Date: Mon, 20 Apr 2020 18:13:42 -0700
From: Andrew Morton
To: akpm@linux-foundation.org, cl@linux.com, elver@google.com, iamjoonsoo.kim@lge.com, keescook@chromium.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, penberg@kernel.org, rientjes@google.com, torvalds@linux-foundation.org
Subject: [patch 02/15] slub: avoid redzone when choosing freepointer location
Message-ID: <20200421011342.uT_Lmuhuv%akpm@linux-foundation.org>
In-Reply-To: <20200420181310.c18b3c0aa4dc5b3e5ec1be10@linux-foundation.org>
From: Kees Cook Subject: slub: avoid redzone when choosing freepointer location Marco Elver reported system crashes when booting with "slub_debug=Z". The freepointer location (s->offset) was not taking into account that the "inuse" size that includes the redzone area should not be used by the freelist pointer. Change the calculation to save the area of the object that an inline freepointer may be written into. Link: http://lkml.kernel.org/r/202004151054.BD695840@keescook Link: https://lore.kernel.org/linux-mm/20200415164726.GA234932@google.com Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object") Signed-off-by: Kees Cook Reported-by: Marco Elver Tested-by: Marco Elver Cc: Christoph Lameter Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Signed-off-by: Andrew Morton --- mm/slub.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/mm/slub.c~slub-avoid-redzone-when-choosing-freepointer-location +++ a/mm/slub.c @@ -3533,6 +3533,7 @@ static int calculate_sizes(struct kmem_c { slab_flags_t flags = s->flags; unsigned int size = s->object_size; + unsigned int freepointer_area; unsigned int order; /* @@ -3541,6 +3542,13 @@ static int calculate_sizes(struct kmem_c * the possible location of the free pointer. */ size = ALIGN(size, sizeof(void *)); + /* + * This is the area of the object where a freepointer can be + * safely written. If redzoning adds more to the inuse size, we + * can't use that portion for writing the freepointer, so + * s->offset must be limited within this for the general case. + */ + freepointer_area = size; #ifdef CONFIG_SLUB_DEBUG /* 
@@ -3582,13 +3590,13 @@ static int calculate_sizes(struct kmem_c */ s->offset = size; size += sizeof(void *); - } else if (size > sizeof(void *)) { + } else if (freepointer_area > sizeof(void *)) { /* * Store freelist pointer near middle of object to keep * it away from the edges of the object to avoid small * sized over/underflows from neighboring allocations. */ - s->offset = ALIGN(size / 2, sizeof(void *)); + s->offset = ALIGN(freepointer_area / 2, sizeof(void *)); } #ifdef CONFIG_SLUB_DEBUG _
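Review bot: in the first hunk, the correctness of `freepointer_area = size;` depends entirely on the assignment sitting before the `#ifdef CONFIG_SLUB_DEBUG` block that follows it, but the new comment only says "if redzoning adds more to the inuse size" without saying that this is where the snapshot is taken; add one sentence to that comment, e.g. `/* Taken before the debug redzone below grows size. */`, so that a later reordering of the debug block cannot silently move the snapshot after the redzone is added and reintroduce the crash described in the changelog.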
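Review bot: in the second hunk, `s->offset = ALIGN(freepointer_area / 2, sizeof(void *))` keeps the pointer inside the object only because the `else if (freepointer_area > sizeof(void *))` guard excludes the single-word case and `freepointer_area` is already pointer-aligned from the `ALIGN(size, sizeof(void *))` above; neither fact is stated next to the calculation, and the first branch (`s->offset = size; size += sizeof(void *);`) deliberately still uses `size` because there the pointer is appended after the redzone rather than inlined. Extend the existing "Store freelist pointer near middle of object" comment with a line saying that `freepointer_area` excludes the redzone and why the append branch is unaffected, so the two branches do not look inconsistent to the next reader.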
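The changelog's point is that the middle-of-object calculation was being fed a `size` that already included the debug redzone, so the inline freepointer could be written over the redzone bytes. As an added illustration (not part of this patch, not code from mm/slub.c), the following C model reproduces both calculations side by side: `place_freepointer()` and `freepointer_overlaps_redzone()` are names chosen here, the `fixed` flag selects the old (`size`-based) or new (`freepointer_area`-based) form, and the redzone width is a parameter; the runs below use one pointer-sized word for it, which is an assumption of the model rather than something the patch states.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Round x up to a multiple of a (a power of two); stands in for the kernel's ALIGN(). */
#define ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

struct layout {
    unsigned int offset;  /* s->offset: where the inline freelist pointer lives */
    unsigned int size;    /* per-object size after the right redzone is added */
};

/*
 * Toy model (not kernel code) of the middle-of-object freepointer placement.
 * object_size: the caller-visible object size.
 * redzone:     bytes the debug right redzone appends to the object; a
 *              constructed parameter, 0 when redzoning is off.
 * fixed:       false = divide `size` (redzone included, the form the patch
 *              replaces); true = divide `freepointer_area` (the patched form).
 */
struct layout place_freepointer(unsigned int object_size, unsigned int redzone, bool fixed)
{
    unsigned int size = (unsigned int)ALIGN_UP(object_size, sizeof(void *));
    unsigned int freepointer_area = size;  /* snapshot taken before the redzone grows size */
    struct layout l = { 0, 0 };

    size += redzone;                        /* redzone becomes part of the inuse size */

    unsigned int basis = fixed ? freepointer_area : size;
    if (basis > sizeof(void *))
        l.offset = (unsigned int)ALIGN_UP(basis / 2, sizeof(void *));
    l.size = size;
    return l;
}

/* True when the inline freepointer would extend past the usable object area into the redzone. */
bool freepointer_overlaps_redzone(unsigned int object_size, unsigned int redzone, bool fixed)
{
    struct layout l = place_freepointer(object_size, redzone, fixed);
    unsigned int usable = (unsigned int)ALIGN_UP(object_size, sizeof(void *));
    return l.offset + sizeof(void *) > usable;
}

int main(void)
{
    unsigned int p = (unsigned int)sizeof(void *);
    unsigned int sizes[] = { p, 2 * p, 3 * p, 4 * p };  /* constructed sample object sizes */

    printf("object  old_offset old_overlap  new_offset new_overlap\n");
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        struct layout o = place_freepointer(sizes[i], p, false);
        struct layout n = place_freepointer(sizes[i], p, true);
        printf("%6u  %10u %11s  %10u %11s\n", sizes[i],
               o.offset, freepointer_overlaps_redzone(sizes[i], p, false) ? "yes" : "no",
               n.offset, freepointer_overlaps_redzone(sizes[i], p, true) ? "yes" : "no");
    }
    return 0;
}
```

With a one-word redzone, the one- and two-word object sizes are the ones where the old calculation lands the pointer on the redzone (for a two-word object the midpoint of three words rounds up to the second word, which is the last usable one, so the pointer runs one word past it); the patched form computes from the area that excludes the redzone and stays inside the object for every size, which is the check a reviewer would want to see hold before trusting the new `freepointer_area` bound.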