Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp1203600lqa;
        Mon, 29 Apr 2024 00:56:17 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWZiU12TC+gDlKhSwUMgXlUCI3xob9eL1dBj5kFWoSaX/9+OFwyShMdTezvzFilfmZBgtMh3gsIgcUG9IWbKfHzblwUi0ArpLvOAXzF1w==
X-Google-Smtp-Source: AGHT+IE7R9izcmPh9FoRQrc2mv2GlnQyh/7DwYUfLci/eUfkUYc2Z3Mr9e23+wWZ0kCDdye3tsgG
X-Received: by 2002:a50:a6da:0:b0:56d:f405:9a42 with SMTP id f26-20020a50a6da000000b0056df4059a42mr6534669edc.2.1714377377194;
        Mon, 29 Apr 2024 00:56:17 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714377377; cv=pass;
        d=google.com; s=arc-20160816;
        b=TOOlok0tjLPdBhBmIfb7mGB+7L/QJSv7b/zcxlLgMRobliySF1TPG0O90iidBzMWif
         W04F1RDKdkilo8emkWlNMs8HCcitJ5RE39+UpArO719W9dtL0GByiB09dpjn+ZDAyBUB
         Xr4lniB9Bh5wieJ72Mxv5nUGKPjTp18O2q0LFs9E0OeaS0KH6xUnkSk73Ss4mv5epahu
         bkdvnyOva2EbI78Q1J6K3xHeads8hs0MMxv4etCOjZMN/4gQJEaMOu9WXTkw2W0U+UR7
         XJ0eLEh0zymjZHR5aR0He4s+tl+e3A+qMHpTKOpAyLNarVFi97ggG7XzdOwhLM1fhwiT
         OMpQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id:dkim-signature;
        bh=qRFrm6wJpTdJo02mNwFpZgTYCwsjhC4CDet4zevy5n8=;
        fh=KhqX3qq8oJR4nW80fM2P9EkR1NEss2tpWJJy1ENHQ8g=;
        b=Pa1IAwN7ZXfBwhRjPx2QJ7h8gHjjO+gFlbJ9n5jAkDhHJXTm6QrhVQxkxjRPe18kIQ
         f/ypI0gJq9RcRK604619UnG9f3CupUTt1HjcdaS7DGMMwWMorzCcoo3RKCYLYJDBysBv
         KZm4BNgKFFhaxOJwUFyL4Fw2pMaiCgxCz45netZWEYp58vMk+vCn3y4mJZ1gmkEkqGIK
         Nidv6l2j6CjhXDP18E9UITQfo2a3NvlLEvg1NgrXDmpmN7a79JL0hOYzXFLBYN4+Nx8Y
         P37hgE9VjgZR0+3/qSFusRLHkWaglIQX8zsZy/AJWraOSTR5L1RtUhKw1w03oDdimP1i
         uNJA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@clip-os.org header.s=gm1 header.b=ZVb+L3fw;
       arc=pass (i=1 spf=pass spfdomain=clip-os.org dkim=pass dkdomain=clip-os.org dmarc=pass fromdomain=clip-os.org);
       spf=pass (google.com: domain of linux-kernel+bounces-161885-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161885-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=clip-os.org
Return-Path: <linux-kernel+bounces-161885-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id s20-20020aa7c554000000b0056bd9adc7b7si13615319edr.525.2024.04.29.00.56.17
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 29 Apr 2024 00:56:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-161885-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@clip-os.org header.s=gm1 header.b=ZVb+L3fw;
       arc=pass (i=1 spf=pass spfdomain=clip-os.org dkim=pass dkdomain=clip-os.org dmarc=pass fromdomain=clip-os.org);
       spf=pass (google.com: domain of linux-kernel+bounces-161885-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161885-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=clip-os.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id E91331F21A3A
	for <linux.lists.archive@gmail.com>; Mon, 29 Apr 2024 07:56:16 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 19B2615E88;
	Mon, 29 Apr 2024 07:56:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=clip-os.org header.i=@clip-os.org header.b="ZVb+L3fw"
Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48B5614AA3
	for <linux-kernel@vger.kernel.org>; Mon, 29 Apr 2024 07:56:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.195
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714377369; cv=none; b=LRPAV+8GZsvZCmeDeCHBouU+GSIGtjp1bj9ab4WTL95342QptGSNXvbLxf3v3uDuqrBlTE05ZcYUu3C8XLMCC8aD57fUJ3QsAzM+fS/rVp2E+NnJiJbDgS/VObw7y5Qt9Qc+yLoWaznaRqjwfSrq+piYTbeHLpPym7HVH9uamkg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714377369; c=relaxed/simple;
	bh=eWilt8G5gLl7+AXu+4/dX6hli8GN8Nanfu09syNcIdA=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=XxLNg3xq2u5QJtSvcJbvIAzKbperFjPFvLH/MnOWgqqp0JScAwhfD966IutCbJoej7lhqoVZzKK1MFBSToP7+rrzpYEkd1o7GwOxCcRWIaM2oCEff+jn7T+ANIR3B06NOY7878tQElxJuYHSJ/3JFiu9KB3qJ/TKQt6xrm9gQ7Y=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=clip-os.org; spf=pass smtp.mailfrom=clip-os.org; dkim=pass (2048-bit key) header.d=clip-os.org header.i=@clip-os.org header.b=ZVb+L3fw; arc=none smtp.client-ip=217.70.183.195
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=clip-os.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=clip-os.org
Received: by mail.gandi.net (Postfix) with ESMTPSA id 2F26160005;
	Mon, 29 Apr 2024 07:55:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clip-os.org; s=gm1;
	t=1714377358;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=qRFrm6wJpTdJo02mNwFpZgTYCwsjhC4CDet4zevy5n8=;
	b=ZVb+L3fwl4phMyrApv6CGFbaRYimX1adE0s/u893Huzsi1cR9O/9q8yOIyvqdp+yDwWoFv
	abkLETToqKRrwLM1ecrEyLXs6IJDiDu/ajqjfNntI6qLAk9KHd6nE6TRZqMHHKexLQmy3g
	Pdrfkdr8CjpBqmdzcThNs2fTAn4oCrC4eUPVyP5r9/uMGt6ObZXo4UEGElZD268RBXgSwr
	B4v1XR7mPz6LBsGtgTrkveLfhTK5BjXYZHdWu1Otpr8egk9e2jLtpQeafik03iC+unr5N/
	pg8fIe1yMk4DN0xjO+fOTi4lTM3rUaV0m73eQ5W5jRzwPvvjLS/SFEjwUn3+fQ==
Message-ID: <1136cf64-c1b6-4909-b64e-0c754276024c@clip-os.org>
Date: Mon, 29 Apr 2024 09:55:55 +0200
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH] slub: Fixes freepointer encoding for single free
To: Xiongwei Song <sxwjean@gmail.com>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, cl@linux.com,
 penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com,
 akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev,
 42.hyeyoo@gmail.com
References: <Zij_fGjRS_rK-65r@archlinux>
 <CAEVVKH8Oagbih8E8YNPpNhyh75fWnBLdod+eEGQm9i8ciNv7sQ@mail.gmail.com>
 <47011bf2-4000-4fd8-9dd3-4c6b6a1c4a80@clip-os.org>
 <CAEVVKH9rwS6vR5_AjHyjS0vknyZvHabooE+c+k_5XNn2Rdac6w@mail.gmail.com>
Content-Language: en-US
From: Nicolas Bouchinet <nicolas.bouchinet@clip-os.org>
In-Reply-To: <CAEVVKH9rwS6vR5_AjHyjS0vknyZvHabooE+c+k_5XNn2Rdac6w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-GND-Sasl: nicolas.bouchinet@clip-os.org


On 4/26/24 15:14, Xiongwei Song wrote:
> On Fri, Apr 26, 2024 at 8:18 PM Nicolas Bouchinet
> <nicolas.bouchinet@clip-os.org> wrote:
>> On 4/26/24 11:20, Xiongwei Song wrote:
>>> On Wed, Apr 24, 2024 at 8:48 PM Nicolas Bouchinet
>>> <nicolas.bouchinet@clip-os.org> wrote:
>>>> From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
>>>>
>>>> Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing
>>>> separately") splits single and bulk object freeing in two functions
>>>> slab_free() and slab_free_bulk() which leads slab_free() to call
>>>> slab_free_hook() directly instead of slab_free_freelist_hook().
>>>>
>>>> If `init_on_free` is set, slab_free_hook() zeroes the object.
>>>> Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are
>>>> set, the do_slab_free() slowpath executes freelist consistency
>>>> checks and try to decode a zeroed freepointer which leads to a
>>>> "Freepointer corrupt" detection in check_object().
>>>>
>>>> Object's freepointer thus needs to be properly set using
>>>> set_freepointer() after init_on_free.
>>>>
>>>> To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the
>>>> command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.
>>>>
>>>> dmesg sample log:
>>>> [   10.708715] =============================================================================
>>>> [   10.710323] BUG kmalloc-rnd-05-32 (Tainted: G    B           T ): Freepointer corrupt
>>>> [   10.712695] -----------------------------------------------------------------------------
>>>> [   10.712695]
>>>> [   10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)
>>>> [   10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c
>>> If init_on_free is set,  slab_free_hook() zeros the object first, then
>>> do_slab_free() calls
>>> set_freepointer() to set the fp value, so there are 8 bytes non-zero
>>> at the moment?
>>> Hence, the issue is not related to init_on_free?
>>>
>>> The fp=0x7ee4f480ce0ecd7c here is beyond kernel memory space, is the issue from
>>> CONFIG_SLAB_FREELIST_HARDENED enabled?
>> My understanding of the bug is that slab_free_hook() indeed zeroes the
>> object and its metadata first, then calls do_slab_free() and directly
>> calls __slab_free(), head an tail parameters being set to the object.
>>
>> If `slub_debug=F` (SLAB_CONSISTENCY_CHECKS) is set, the following call
>> path can be executed :
>>
>> free_to_partial_list() ->
>>
>> free_debug_processing() ->
>>
>> free_consistency_checks() ->
>>
>> check_object() ->
>>
>> check_valid_pointer(get_freepointer())
> I understand the call path. I meant here the freepointer is not ZERO
> but an illegal
> value( fp=0x7ee4f480ce0ecd7c),


Yes this is the reason of this patch. The freepointer is an illegal 
value because the memory range where it sits has been overridden by 
zeroes, set_freepointer() is never called and thus the freepointer is 
never properly set.


  The illegal value is obtained after zeroes has been decoded by 
get_freepointer()->freelist_ptr_decode().


>   then check_valid_pointer return 1 with
> it's last line
> and then check_object() printed out the error message. I'm not sure if I
> misunderstood you.


check_valid_pointer() returns 0 since object < base, the object being 
the decoded fp (0x7ee4f480ce0ecd7c < 0xffff.* base addr), hence 
check_object() returns 0, not 1.

This is why the "Object at 0x%p not freed" slab_fix() is called in 
free_debug_processing().


>
> Thank,
> Xiongwei
>