From: Qian Cai
To: akpm@linux-foundation.org
Cc: cl@linux.com, rientjes@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qian Cai
Subject: [PATCH] mm/slub: fix stack overruns with SLUB_STATS
Date: Wed, 29 Apr 2020 18:23:56 -0400
Message-Id: <20200429222356.4322-1-cai@lca.pw>

There is no need to copy SLUB_STATS items from root memcg cache to new
memcg cache copies. Doing so could result in stack overruns because the
store function only accepts 0 to clear the stat and returns an error for
everything else while the show method would print out the whole stat.
Then, the mismatch of the lengths returned from the show and store
methods happens in memcg_propagate_slab_attrs(),

	else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf))
		buf = mbuf;

max_attr_size is only 2 from slab_attr_store(), then, it uses mbuf[64]
in show_stat() later where a bunch of sprintf() would overrun the stack
variable.

Fix it by always allocating a page of buffer to be used in show_stat()
if SLUB_STATS=y which should only be used for debugging purposes.
# echo 1 > /sys/kernel/slab/fs_cache/shrink
BUG: KASAN: stack-out-of-bounds in number+0x421/0x6e0
Write of size 1 at addr ffffc900256cfde0 by task kworker/76:0/53251
Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
Call Trace:
 dump_stack+0xa7/0xea
 print_address_description.constprop.5.cold.7+0x64/0x384
 __kasan_report.cold.8+0x76/0xda
 kasan_report+0x41/0x60
 __asan_store1+0x6d/0x70
 number+0x421/0x6e0
 vsnprintf+0x451/0x8e0
 sprintf+0x9e/0xd0
 show_stat+0x124/0x1d0
 alloc_slowpath_show+0x13/0x20
 __kmem_cache_create+0x47a/0x6b0

addr ffffc900256cfde0 is located in stack of task kworker/76:0/53251 at offset 0 in frame:
 process_one_work+0x0/0xb90

this frame has 1 object:
 [32, 72) 'lockdep_map'

Memory state around the buggy address:
 ffffc900256cfc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900256cfd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900256cfd80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                       ^
 ffffc900256cfe00: 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00
 ffffc900256cfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __kmem_cache_create+0x6ac/0x6b0
Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
Call Trace:
 dump_stack+0xa7/0xea
 panic+0x23e/0x452
 __stack_chk_fail+0x22/0x30
 __kmem_cache_create+0x6ac/0x6b0

Fixes: 107dab5c92d5 ("slub: slub-specific propagation changes")
Signed-off-by: Qian Cai
---
 mm/slub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
index 9bf44955c4f1..57731f29dde3 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5639,7 +5639,8 @@ static void memcg_propagate_slab_attrs(struct kmem_= cache *s) */ if (buffer) buf =3D buffer; - else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf)) + else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf) && + !IS_ENABLED(CONFIG_SLUB_STATS)) buf =3D mbuf; else { buffer =3D (char *) get_zeroed_page(GFP_KERNEL); --=20 2.21.0 (Apple Git-122.2)
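Review bot: the hunk still propagates the stat attributes and only changes which buffer they are formatted into, although the commit message opens by saying there is no need to copy SLUB_STATS items at all; skipping those attributes in the propagation loop would remove the overrun without routing every attribute through a get_zeroed_page() buffer whenever CONFIG_SLUB_STATS is enabled. If the buffer route is kept, the underlying mismatch the message describes is untouched: max_attr_size is still derived from the store length (2), so the "root_cache->max_attr_size < ARRAY_SIZE(mbuf)" check cannot protect any other attribute whose show output is longer than what its store accepts; recording the show length in max_attr_size would make that comparison meaningful again.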
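The commit message describes show_stat() chaining sprintf() calls into a 64-byte stack buffer whose size was taken from the store side. As an added userspace model of that show method (not code from the patch or from mm/slub.c; the "<sum> C<cpu>=<count>" output format and the 32-CPU sample are assumptions), the following shows how long such output gets and how a bounded writer reports the required length instead of writing past the buffer:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Append to buf without writing past buf[buflen - 1]. 'len' is the length the
 * unbounded output has so far; like snprintf(), the return value keeps growing
 * past buflen, so the caller can detect truncation instead of overrunning. */
static size_t bounded_append(char *buf, size_t buflen, size_t len,
                             const char *fmt, ...)
{
    size_t room = len < buflen ? buflen - len : 0;
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(room ? buf + len : NULL, room, fmt, ap);
    va_end(ap);
    return len + (size_t)(n < 0 ? 0 : n);
}

/* Userspace model of a per-CPU stat show method; the "<sum> C<cpu>=<count>
 * ...\n" format is an assumption. Returns the length the full output needs;
 * a result >= buflen means the buffer was too small and the text was
 * truncated rather than written past the end of the buffer. */
size_t stat_show(char *buf, size_t buflen, const unsigned *per_cpu, int ncpu)
{
    unsigned long sum = 0;
    size_t len = 0;
    for (int c = 0; c < ncpu; c++)
        sum += per_cpu[c];
    len = bounded_append(buf, buflen, len, "%lu", sum);
    for (int c = 0; c < ncpu; c++)
        if (per_cpu[c])
            len = bounded_append(buf, buflen, len, " C%d=%u", c, per_cpu[c]);
    return bounded_append(buf, buflen, len, "\n");
}

#define NCPU 32 /* constructed sample: 32 CPUs, every counter nonzero */
/* Formats the sample into 'buflen' (<= 4096) bytes: 64 models mbuf[64], 4096
 * the page the patch falls back to. Returns the length the output needs and
 * stores how many characters actually landed in the buffer. */
size_t demo_show(size_t buflen, size_t *written)
{
    unsigned counts[NCPU];
    char buf[4096];
    for (int c = 0; c < NCPU; c++)
        counts[c] = 100000u + (unsigned)c;
    size_t need = stat_show(buf, buflen, counts, NCPU);
    *written = strlen(buf);
    return need;
}
```

With the sample, the output needs 350 bytes, so a 64-byte buffer receives only 63 characters plus the terminator while the caller learns the true requirement; the unbounded sprintf() chain would have written all 350 bytes onto the stack.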