,6 +830,16 @@ static inline void set_orig_size(struct kmem_cache *s, > if (!slub_debug_orig_size(s)) > return; > > +#ifdef CONFIG_KASAN > + /* > + * When kasan is enabled, it could save its free meta data in the > + * start part of object area, so skip the kmalloc redzone check > + * for small kmalloc slabs to avoid the data conflict. > + */ > + if (s->object_size <= 32) > + orig_size = s->object_size; > +#endif > + > p += get_info_end(s); > p += sizeof(struct track) * 2; > > I extend the size to 32 for potential's kasan meta data size increase. > This is tested locally, if people are OK with it, I can ask for 0Day's > help to verify this. Where is set_orig_size() function defined? Don't see it upstream nor in linux-next. This looks fine but my only concern is that this should not increase memory consumption when slub debug tracking is not enabled, which should be the main operation mode when KASAN is enabled. But I can't figure this out w/o context. > Thanks, > Feng > > > > > > I don't have way to test kasan's SW/HW tag configuration, which > > > is only enabled on arm64 now. And I don't know if there will > > > also be some conflict. > > > > > > Thanks, > > > Feng > > > > > > > -- > You received this message because you are subscribed to the Google Groups "kasan-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/YujKCxu2lJJFm73P%40feng-skl.