Message-ID: <9dd5c65d-036a-4920-bd7a-90e302cf21a8@suse.cz>
Date: Thu, 30 May 2024 13:37:22 +0200
Subject: Re: [PATCH] codetag: avoid race at alloc_slab_obj_exts
To: Thadeu Lima de Souza Cascardo, linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, kernel-dev@igalia.com, Suren Baghdasaryan, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Kees Cook, "Gustavo A. R. Silva"
References: <20240527183007.1595037-1-cascardo@igalia.com>
From: Vlastimil Babka
In-Reply-To: <20240527183007.1595037-1-cascardo@igalia.com>

On 5/27/24 8:30 PM, Thadeu Lima de Souza Cascardo wrote:
> When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may
> be noticed:
>
> [ 48.299584] ------------[ cut here ]------------
> [ 48.300092] alloc_tag was not set
> [ 48.300528] WARNING: CPU: 2 PID: 1361 at include/linux/alloc_tag.h:130 alloc_tagging_slab_free_hook+0x84/0xc7
> [ 48.301305] Modules linked in:
> [ 48.301553] CPU: 2 PID: 1361 Comm: systemd-udevd Not tainted 6.10.0-rc1-00003-gac8755535862 #176
> [ 48.302196] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 48.302752] RIP: 0010:alloc_tagging_slab_free_hook+0x84/0xc7
> [ 48.303169] Code: 8d 1c c4 48 85 db 74 4d 48 83 3b 00 75 1e 80 3d 65 02 86 04 00 75 15 48 c7 c7 11 48 1d 85 c6 05 55 02 86 04 01 e8 64 44 a5 ff <0f> 0b 48 8b 03 48 85 c0 74 21 48 83 f8 01 74 14 48 8b 50 20 48 f7
> [ 48.304411] RSP: 0018:ffff8880111b7d40 EFLAGS: 00010282
> [ 48.304916] RAX: 0000000000000000 RBX: ffff88800fcc9008 RCX: 0000000000000000
> [ 48.305455] RDX: 0000000080000000 RSI: ffff888014060000 RDI: ffffed1002236f97
> [ 48.305979] RBP: 0000000000001100 R08: fffffbfff0aa73a1 R09: 0000000000000000
> [ 48.306473] R10: ffffffff814515e5 R11: 0000000000000003 R12: ffff88800fcc9000
> [ 48.306943] R13: ffff88800b2e5cc0 R14: ffff8880111b7d90 R15: 0000000000000000
> [ 48.307529] FS: 00007faf5d1908c0(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
> [ 48.308223] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 48.308710] CR2: 000058fb220c9118 CR3: 00000000110cc000 CR4: 0000000000750ef0
> [ 48.309274] PKRU: 55555554
> [ 48.309804] Call Trace:
> [ 48.310029]
> [ 48.310290] ? show_regs+0x84/0x8d
> [ 48.310722] ? alloc_tagging_slab_free_hook+0x84/0xc7
> [ 48.311298] ? __warn+0x13b/0x2ff
> [ 48.311580] ? alloc_tagging_slab_free_hook+0x84/0xc7
> [ 48.311987] ? report_bug+0x2ce/0x3ab
> [ 48.312292] ? handle_bug+0x8c/0x107
> [ 48.312563] ? exc_invalid_op+0x34/0x6f
> [ 48.312842] ? asm_exc_invalid_op+0x1a/0x20
> [ 48.313173] ? this_cpu_in_panic+0x1c/0x72
> [ 48.313503] ? alloc_tagging_slab_free_hook+0x84/0xc7
> [ 48.313880] ? putname+0x143/0x14e
> [ 48.314152] kmem_cache_free+0xe9/0x214
> [ 48.314454] putname+0x143/0x14e
> [ 48.314712] do_unlinkat+0x413/0x45e
> [ 48.315001] ? __pfx_do_unlinkat+0x10/0x10
> [ 48.315388] ? __check_object_size+0x4d7/0x525
> [ 48.315744] ? __sanitizer_cov_trace_pc+0x20/0x4a
> [ 48.316167] ? __sanitizer_cov_trace_pc+0x20/0x4a
> [ 48.316757] ? getname_flags+0x4ed/0x500
> [ 48.317261] __x64_sys_unlink+0x42/0x4a
> [ 48.317741] do_syscall_64+0xe2/0x149
> [ 48.318171] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 48.318602] RIP: 0033:0x7faf5d8850ab
> [ 48.318891] Code: fd ff ff e8 27 dd 01 00 0f 1f 80 00 00 00 00 f3 0f 1e fa b8 5f 00 00 00 0f 05 c3 0f 1f 40 00 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 41 2d 0e 00 f7 d8
> [ 48.320649] RSP: 002b:00007ffc44982b38 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
> [ 48.321182] RAX: ffffffffffffffda RBX: 00005ba344a44680 RCX: 00007faf5d8850ab
> [ 48.321667] RDX: 0000000000000000 RSI: 00005ba344a44430 RDI: 00007ffc44982b40
> [ 48.322139] RBP: 00007ffc44982c00 R08: 0000000000000000 R09: 0000000000000007
> [ 48.322598] R10: 00005ba344a44430 R11: 0000000000000246 R12: 0000000000000000
> [ 48.323071] R13: 00007ffc44982b40 R14: 0000000000000000 R15: 0000000000000000
> [ 48.323596]
>
> This is due to a race when two objects are allocated from the same slab,
> which did not have an obj_exts allocated for them.
>
> In such a case, the two threads will notice the NULL obj_exts and after one
> assigns slab->obj_exts, the second one will happily do the exchange if it
> reads this new assigned value.
>
> In order to avoid that, verify that the read obj_exts does not point to an
> allocated obj_exts before doing the exchange.
>
> Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations")
> Signed-off-by: Thadeu Lima de Souza Cascardo
> Cc: Suren Baghdasaryan

Acked-by: Vlastimil Babka

Thanks!

> ---
> mm/slub.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 0809760cf789..1373ac365a46 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1952,7 +1952,7 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, > #ifdef CONFIG_MEMCG > new_exts |= MEMCG_DATA_OBJEXTS; > #endif > - old_exts = slab->obj_exts; > + old_exts = READ_ONCE(slab->obj_exts); > handle_failed_objexts_alloc(old_exts, vec, objects); > if (new_slab) { > /* > @@ -1961,7 +1961,8 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, > * be simply assigned. > */ > slab->obj_exts = new_exts; > - } else if (cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) { > + } else if ((old_exts & ~OBJEXTS_FLAGS_MASK) || > + cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) { > /* > * If the slab is already in use, somebody can allocate and > * assign slabobj_exts in parallel. In this case the existing
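Review bot: the commit message does not say why the plain read of slab->obj_exts becomes READ_ONCE() in the first hunk; it only explains the pointer check. A sentence noting that the field is updated concurrently by cmpxchg() in the non-new_slab path, so the compiler must not tear or re-load the read that feeds both handle_failed_objexts_alloc() and the later comparison, would make that hunk self-explanatory.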
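Review bot: in the second hunk, the comment under the new else-if branch still only describes the case where cmpxchg() fails, but the branch is now also taken when old_exts already holds a vector pointer and cmpxchg() is never attempted. Suggest extending the comment to spell out both halves: the pointer check catches a vector installed before the READ_ONCE(), and cmpxchg() still catches one installed between that read and the exchange, since old_exts then no longer matches; that makes clear why neither check alone is sufficient.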
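Added example, not code from the patch or from mm/slub.c: a user-space model of the !new_slab exchange in alloc_slab_obj_exts() that replays the interleaving the commit message describes, once with the pre-patch logic and once with the patch's pointer check, and also shows that a flag-only old value (OBJEXTS_ALLOC_FAIL) still lets the exchange proceed. The flag value and mask width, the fake vector addresses and the names cmpxchg_ul, install_exts and race_replay are assumptions; GCC __atomic builtins stand in for READ_ONCE() and cmpxchg().

```c
#include <stdio.h>

/* slab->obj_exts word: vector pointer in the high bits, flags in the low bits
 * (flag value and mask width are constructed for this example). */
#define OBJEXTS_ALLOC_FAIL  0x1UL
#define OBJEXTS_FLAGS_MASK  0x3UL
struct slab { unsigned long obj_exts; };

/* Stand-in for the kernel's cmpxchg(): returns the value that was found at *p. */
static unsigned long cmpxchg_ul(unsigned long *p, unsigned long old, unsigned long new_val)
{
	__atomic_compare_exchange_n(p, &old, new_val, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
	return old;
}

/* The !new_slab path of alloc_slab_obj_exts(): install freshly allocated vector `vec`.
 * Returns 1 if installed, 0 if it must be freed; `fixed` enables the patch's pointer check. */
static int install_exts(struct slab *slab, unsigned long vec, int fixed)
{
	unsigned long old_exts = __atomic_load_n(&slab->obj_exts, __ATOMIC_SEQ_CST); /* READ_ONCE() */
	if (fixed && (old_exts & ~OBJEXTS_FLAGS_MASK))
		return 0;	/* a vector was installed before our read: keep it, drop ours */
	if (cmpxchg_ul(&slab->obj_exts, old_exts, vec) != old_exts)
		return 0;	/* a vector was installed between our read and the exchange */
	return 1;
}

/* Replays the commit message's interleaving: A and B both saw no vector and allocated one;
 * A installs first, then B reads A's value as old_exts. Returns how many vectors got
 * installed: 2 means A's was silently replaced and leaked, the pre-patch behaviour. */
static int race_replay(int fixed, unsigned long initial, unsigned long *final_exts)
{
	struct slab slab = { .obj_exts = initial };
	unsigned long vec_a = 0x1000, vec_b = 0x2000;	/* constructed fake vector addresses */
	int installed = install_exts(&slab, vec_a, fixed);
	installed += install_exts(&slab, vec_b, fixed);
	*final_exts = slab.obj_exts;
	return installed;
}

int main(void)
{
	unsigned long e;
	int n = race_replay(0, 0, &e);
	printf("pre-patch: installed=%d obj_exts=%#lx\n", n, e);
	n = race_replay(1, 0, &e);
	printf("patched:   installed=%d obj_exts=%#lx\n", n, e);
	n = race_replay(1, OBJEXTS_ALLOC_FAIL, &e);	/* flag-only old value must not block */
	printf("patched, ALLOC_FAIL slab: installed=%d obj_exts=%#lx\n", n, e);
	return 0;
}
```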