Date: Tue, 7 Jan 2020 18:00:16 +0000 (UTC)
From: Christopher Lameter
To: lijiazi
cc: Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, lijiazi, linux-mm@kvack.org
Subject: Re: [PATCH v2] slub: call BUG if next_object is not valid
In-Reply-To: <1578397918-22017-1-git-send-email-lijiazi@xiaomi.com>
References: <1578397918-22017-1-git-send-email-lijiazi@xiaomi.com>

The freepointer chain is already checked with slub_debug on the command line
before this code is encountered.

On Tue, 7 Jan 2020, lijiazi wrote:

> If the current object's memory is corrupted, there is a high
> probability that the next_object stored in it will be rewritten as an
> illegal value. It's better to check next_object this time than to
> encounter an illegal pointer in the next slub alloc like the following:
>
> [80138.529667] Unable to handle kernel paging request at virtual
> address 0069145a08d9a20d
> [80138.529674] Mem abort info:
> [80138.529677]   ESR = 0x96000004
> [80138.529683]   Exception class = DABT (current EL), IL = 32 bits
> [80138.529688]   SET = 0, FnV = 0
> [80138.529692]   EA = 0, S1PTW = 0
> [80138.529695] Data abort info:
> [80138.529699]   ISV = 0, ISS = 0x00000004
> [80138.529703]   CM = 0, WnR = 0
> [80138.529708] [0069145a08d9a20d] address between user and kernel
> address ranges
> [80138.529716] Internal error: Oops: 96000004 [#1] PREEMPT SMP
> [80138.529722] Modules linked in: wlan(O) rmnet_perf(O) rmnet_shs(O)
> [80138.529812] CPU: 1 PID: 1074 Comm: cnss_diag Tainted: G S W O
> 4.19.72-perf-gdee6978 #1
> [80138.529824] pstate: 60400005 (nZCv daif +PAN -UAO)
> [80138.529840] pc : __kmalloc_track_caller+0x1d0/0x318
> [80138.529845] lr : __kmalloc_track_caller+0x60/0x318
> [80138.529849] sp : ffffff8011f6b980
> [80138.529852] x29: ffffff8011f6b9e0 x28: ffffffa187f15248
> [80138.529858] x27: ffffffede4856580 x26: ffffff8011f6bab8
> [80138.529864] x25: ffffffa18a238000 x24: ffffffec8681f980
> [80138.529870] x23: 2369145a08d9a20d x22: ffffffec8681f980
> [80138.529877] x21: ffffffa188e8c964 x20: 00000000000001c0
> [80138.529884] x19: 00000000007102c0 x18: 0000000000000000
> [80138.529890] x17: 0000000000000000 x16: 0000000000000000
> [80138.529897] x15: 0000007fffffffff x14: 0000000002a46f01
> [80138.529903] x13: 0000000000000000 x12: ffffffee38964760
> [80138.529909] x11: dc96ebb941026589 x10: 2369145a08d9a20d
> [80138.529916] x9 : 0000000002a46ef9 x8 : ffffffede4856580
> [80138.529922] x7 : 0000000000000000 x6 : 0000000000000004
> [80138.529929] x5 : 0000000000000003 x4 : 00000000007000c0
> [80138.529935] x3 : ffffff8011f6bba4 x2 : ffffffa188e8c964
> [80138.529942] x1 : 00000000007102c0 x0 : 0000000000000000
>
> [80138.530481] Call trace:
> [80138.530488]  __kmalloc_track_caller+0x1d0/0x318
> [80138.530498]  __alloc_skb+0x94/0x198
> [80138.530504]  alloc_skb_with_frags+0x5c/0x198
> [80138.530511]  sock_alloc_send_pskb+0x1d0/0x2c8
> [80138.530520]  unix_dgram_sendmsg+0x234/0xa80
> [80138.530525]  sock_write_iter+0xb8/0x110
> [80138.530532]  do_iter_readv_writev+0x118/0x158
> [80138.530540]  do_iter_write+0x7c/0x190
> [80138.530544]  vfs_writev+0x84/0xe8
> [80138.530549]  do_writev+0x78/0x118
> [80138.530554]  __arm64_sys_writev+0x1c/0x28
> [80138.530564]  el0_svc_common+0xa0/0x158
> [80138.530569]  el0_svc_handler+0x6c/0x88
> [80138.530578]  el0_svc+0x8/0xc
>
> Signed-off-by: lijiazi
> ---
> Changes in v2:
>   - bug only if CONFIG_DEBUG_VM is enabled.
>   - only check when next_object is not NULL.
> Reported-by: kernel test robot
> ---
>  mm/slub.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index a0b335d..cfdfd49 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -2744,6 +2744,7 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s, > } else { > void *next_object = get_freepointer_safe(s, object); > > + VM_BUG_ON(next_object && !virt_addr_valid(next_object)); > /* > * The cmpxchg will only match if there was no additional > * operation and if we are on the right processor. >
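Review bot: the assertion sits before the cmpxchg that validates the read, so it can fire on a benign race rather than on real corruption. In the lockless fastpath the object may already have been handed out by another CPU between the freelist load and the cmpxchg; the comment directly below the new line says so ("The cmpxchg will only match if there was no additional operation and if we are on the right processor"), and get_freepointer_safe() exists precisely because the word read here may be stale, so at this point next_object can legitimately contain whatever the new owner wrote into the object. If the check is kept, evaluate it only after the cmpxchg has succeeded, when next_object is known to be the freelist head this CPU actually consumed. Two smaller points: virt_addr_valid() only establishes that next_object is a mapped kernel address, not that it is an object of this slab, so a corrupted pointer that happens to land anywhere in the linear map still passes; and, as the reply above notes, booting with slub_debug already validates the freepointer chain before this path is reached, which gives the stronger per-object check without adding a branch to the CONFIG_DEBUG_VM fastpath.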
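The failure mode the patch description argues from, shown as an added userspace model. This is example code constructed for this page, not mm/slub.c and not code from either poster: a toy slab keeps the next-free pointer inside each free object, an in-use object overflows into its free neighbour, and the clobbered word is read back as the freelist head so that the following allocation would dereference garbage, as in the quoted oops. The `valid_freepointer()` helper is an assumption standing in for the per-object validation that slub_debug performs on the freepointer chain; it is deliberately stricter than virt_addr_valid(), which only asks whether an address is mapped kernel memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy model of a SLUB-style slab (not mm/slub.c): fixed-size
 * objects carved from one contiguous region, with the pointer to the next
 * free object stored inside each free object at offset 0.  An overflow out
 * of an in-use object therefore lands on the neighbouring free object's
 * freepointer, which is the corruption the oops above shows.
 */
#define OBJ_SIZE   64
#define NR_OBJS    8
#define SLAB_BYTES (OBJ_SIZE * NR_OBJS)

struct toy_slab {
	unsigned char mem[SLAB_BYTES];
	void *freelist;              /* head of the in-object freelist */
};

static void *get_freepointer(const void *object)
{
	void *fp;
	memcpy(&fp, object, sizeof(fp));
	return fp;
}

static void set_freepointer(void *object, void *fp)
{
	memcpy(object, &fp, sizeof(fp));
}

/*
 * Hypothetical stand-in for slub_debug's freelist validation: a freepointer
 * is acceptable only if it is NULL (end of list) or the start of an object
 * inside this slab.  A mere "is this address mapped" test, which is all
 * virt_addr_valid() gives, would accept any pointer into kernel memory.
 */
static int valid_freepointer(const struct toy_slab *s, const void *fp)
{
	uintptr_t base = (uintptr_t)s->mem, p = (uintptr_t)fp;

	if (!fp)
		return 1;
	if (p < base || p >= base + SLAB_BYTES)
		return 0;
	return (p - base) % OBJ_SIZE == 0;
}

static void slab_init(struct toy_slab *s)
{
	memset(s->mem, 0, sizeof(s->mem));
	/* thread obj[0] -> obj[1] -> ... -> obj[NR_OBJS-1] -> NULL */
	for (int i = 0; i < NR_OBJS; i++) {
		void *next = i + 1 < NR_OBJS ? (void *)(s->mem + (i + 1) * OBJ_SIZE) : NULL;
		set_freepointer(s->mem + i * OBJ_SIZE, next);
	}
	s->freelist = s->mem;
}

/*
 * Pop the freelist head.  With `checked` set, the next pointer read out of
 * the object is validated before it becomes the new head; on failure
 * *corrupt is set and NULL returned.  Without it, a clobbered pointer is
 * published and the *following* allocation would dereference it.
 */
static void *slab_alloc(struct toy_slab *s, int checked, int *corrupt)
{
	void *object = s->freelist;
	void *next;

	if (!object)
		return NULL;
	next = get_freepointer(object);
	if (checked && !valid_freepointer(s, next)) {
		*corrupt = 1;
		return NULL;
	}
	s->freelist = next;
	return object;
}

enum outcome { ALLOC_OK, NEXT_ALLOC_WOULD_DEREF_GARBAGE, CORRUPTION_DETECTED };

/*
 * Scenario from the patch description: obj[0] is in use and overruns by one
 * pointer width into the still-free obj[1], overwriting obj[1]'s freepointer.
 * Returns the allocator's state after obj[1] is then handed out.
 */
static enum outcome run_scenario(int overflow, int checked)
{
	struct toy_slab s;
	int corrupt = 0;
	unsigned char *a;

	slab_init(&s);
	a = slab_alloc(&s, checked, &corrupt);          /* obj[0] */
	memset(a, 'A', overflow ? OBJ_SIZE + sizeof(void *) : OBJ_SIZE);

	(void)slab_alloc(&s, checked, &corrupt);        /* obj[1]: reads clobbered word as "next" */
	if (corrupt)
		return CORRUPTION_DETECTED;
	return valid_freepointer(&s, s.freelist) ? ALLOC_OK
						   : NEXT_ALLOC_WOULD_DEREF_GARBAGE;
}

int main(void)
{
	printf("no overflow, unchecked: %d\n", run_scenario(0, 0));
	printf("overflow, unchecked:    %d\n", run_scenario(1, 0));
	printf("overflow, checked:      %d\n", run_scenario(1, 1));
	return 0;
}
```

The unchecked run leaves 0x4141... as the freelist head without crashing, because the model stops one allocation short; the real fastpath does not, which is why the quoted oops lands in __kmalloc_track_caller rather than at the site of the overflow.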