From: lijiazi
To: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton
Cc: lijiazi, linux-mm@kvack.org
Subject: [PATCH v2] slub: call BUG if next_object is not valid
Date: Tue, 7 Jan 2020 19:51:58 +0800
Message-Id: <1578397918-22017-1-git-send-email-lijiazi@xiaomi.com>
X-Mailer: git-send-email 2.7.4

If current object's memory is corrupted, there is a high probability that
next_object stored in it will be rewritten as an illegal value. It's better
to check next_object this time than to encounter an illegal pointer in next
slub alloc like the following:

[80138.529667] Unable to handle kernel paging request at virtual address 0069145a08d9a20d
[80138.529674] Mem abort info:
[80138.529677]   ESR = 0x96000004
[80138.529683]   Exception class = DABT (current EL), IL = 32 bits
[80138.529688]   SET = 0, FnV = 0
[80138.529692]   EA = 0, S1PTW = 0
[80138.529695] Data abort info:
[80138.529699]   ISV = 0, ISS = 0x00000004
[80138.529703]   CM = 0, WnR = 0
[80138.529708] [0069145a08d9a20d] address between user and kernel address ranges
[80138.529716] Internal error: Oops: 96000004 1 PREEMPT SMP
[80138.529722] Modules linked in: wlan(O) rmnet_perf(O) rmnet_shs(O)
[80138.529812] CPU: 1 PID: 1074 Comm: cnss_diag Tainted: G S W O 4.19.72-perf-gdee6978 #1
[80138.529824] pstate: 60400005 (nZCv daif +PAN -UAO)
[80138.529840] pc : __kmalloc_track_caller+0x1d0/0x318
[80138.529845] lr : __kmalloc_track_caller+0x60/0x318
[80138.529849] sp : ffffff8011f6b980
[80138.529852] x29: ffffff8011f6b9e0 x28: ffffffa187f15248
[80138.529858] x27: ffffffede4856580 x26: ffffff8011f6bab8
[80138.529864] x25: ffffffa18a238000 x24: ffffffec8681f980
[80138.529870] x23: 2369145a08d9a20d x22: ffffffec8681f980
[80138.529877] x21: ffffffa188e8c964 x20: 00000000000001c0
[80138.529884] x19: 00000000007102c0 x18: 0000000000000000
[80138.529890] x17: 0000000000000000 x16: 0000000000000000
[80138.529897] x15: 0000007fffffffff x14: 0000000002a46f01
[80138.529903] x13: 0000000000000000 x12: ffffffee38964760
[80138.529909] x11: dc96ebb941026589 x10: 2369145a08d9a20d
[80138.529916] x9 : 0000000002a46ef9 x8 : ffffffede4856580
[80138.529922] x7 : 0000000000000000 x6 : 0000000000000004
[80138.529929] x5 : 0000000000000003 x4 : 00000000007000c0
[80138.529935] x3 : ffffff8011f6bba4 x2 : ffffffa188e8c964
[80138.529942] x1 : 00000000007102c0 x0 : 0000000000000000
[80138.530481] Call trace:
[80138.530488]  __kmalloc_track_caller+0x1d0/0x318
[80138.530498]  __alloc_skb+0x94/0x198
[80138.530504]  alloc_skb_with_frags+0x5c/0x198
[80138.530511]  sock_alloc_send_pskb+0x1d0/0x2c8
[80138.530520]  unix_dgram_sendmsg+0x234/0xa80
[80138.530525]  sock_write_iter+0xb8/0x110
[80138.530532]  do_iter_readv_writev+0x118/0x158
[80138.530540]  do_iter_write+0x7c/0x190
[80138.530544]  vfs_writev+0x84/0xe8
[80138.530549]  do_writev+0x78/0x118
[80138.530554]  __arm64_sys_writev+0x1c/0x28
[80138.530564]  el0_svc_common+0xa0/0x158
[80138.530569]  el0_svc_handler+0x6c/0x88
[80138.530578]  el0_svc+0x8/0xc

Signed-off-by: lijiazi
---
Changes in v2:
- bug only if CONFIG_DEBUG_VM is enabled.
- only check when next_object is not NULL.

Reported-by: kernel test robot
---
 mm/slub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/slub.c b/mm/slub.c
index a0b335d..cfdfd49 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2744,6 +2744,7 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
 	} else {
 		void *next_object = get_freepointer_safe(s, object);
 
+		VM_BUG_ON(next_object && !virt_addr_valid(next_object));
 		/*
 		 * The cmpxchg will only match if there was no additional
 		 * operation and if we are on the right processor.
-- 
2.7.4
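Review bot: the added VM_BUG_ON(next_object && !virt_addr_valid(next_object)) only establishes that next_object points somewhere in the kernel's linear map, so a freelist pointer overwritten with any other linear-map address (a pointer into a different slab, or into an unrelated page) still passes and is handed out on the next allocation; it catches a wild value like the 0069145a08d9a20d in the oops above, but not a plausible-looking corruption. A tighter check at this point would confirm that next_object falls inside the same slab as object, which is what the existing check_valid_pointer(s, page, object) helper in mm/slub.c does for the debug paths (the fastpath has no page variable in scope here, so it would need virt_to_head_page(object)). The changelog should also state that, being VM_BUG_ON, the check is compiled out entirely without CONFIG_DEBUG_VM, so it is a debugging aid rather than a freelist-hardening measure for production kernels.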