From: Xiongwei Song
Date: Fri, 26 Apr 2024 21:14:57 +0800
Subject: Re: [PATCH] slub: Fixes freepointer encoding for single free
To: Nicolas Bouchinet
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev, 42.hyeyoo@gmail.com
In-Reply-To: <47011bf2-4000-4fd8-9dd3-4c6b6a1c4a80@clip-os.org>

On Fri, Apr 26, 2024 at
8:18 PM Nicolas Bouchinet wrote:
>
> On 4/26/24 11:20, Xiongwei Song wrote:
> > On Wed, Apr 24, 2024 at 8:48 PM Nicolas Bouchinet wrote:
> >> From: Nicolas Bouchinet
> >>
> >> Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing
> >> separately") splits single and bulk object freeing in two functions,
> >> slab_free() and slab_free_bulk(), which leads slab_free() to call
> >> slab_free_hook() directly instead of slab_free_freelist_hook().
> >>
> >> If `init_on_free` is set, slab_free_hook() zeroes the object.
> >> Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are
> >> set, the do_slab_free() slowpath executes freelist consistency
> >> checks and tries to decode a zeroed freepointer, which leads to a
> >> "Freepointer corrupt" detection in check_object().
> >>
> >> The object's freepointer thus needs to be properly set using
> >> set_freepointer() after init_on_free.
> >>
> >> To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the
> >> command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.
> >>
> >> dmesg sample log:
> >> [   10.708715] =============================================================================
> >> [   10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt
> >> [   10.712695] -----------------------------------------------------------------------------
> >> [   10.712695]
> >> [   10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)
> >> [   10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c
> >
> > If init_on_free is set, slab_free_hook() zeros the object first, then
> > do_slab_free() calls set_freepointer() to set the fp value, so there
> > are 8 bytes non-zero at the moment?
> > Hence, the issue is not related to init_on_free?
> >
> > The fp=0x7ee4f480ce0ecd7c here is beyond kernel memory space; is the
> > issue from CONFIG_SLAB_FREELIST_HARDENED being enabled?
>
> My understanding of the bug is that slab_free_hook() indeed zeroes the
> object and its metadata first, then calls do_slab_free() and directly
> calls __slab_free(), head and tail parameters being set to the object.
>
> If `slub_debug=F` (SLAB_CONSISTENCY_CHECKS) is set, the following call
> path can be executed:
>
> free_to_partial_list() ->
>   free_debug_processing() ->
>     free_consistency_checks() ->
>       check_object() ->
>         check_valid_pointer(get_freepointer())

I understand the call path. I meant that here the freepointer is not ZERO
but an illegal value (fp=0x7ee4f480ce0ecd7c), then check_valid_pointer()
returns 1 with its last line, and then check_object() printed out the
error message. I'm not sure if I misunderstood you.

Thanks,
Xiongwei
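The mechanism the two of them are circling (a zeroed freepointer slot that, once run through the hardened decode, turns into an out-of-slab value and trips check_valid_pointer()) can be shown in user space. The block below is an added example, not code from this thread and not kernel source: it is a toy slab whose freepointer encoding is modelled on CONFIG_SLAB_FREELIST_HARDENED (stored value = ptr ^ per-cache secret ^ byte-swapped slot address), with a fixed constructed secret, the freepointer slot placed after the 32-byte payload (one of SLUB's layouts; the thread does not say which layout the failing cache had), and a simplified check_valid_pointer() that only tests "NULL or slot-aligned inside this slab". The names toy_cache, toy_alloc, toy_free and the free_mode values are this example's own.

```c
/* Added example: user-space model of a hardened SLUB freelist pointer and of the
 * init_on_free + slub_debug=F free path discussed in the thread. Not kernel code;
 * the secret, layout and helper names are constructed for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE   32u                        /* payload bytes, kmalloc-32 sized */
#define FP_OFFSET  OBJ_SIZE                   /* freepointer slot kept after the payload */
#define SLOT_SIZE  (OBJ_SIZE + sizeof(uint64_t))
#define NR_OBJECTS 32u

struct toy_cache {
    uint64_t random;                          /* per-cache secret, like s->random */
    void *freelist;                           /* head of the free list */
    _Alignas(16) unsigned char slab[SLOT_SIZE * NR_OBJECTS];
};

/* Hardened encoding: ptr ^ random ^ swab(address of the slot holding it). */
static uint64_t fp_encode(const struct toy_cache *s, const void *ptr, const void *slot)
{
    return (uint64_t)(uintptr_t)ptr ^ s->random ^ __builtin_bswap64((uint64_t)(uintptr_t)slot);
}

static void *fp_decode(const struct toy_cache *s, uint64_t enc, const void *slot)
{
    return (void *)(uintptr_t)(enc ^ s->random ^ __builtin_bswap64((uint64_t)(uintptr_t)slot));
}

static uint64_t *fp_slot(void *object)
{
    return (uint64_t *)((unsigned char *)object + FP_OFFSET);
}

static void set_freepointer(struct toy_cache *s, void *object, void *fp)
{
    uint64_t *slot = fp_slot(object);
    *slot = fp_encode(s, fp, slot);
}

static void *get_freepointer(const struct toy_cache *s, void *object)
{
    uint64_t *slot = fp_slot(object);
    return fp_decode(s, *slot, slot);
}

/* Simplified check_valid_pointer(): NULL, or a slot-aligned address in this slab. */
static bool check_valid_pointer(const struct toy_cache *s, const void *p)
{
    uintptr_t base = (uintptr_t)s->slab, q = (uintptr_t)p;
    if (!p)
        return true;
    if (q < base || q >= base + sizeof s->slab)
        return false;
    return (q - base) % SLOT_SIZE == 0;
}

static void toy_cache_init(struct toy_cache *s, uint64_t random)
{
    memset(s, 0, sizeof *s);
    s->random = random;
    for (unsigned i = NR_OBJECTS; i-- > 0;) { /* thread every slot; the last points at NULL */
        void *obj = s->slab + (size_t)i * SLOT_SIZE;
        set_freepointer(s, obj, s->freelist);
        s->freelist = obj;
    }
}

static void *toy_alloc(struct toy_cache *s)
{
    void *obj = s->freelist;
    if (!obj)
        return NULL;
    s->freelist = get_freepointer(s, obj);
    memset(obj, 0xa5, OBJ_SIZE);              /* user data; the fp slot keeps its stale encoding */
    return obj;
}

enum free_mode {
    FREE_PLAIN,                /* no init_on_free: the stale encoding still decodes into the slab */
    FREE_INIT_ON_FREE,         /* payload and metadata zeroed, then the consistency checks run */
    FREE_INIT_ON_FREE_SET_FP,  /* same, but set_freepointer() runs after zeroing (the patch's remedy) */
};

/* Free path as the thread describes it: zero (maybe), then decode and validate the
 * stored freepointer as check_object() does, before linking the object back in.
 * Returns false where the kernel would report "Freepointer corrupt". */
static bool toy_free(struct toy_cache *s, void *object, enum free_mode mode, void **decoded)
{
    if (mode != FREE_PLAIN)
        memset(object, 0, SLOT_SIZE);         /* init_on_free: payload plus the fp slot */
    if (mode == FREE_INIT_ON_FREE_SET_FP)
        set_freepointer(s, object, s->freelist);

    void *fp = get_freepointer(s, object);    /* check_valid_pointer(get_freepointer()) */
    if (decoded)
        *decoded = fp;
    if (!check_valid_pointer(s, fp))
        return false;                         /* decode of a zeroed slot: random ^ swab(slot) */

    set_freepointer(s, object, s->freelist);
    s->freelist = object;
    return true;
}

int main(void)
{
    static struct toy_cache c;
    toy_cache_init(&c, 0x5a17c0ffee123456ULL); /* constructed secret, fixed for the demo */
    void *a = toy_alloc(&c), *b = toy_alloc(&c), *fp;

    printf("plain free:            %s\n", toy_free(&c, b, FREE_PLAIN, &fp) ? "ok" : "corrupt");
    printf("init_on_free, no set:  %s (decoded fp=%p)\n",
           toy_free(&c, a, FREE_INIT_ON_FREE, &fp) ? "ok" : "corrupt", fp);
    printf("init_on_free + set_fp: %s\n",
           toy_free(&c, a, FREE_INIT_ON_FREE_SET_FP, &fp) ? "ok" : "corrupt");
    return 0;
}
```

Run it and the middle case prints an address that looks as arbitrary as the fp=0x7ee4f480ce0ecd7c in the dmesg sample: the slot really is zero, but get_freepointer() never returns the raw slot contents, it returns zero xor the secret xor the swapped slot address, which is why the check sees garbage rather than NULL. The plain free passes because an outside-object slot still holds the encoding written when the slab was built, and the third case passes because the patch's set_freepointer() call puts a fresh encoding in place before the checks decode it.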