Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp4697392rdb; Fri, 15 Sep 2023 09:32:08 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGDkmJkG6qhwmjvD1u684PZxsrzz11w5A5/kYYMjLAQ3MKfII5XlGXWlfpKC6yonmYbEGVh X-Received: by 2002:a92:d20d:0:b0:34f:b824:5844 with SMTP id y13-20020a92d20d000000b0034fb8245844mr2641022ily.3.1694795528022; Fri, 15 Sep 2023 09:32:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694795527; cv=none; d=google.com; s=arc-20160816; b=j9YQFI0BHctp8vW5jeCHRWPL3d4wHzgCJ94LUwESvXO016OoUJGimoT5HouqYcsYi4 PweJO8eXXHIE5rVHqHNOGRHJ/z9St9vJ0byavccUQRt9R9N8rpfQqMGcKWh/mHBuHL4G ZaXyPNNVpwojMdlGztIlp8afw03k3DXLWvhzmlpfx9UT2CCtBKdiwBl41wnC0WXiMcF1 zjYWvtIBLn/kXYnf3k5yIKwp1U72SmO8czyjlhvv+UuTef4XA3K8gbINbFyUY+jGb7lw Pc7s1GrIIV1FftybyUBE74zqMPnKSIMm0lACro69N05dPMLprJB770t1l3O0zp/m0PQq Qhlg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=Y3DxUvEg+3g6OhCwS+K/sONLa3J3FFOGvmkB4cPhPPQ=; fh=hxrcP/evkFXgdiqiA6zEdvE31LUTUVye/z/fSCqBw68=; b=JY9RM7UtKHuNsU4A85XVCzDREsDbYXY5XSluI5iRux8HkVGB7V9gxOUqDhNR+Vtqv7 PZfJjXsYKRBu918/WSGj7qyMI9vPCK0AqP7LOym1lzJw2KRJkxXR6veY71dbbg5e8bxc 0OisoMKDy3KjMMUoavvtx1ocmfj+Ys+qgl7KYCbhoaEfvPi5S3HZ7P24VPGviZq2/rPH vo8MqHLNxJCY3pwWl/nZGJslVzKlRwl1DJgNIFLfQa+I6QssCrtJr0NUfVBWtp6EE58h 9QyQT1KzQ7U2Ud0ELnT2hovJ1H0hJGUdZiB7fq9igSDr2IaoTwo0XV/P23DFjOw3AbEv Qadg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=jM9yoZmg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id c15-20020a63da0f000000b00574035fd472si3504168pgh.31.2023.09.15.09.32.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Sep 2023 09:32:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=jM9yoZmg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 8AD458371189; Fri, 15 Sep 2023 03:59:50 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234014AbjIOK7r (ORCPT + 99 others); Fri, 15 Sep 2023 06:59:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54176 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233884AbjIOK7q (ORCPT ); Fri, 15 Sep 2023 06:59:46 -0400 Received: from mail-ej1-x649.google.com (mail-ej1-x649.google.com [IPv6:2a00:1450:4864:20::649]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 71461D3 for ; Fri, 15 Sep 2023 03:59:41 -0700 (PDT) Received: by mail-ej1-x649.google.com with SMTP id a640c23a62f3a-993d7ca4607so152492866b.1 for ; Fri, 15 Sep 2023 03:59:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1694775580; x=1695380380; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=Y3DxUvEg+3g6OhCwS+K/sONLa3J3FFOGvmkB4cPhPPQ=; b=jM9yoZmgXs7EqL1Jxcr3PrzkI1HmyIq50nPIQf1AQTR91kFWFnSUVKrUGXF8bBgwRR QIiURFlFD7QW0CC4frsPrl/cyYAWHx0CavTt9lVVRlHu8W00lI8Q2WhfmHckiL/1J6Hg jUzkDkBXS5H2AMd/p9DUpbGnVDvPwYexmUhygIICOwLPuuJWxE6MOGyENv60pcvZucst ZuINFfczGmlxBLbuKE2+GsvqgkhxQQEdllr0T5j+j86+rQGPtOqxUAUeQidd6OI31sW9 eFzjjVNQA8lic2JJHFFxQPpTYB1TiMPdym0mE/VDtK4ClVamHDnE8cXBCofN/I3MdPSA D/ug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694775580; x=1695380380; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Y3DxUvEg+3g6OhCwS+K/sONLa3J3FFOGvmkB4cPhPPQ=; b=GD5dF8yJE2EwpJQNw0meEv4FL+OZGel/+M5rIf1xj2tzlHBeufkDSsxNJMJxzMnepu PsJ8oIJarxXPI6UXHDYwf79G/aEAVVse3+0VW+6mbSQtYw3UambqwlyVE84YSDGIOj8O CnbPZTDe7/nrjfCSh8aByIpmrFJXQZlHkO46hkxvsa6PSy9RALuAx0jICdJs632/JjwU oFuvbIBlKwUPCw64uvnhQ4wcSH4scJqkBBO4K42mhMMjXQRMmd+eq2FDXiij+7fTMR/t i+aHhwwuiNOWzKMI2INsOYl19Ln4PLGUrT6oyifEYdLTxj7cnQmKh9AMeBdId5hJnMnO oASQ== X-Gm-Message-State: AOJu0YwpTKOWPdX4a03OHmzkF1YCM6sBLH7U4LuyW3kUK1Tr2qbg5Sce MVdi2pla1FkQIlK89QAn/dk3+3Ci+yAOojZrwg== X-Received: from mr-cloudtop2.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:2a6]) (user=matteorizzo job=sendgmr) by 2002:a17:907:cb13:b0:9a1:cac8:6448 with SMTP id um19-20020a170907cb1300b009a1cac86448mr7245ejc.2.1694775579655; Fri, 15 Sep 2023 03:59:39 -0700 (PDT) Date: Fri, 15 Sep 2023 10:59:20 +0000 In-Reply-To: <20230915105933.495735-1-matteorizzo@google.com> Mime-Version: 1.0 References: <20230915105933.495735-1-matteorizzo@google.com> X-Mailer: git-send-email 2.42.0.459.ge4e396fd5e-goog Message-ID: <20230915105933.495735-2-matteorizzo@google.com> Subject: [RFC PATCH 01/14] mm/slub: don't try to dereference invalid freepointers From: Matteo Rizzo To: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev, 42.hyeyoo@gmail.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, corbet@lwn.net, luto@kernel.org, peterz@infradead.org Cc: jannh@google.com, matteorizzo@google.com, evn@google.com, poprdi@google.com, jordyzomer@google.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Fri, 15 Sep 2023 03:59:50 -0700 (PDT) slab_free_freelist_hook tries to read a freelist pointer from the current object even when freeing a single object. This is invalid because single objects don't actually contain a freelist pointer when they're freed and the memory contains other data. This causes problems for checking the integrity of freelist in get_freepointer. Signed-off-by: Matteo Rizzo --- mm/slub.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/slub.c b/mm/slub.c index f7940048138c..a7dae207c2d2 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1820,7 +1820,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s, do { object = next; - next = get_freepointer(s, object); + /* Single objects don't actually contain a freepointer */ + if (object != old_tail) + next = get_freepointer(s, object); /* If object's reuse doesn't have to be delayed */ if (!slab_free_hook(s, object, slab_want_init_on_free(s))) { -- 2.42.0.459.ge4e396fd5e-goog