Date: Thu, 7 Nov 2019 12:44:54 -0800 (PST)
From: David Rientjes
To: Laura Abbott
Cc: Alexander Potapenko, Andrew Morton, netdev@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "David S. Miller", Kees Cook, clipos@ssi.gouv.fr, Vlastimil Babka, Thibaut Sautereau
Subject: Re: [PATCH] mm: slub: Really fix slab walking for init_on_free
In-Reply-To: <20191106222208.26815-1-labbott@redhat.com>
References: <20191106222208.26815-1-labbott@redhat.com>

On Wed, 6 Nov 2019, Laura Abbott wrote:

> Commit 1b7e816fc80e ("mm: slub: Fix slab walking for init_on_free")
> fixed one problem with the slab walking but missed a key detail:
> When walking the list, the head and tail pointers need to be updated
> since we end up reversing the list as a result. Without doing this,
> bulk free is broken.
>
> One way this is exposed is a NULL pointer with
> slub_debug=F:
>
> =============================================================================
> BUG skbuff_head_cache (Tainted: G    T): Object already free
> -----------------------------------------------------------------------------
>
> INFO: Slab 0x000000000d2d2f8f objects=16 used=3 fp=0x0000000064309071 flags=0x3fff00000000201
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B   T 5.3.8 #1
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> RIP: 0010:print_trailer+0x70/0x1d5
> Code: 28 4d 8b 4d 00 4d 8b 45 20 81 e2 ff 7f 00 00 e8 86 ce ef ff 8b 4b 20 48 89 ea 48 89 ee 4c 29 e2 48 c7 c7 90 6f d4 89 48 01 e9 <48> 33 09 48 33 8b 70 01 00 00 e8 61 ce ef ff f6 43 09 04 74 35 8b
> RSP: 0018:ffffbf7680003d58 EFLAGS: 00010046
> RAX: 000000000000005d RBX: ffffa3d2bb08e540 RCX: 0000000000000000
> RDX: 00005c2d8fdc2000 RSI: 0000000000000000 RDI: ffffffff89d46f90
> RBP: 0000000000000000 R08: 0000000000000242 R09: 000000000000006c
> R10: 0000000000000000 R11: 0000000000000030 R12: ffffa3d27023e000
> R13: fffff11080c08f80 R14: ffffa3d2bb047a80 R15: 0000000000000002
> FS:  0000000000000000(0000) GS:ffffa3d2be400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 000000007a6c4000 CR4: 00000000000006f0
> Call Trace:
>
>  free_debug_processing.cold.37+0xc9/0x149
>  ? __kfree_skb_flush+0x30/0x40
>  ? __kfree_skb_flush+0x30/0x40
>  __slab_free+0x22a/0x3d0
>  ? tcp_wfree+0x2a/0x140
>  ? __sock_wfree+0x1b/0x30
>  kmem_cache_free_bulk+0x415/0x420
>  ? __kfree_skb_flush+0x30/0x40
>  __kfree_skb_flush+0x30/0x40
>  net_rx_action+0x2dd/0x480
>  __do_softirq+0xf0/0x246
>  irq_exit+0x93/0xb0
>  do_IRQ+0xa0/0x110
>  common_interrupt+0xf/0xf
>
>
> Given we're now almost identical to the existing debugging
> code which correctly walks the list, combine with that.
>
> Link: https://lkml.kernel.org/r/20191104170303.GA50361@gandi.net
> Reported-by: Thibaut Sautereau
> Fixes: 1b7e816fc80e ("mm: slub: Fix slab walking for init_on_free")
> Signed-off-by: Laura Abbott

Acked-by: David Rientjes
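The defect the quoted commit message describes (a freelist walk that rebuilds the list in reverse order but leaves the caller's head and tail pointers pointing at the old ends) is easy to reproduce in isolation. The following is an added, constructed illustration in user-space C; it is not Laura Abbott's patch and not SLUB's code, and the `struct obj` layout, the `pool` array and the function names are assumptions made for the demo. `walk_and_rebuild` scrubs each object the way init_on_free would and pushes it onto a fresh list, which reverses the chain; with `update_ends` set it publishes the new head and tail, and without it the caller sees exactly the stale pointers that break a bulk free.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed slab-like object for illustration: the first word is the
 * freelist link (this is not SLUB's real object layout or code). */
struct obj {
    struct obj *next;
    unsigned char payload[24];
};

/* Walk the freelist starting at *head, scrub each object (what init_on_free
 * does), and rebuild the list by pushing each object onto a new head. That
 * push reverses the order: the old head becomes the last element and the old
 * tail becomes the first. With update_ends == 0 the caller's head/tail are
 * left untouched, which is the stale-pointer defect described above. */
static void walk_and_rebuild(struct obj **head, struct obj **tail, int update_ends)
{
    struct obj *new_head = NULL, *new_tail = NULL;
    struct obj *p = *head;

    while (p) {
        struct obj *nxt = p->next;
        memset(p->payload, 0, sizeof(p->payload));
        if (!new_head)
            new_tail = p;        /* first object pushed ends up last */
        p->next = new_head;
        new_head = p;
        p = nxt;
    }
    if (update_ends) {
        *head = new_head;
        *tail = new_tail;
    }
}

/* Number of objects reachable from head; a bulk free walks this chain. */
static int count_from(const struct obj *head)
{
    int n = 0;
    for (; head; head = head->next)
        n++;
    return n;
}

#define POOL_SIZE 8
static struct obj pool[POOL_SIZE];   /* constructed backing store */

/* Build a constructed freelist pool[0] -> pool[1] -> ... -> pool[n-1]. */
static struct obj *build_list(int n, struct obj **tail)
{
    for (int i = 0; i < n; i++) {
        memset(pool[i].payload, 0xAA, sizeof(pool[i].payload));
        pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
    }
    *tail = &pool[n - 1];
    return &pool[0];
}

/* Objects a bulk free starting at the caller's head pointer would see. */
int reachable_after_walk(int n, int update_ends)
{
    struct obj *tail, *head;
    if (n < 1 || n > POOL_SIZE)
        return -1;
    head = build_list(n, &tail);
    walk_and_rebuild(&head, &tail, update_ends);
    return count_from(head);
}

/* 1 if the caller's tail pointer still terminates the chain (tail->next
 * == NULL), which linking the batch into another list relies on. */
int tail_is_terminal(int n, int update_ends)
{
    struct obj *tail, *head;
    if (n < 1 || n > POOL_SIZE)
        return 0;
    head = build_list(n, &tail);
    walk_and_rebuild(&head, &tail, update_ends);
    return tail->next == NULL;
}

int main(void)
{
    printf("fixed:  reachable=%d tail_terminal=%d\n",
           reachable_after_walk(5, 1), tail_is_terminal(5, 1));
    printf("broken: reachable=%d tail_terminal=%d\n",
           reachable_after_walk(5, 0), tail_is_terminal(5, 0));
    return 0;
}
```

With five objects the fixed walk reports all five reachable from the new head and a tail whose `next` is NULL; the broken walk reports only one reachable object (the old head is now last) and a "tail" that still has a successor, so anything that splices the batch onto another list by writing `tail->next` would silently drop or double-link objects, which is the kind of corruption `slub_debug=F` flagged above as "Object already free".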