In-Reply-To: <20240819064115.385086-1-peng.fan@oss.nxp.com>
From: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Date: Mon, 19 Aug 2024 18:22:26 +0900
Subject: Re: [RFC] mm, slub: avoid zeroing kmalloc redzone
To: "Peng Fan (OSS)"
Cc: nicolas.bouchinet@clip-os.org, chengming.zhou@linux.dev, vbabka@suse.cz, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Roman Gushchin, Marco Elver, Andrey Konovalov, "open list:SLAB ALLOCATOR", open list, Peng Fan

On Mon, Aug 19, 2024 at 3:32 PM Peng Fan (OSS) wrote:
> From: Peng Fan
>
> With "slub_debug=FUZ init_on_free=1 loglevel=7" set in bootargs and
> CONFIG_SLAB_FREELIST_HARDENED is set. There is kernel dump:
> [    0.000000] =============================================================================
> [    0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
> [    0.000000] -----------------------------------------------------------------------------
> [    0.000000]
> [    0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
> [    0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
> [    0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)
> [    0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
> [    0.000000]
> [    0.000000] Redzone  ffff000010032850: cc cc cc cc cc cc cc cc                          ........
> [    0.000000] Object   ffff000010032858: cc cc cc cc cc cc cc cc                          ........
> [    0.000000] Redzone  ffff000010032860: cc cc cc cc cc cc cc cc                          ........
> [    0.000000] Padding  ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00              ............
> [    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144
> [    0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
> [    0.000000] Call trace:
> [    0.000000]  dump_backtrace+0x90/0xe8
> [    0.000000]  show_stack+0x18/0x24
> [    0.000000]  dump_stack_lvl+0x74/0x8c
> [    0.000000]  dump_stack+0x18/0x24
> [    0.000000]  print_trailer+0x150/0x218
> [    0.000000]  check_object+0xe4/0x454
> [    0.000000]  free_to_partial_list+0x2f8/0x5ec
>
> It is because the kmalloc redzone area is cleared or orig_size is
> cleared.
Setting orig_size treats the wasted space (object_size - orig_size) as
redzones (in check_object()).
When orig_size is set to zero, the entire object is perceived as a redzone.
Could you elaborate the explanation in the description?

> When s->object_size is larger than orig_size, just clear the
> orig_size area. And restore the value of orig_size.
>
> Fixes: d57a964e09c2 ("kasan, mm: integrate slab init_on_free with HW_TAGS")

I think the proper 'Fixes' commit should be 946fa0dbf2d8 ("mm/slub: extend
redzone check to extra allocated kmalloc space than requested") because it
is the commit that extends the redzone check, but did not address the
init_on_free=1 case.

> Signed-off-by: Peng Fan
> ---
>  mm/slub.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 94f5a4143825..d03957d15bbf 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -2282,14 +2282,22 @@ bool slab_free_hook(struct kmem_cache *s, void *x, bool init,
>  		 */
>  		if (unlikely(init)) {
>  			int rsize;
> -			unsigned int inuse;
> +			unsigned int inuse, orig_size;
>
>  			inuse = get_info_end(s);
> +			orig_size = get_orig_size(s, x);
>  			if (!kasan_has_integrated_init())
> -				memset(kasan_reset_tag(x), 0, s->object_size);
> +				memset(kasan_reset_tag(x), 0,
> +				       s->object_size > orig_size ? orig_size : s->object_size);

The size can simply be orig_size, as orig_size returns object_size when it is
not enabled and orig_size can never be bigger than object_size.

>  			rsize = (s->flags & SLAB_RED_ZONE) ? s->red_left_pad : 0;
>  			memset((char *)kasan_reset_tag(x) + inuse, 0,
>  			       s->size - inuse - rsize);
> +			/*
> +			 * Restore orig_size, otherwize kmalloc redzone overwritten
> +			 * would be reported
> +			 */
> +			set_orig_size(s, x, orig_size);
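Review bot: The comment above `set_orig_size(s, x, orig_size);` has a typo ("otherwize") and states the symptom rather than the cause; it is the preceding `memset((char *)kasan_reset_tag(x) + inuse, 0, s->size - inuse - rsize);` over the metadata region that zeroes the stored orig_size, so the comment should say that the metadata memset wiped orig_size and it is restored so that check_object() again treats only [orig_size, object_size) as redzone. The commit message should also spell out why leaving (object_size - orig_size) un-zeroed is safe for init_on_free: as the reply notes, that space is redzone rather than caller data, so everything the caller could have written is still scrubbed.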
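The interaction discussed in this thread, as an added C model written for this page (not code from mm/slub.c or from the patch): orig_size splits the object into caller bytes and redzone, and the init_on_free memset of the metadata region wipes the stored orig_size, so both halves of the patch (zeroing only orig_size bytes, and restoring orig_size afterwards) are needed before a simplified check_object() stays quiet. `struct toy_cache`, `redzone_intact` and `free_hook_keeps_redzone` are hypothetical stand-ins for `struct kmem_cache`, `check_object()` and `slab_free_hook()`; the slot layout and sizes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLUB_RED_ACTIVE 0xcc   /* the redzone byte value shown in the dump */
#define SLOT_SIZE 64           /* constructed slot size, not the real kmalloc-8 layout */

/* Hypothetical, simplified stand-in for struct kmem_cache. */
struct toy_cache {
    size_t object_size;   /* s->object_size: capacity of the bucket (8 for kmalloc-8) */
    size_t inuse;         /* get_info_end(s): where the debug metadata begins */
    size_t size;          /* s->size: the whole slot, object plus metadata */
};

/* The requested size is kept in the metadata region after `inuse`. */
static unsigned get_orig_size(const struct toy_cache *s, const uint8_t *x) {
    unsigned v;
    memcpy(&v, x + s->inuse, sizeof v);
    return v;
}
static void set_orig_size(const struct toy_cache *s, uint8_t *x, unsigned v) {
    memcpy(x + s->inuse, &v, sizeof v);
}

/* Models check_object(): [orig_size, object_size) must still hold the redzone. */
static bool redzone_intact(const struct toy_cache *s, const uint8_t *x) {
    for (size_t i = get_orig_size(s, x); i < s->object_size; i++)
        if (x[i] != SLUB_RED_ACTIVE)
            return false;
    return true;
}

/* init_on_free path for an object that was kmalloc'ed with `orig` bytes.
 * zero_orig_only: memset orig_size bytes instead of object_size (first half of the patch).
 * restore: write orig_size back after the metadata memset (second half of the patch). */
static bool free_hook_keeps_redzone(unsigned orig, bool zero_orig_only, bool restore) {
    struct toy_cache s = { .object_size = 8, .inuse = 16, .size = SLOT_SIZE };
    uint8_t x[SLOT_SIZE];
    memset(x, SLUB_RED_ACTIVE, SLOT_SIZE);           /* slot starts fully redzoned */
    memset(x, 0x41, orig);                           /* the caller used only `orig` bytes */
    set_orig_size(&s, x, orig);

    unsigned saved = get_orig_size(&s, x);
    memset(x, 0, zero_orig_only ? saved : s.object_size);
    memset(x + s.inuse, 0, s.size - s.inuse);        /* wipes the stored orig_size as well */
    if (restore)
        set_orig_size(&s, x, saved);
    return redzone_intact(&s, x);
}
```

With neither change the check fails at the first byte of the object, matching the "First byte 0x0 instead of 0xcc" line in the dump; with only one of the two changes it still fails.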