From: Matteo Rizzo
To: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev, 42.hyeyoo@gmail.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, corbet@lwn.net, luto@kernel.org, peterz@infradead.org
Cc: jannh@google.com, matteorizzo@google.com, evn@google.com, poprdi@google.com, jordyzomer@google.com
Subject: [RFC PATCH 01/14] mm/slub: don't try to dereference invalid freepointers
Date: Fri, 15 Sep 2023 10:59:20 +0000
Message-ID: <20230915105933.495735-2-matteorizzo@google.com>
In-Reply-To: <20230915105933.495735-1-matteorizzo@google.com>
References: <20230915105933.495735-1-matteorizzo@google.com>

slab_free_freelist_hook tries to read a freelist pointer from the current object even when freeing a single object. This is invalid because single objects don't actually contain a freelist pointer when they're freed and the memory contains other data. This causes problems for checking the integrity of the freelist in get_freepointer.

Signed-off-by: Matteo Rizzo
---
 mm/slub.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
index f7940048138c..a7dae207c2d2 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1820,7 +1820,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
 do { object = next; - next = get_freepointer(s, object); + /* Single objects don't actually contain a freepointer */ + if (object != old_tail) + next = get_freepointer(s, object); /* If object's reuse doesn't have to be delayed */ if (!slab_free_hook(s, object, slab_want_init_on_free(s))) {
-- 
2.42.0.459.ge4e396fd5e-goog
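Review bot: the guard `if (object != old_tail)` leaves `next` holding its previous value (the address of `object` itself) on the final pass, so the change is only correct because the do/while terminates once `object == old_tail` and never consumes that stale `next`; that exit condition lies outside the hunk, and the new comment should name the dependency rather than only the single-object case, e.g. `/* The freepointer of old_tail is never used: the loop ends here, and for a single-object free the object still holds user data at that offset */`. The condition also skips the read for the tail of a bulk free, not just for single objects, so the comment "Single objects don't actually contain a freepointer" understates what it does; saying so avoids a later reader narrowing the check to the single-object path.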
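The failure the commit message describes, as an added toy model that is not the kernel's code and not part of this patch: a slab of fixed-size objects keeps the freelist pointer inside each free object at a cache-specific offset. On a single-object free the object is still full of whatever the user wrote, so reading that offset yields garbage; on a bulk free the objects have already been chained and only the tail's pointer is NULL. The names `toy_slab`, `toy_cache`, `free_list_walk` and `freepointer_valid`, the offset `FP_OFFSET`, and the "NULL or an object start inside the slab" integrity rule are assumptions for illustration, not what SLUB or this series implements. `read_tail_fp == true` models the pre-patch walk, `false` the patched one.

```c
/*
 * Toy model of an in-object freelist, added to illustrate the bug fixed
 * above. Not kernel code: every name and the integrity rule are assumed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OBJ_SIZE  64
#define NR_OBJS   8
#define FP_OFFSET 32   /* assumed: free pointer lives mid-object, like s->offset */

/* One slab: a contiguous run of equally sized objects. */
struct toy_slab {
    uint8_t mem[NR_OBJS * OBJ_SIZE];
};

struct toy_cache {
    struct toy_slab *slab;
    size_t offset;          /* where a free object's next pointer is stored */
};

static void *get_freepointer(const struct toy_cache *s, void *object)
{
    void *p;
    memcpy(&p, (uint8_t *)object + s->offset, sizeof(p));
    return p;
}

static void set_freepointer(const struct toy_cache *s, void *object, void *fp)
{
    memcpy((uint8_t *)object + s->offset, &fp, sizeof(fp));
}

/* Assumed integrity rule: a free pointer is NULL or an object start in this slab. */
static bool freepointer_valid(const struct toy_cache *s, void *fp)
{
    uintptr_t base = (uintptr_t)s->slab->mem;
    uintptr_t end  = base + sizeof(s->slab->mem);
    uintptr_t p    = (uintptr_t)fp;

    if (!fp)
        return true;
    return p >= base && p < end && (p - base) % OBJ_SIZE == 0;
}

/*
 * Walk the detached list head..tail the way slab_free_freelist_hook does.
 * Returns the number of objects visited, or -1 when a free pointer read
 * fails the integrity check. With read_tail_fp the tail's pointer is read
 * too (pre-patch behaviour); without it the read is skipped (patched).
 */
static int free_list_walk(const struct toy_cache *s, void *head, void *tail,
                          bool read_tail_fp)
{
    void *object, *next = head;
    int visited = 0;

    do {
        object = next;
        if (read_tail_fp || object != tail) {
            next = get_freepointer(s, object);
            if (!freepointer_valid(s, next))
                return -1;
        }
        visited++;
    } while (object != tail);
    return visited;
}

static struct toy_slab slab;
static struct toy_cache cache = { &slab, FP_OFFSET };

static void *obj(int i) { return slab.mem + i * OBJ_SIZE; }

/* Single-object free: the object still holds constructed user data (0x41 bytes),
 * so the word at FP_OFFSET is 0x4141...41, not a pointer into the slab. */
int single_free(bool read_tail_fp)
{
    memset(slab.mem, 0x41, sizeof(slab.mem));
    return free_list_walk(&cache, obj(3), obj(3), read_tail_fp);
}

/* Bulk free of three objects already chained through their free pointers,
 * tail first, with the tail's pointer NULL; both walks accept it. */
int bulk_free(bool read_tail_fp)
{
    memset(slab.mem, 0x41, sizeof(slab.mem));
    set_freepointer(&cache, obj(5), NULL);      /* tail */
    set_freepointer(&cache, obj(2), obj(5));
    set_freepointer(&cache, obj(7), obj(2));    /* head */
    return free_list_walk(&cache, obj(7), obj(5), read_tail_fp);
}
```

The single-object walk fails the check only when the tail's pointer is read, which is the false positive the patch avoids; the bulk walk gives the same count either way because the tail's pointer is never needed to reach the loop exit.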