From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2989FC021B8 for ; Tue, 4 Mar 2025 11:20:09 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 9A8FF6B0082; Tue, 4 Mar 2025 06:20:08 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 958076B0083; Tue, 4 Mar 2025 06:20:08 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7F81D6B0085; Tue, 4 Mar 2025 06:20:08 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 60C1B6B0082 for ; Tue, 4 Mar 2025 06:20:08 -0500 (EST) Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 083E9121B4E for ; Tue, 4 Mar 2025 11:20:08 +0000 (UTC) X-FDA: 83183624496.06.06C9401 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) by imf18.hostedemail.com (Postfix) with ESMTP id 851B91C000A for ; Tue, 4 Mar 2025 11:20:05 +0000 (UTC) Authentication-Results: imf18.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=ePyBKDuD; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=dT1HZ27N; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=ePyBKDuD; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=dT1HZ27N; spf=pass (imf18.hostedemail.com: domain of vbabka@suse.cz designates 195.135.223.130 as permitted sender) smtp.mailfrom=vbabka@suse.cz; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1741087206; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=ivhJYdBo0HAR7qJrvW315rcu7n8JHoo3GknKgjzSVow=; b=5hDbS5dHxE48YNjijXtoh1yFr6zTVi/ybz7tiAtImN81x5VIJmnkzmZ9fZR/EtTtrsFCcr PK8SM/bMA9hZV/7uWsZ+Eo8n07YAVcp3NQm1/TnH6+9Rnvm5JRM0ue3EVd9nQotZzAn9HV OhckwVkm7DcIxoNqVytZWmmeJebMR4w= ARC-Authentication-Results: i=1; imf18.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=ePyBKDuD; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=dT1HZ27N; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=ePyBKDuD; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=dT1HZ27N; spf=pass (imf18.hostedemail.com: domain of vbabka@suse.cz designates 195.135.223.130 as permitted sender) smtp.mailfrom=vbabka@suse.cz; dmarc=none ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1741087206; a=rsa-sha256; cv=none; b=dteW2cC0hmezXhbP+u4ks0k5CDogMx11oL0kcOHkB2BFbgaZ5P1BA4tX4Tnxf81lH+7Gyr TYlSnx9ReBsBrsBZuzNW4EEon05ZLlV4EnwPjlJsi44kTcnGx1tYAjd0zo/yY/Q62TmmKL feQ0FTUCkvlWLaNva76DXUJLTnQNtrA= Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 034FD21197; Tue, 4 Mar 2025 11:20:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1741087204; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=ivhJYdBo0HAR7qJrvW315rcu7n8JHoo3GknKgjzSVow=; b=ePyBKDuDwsFlXS0rXss0KavfJtdjLBEdW0i1gQAs0pgatVY8SWsprHA2c1cmpQe37WAm/u wAggzq9+Qc423vr8bZoe6jKvcMIaEIXTwmlc4L3fqq8PIuPNKPI7J5YFv6WfK+97SmUPyd rMRVSKECS4Y5O0pfQwb5AhkyPmFuOeQ= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1741087204; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=ivhJYdBo0HAR7qJrvW315rcu7n8JHoo3GknKgjzSVow=; b=dT1HZ27NW1mKh7V6yXLPTTdklCigdtFJ6CROHhY6hocOIG//MHMlO+xqmf+9iJw3qIuJhF oenhHeM1gAhzbOAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1741087204; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=ivhJYdBo0HAR7qJrvW315rcu7n8JHoo3GknKgjzSVow=; b=ePyBKDuDwsFlXS0rXss0KavfJtdjLBEdW0i1gQAs0pgatVY8SWsprHA2c1cmpQe37WAm/u wAggzq9+Qc423vr8bZoe6jKvcMIaEIXTwmlc4L3fqq8PIuPNKPI7J5YFv6WfK+97SmUPyd rMRVSKECS4Y5O0pfQwb5AhkyPmFuOeQ= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1741087204; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=ivhJYdBo0HAR7qJrvW315rcu7n8JHoo3GknKgjzSVow=; b=dT1HZ27NW1mKh7V6yXLPTTdklCigdtFJ6CROHhY6hocOIG//MHMlO+xqmf+9iJw3qIuJhF oenhHeM1gAhzbOAg== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id DB46E13967; Tue, 4 Mar 2025 11:20:03 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id YroyNePhxmfucgAAD6G6ig (envelope-from ); Tue, 04 Mar 2025 11:20:03 +0000 Message-ID: Date: Tue, 4 Mar 2025 12:20:03 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] slub: Fix Off-By-One in the While condition in on_freelist() Content-Language: en-US To: Lilith Gkini Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, harry.yoo@oracle.com References: <8cabcf70-d887-471d-9277-ef29aca1216b@suse.cz> <714d353a-49c8-4cbd-88d6-e24ae8f78aaa@suse.cz> From: Vlastimil Babka Autocrypt: addr=vbabka@suse.cz; keydata= xsFNBFZdmxYBEADsw/SiUSjB0dM+vSh95UkgcHjzEVBlby/Fg+g42O7LAEkCYXi/vvq31JTB KxRWDHX0R2tgpFDXHnzZcQywawu8eSq0LxzxFNYMvtB7sV1pxYwej2qx9B75qW2plBs+7+YB 87tMFA+u+L4Z5xAzIimfLD5EKC56kJ1CsXlM8S/LHcmdD9Ctkn3trYDNnat0eoAcfPIP2OZ+ 9oe9IF/R28zmh0ifLXyJQQz5ofdj4bPf8ecEW0rhcqHfTD8k4yK0xxt3xW+6Exqp9n9bydiy tcSAw/TahjW6yrA+6JhSBv1v2tIm+itQc073zjSX8OFL51qQVzRFr7H2UQG33lw2QrvHRXqD Ot7ViKam7v0Ho9wEWiQOOZlHItOOXFphWb2yq3nzrKe45oWoSgkxKb97MVsQ+q2SYjJRBBH4 8qKhphADYxkIP6yut/eaj9ImvRUZZRi0DTc8xfnvHGTjKbJzC2xpFcY0DQbZzuwsIZ8OPJCc LM4S7mT25NE5kUTG/TKQCk922vRdGVMoLA7dIQrgXnRXtyT61sg8PG4wcfOnuWf8577aXP1x 6mzw3/jh3F+oSBHb/GcLC7mvWreJifUL2gEdssGfXhGWBo6zLS3qhgtwjay0Jl+kza1lo+Cv BB2T79D4WGdDuVa4eOrQ02TxqGN7G0Biz5ZLRSFzQSQwLn8fbwARAQABzSBWbGFzdGltaWwg QmFia2EgPHZiYWJrYUBzdXNlLmN6PsLBlAQTAQoAPgIbAwULCQgHAwUVCgkICwUWAgMBAAIe AQIXgBYhBKlA1DSZLC6OmRA9UCJPp+fMgqZkBQJkBREIBQkRadznAAoJECJPp+fMgqZkNxIQ ALZRqwdUGzqL2aeSavbum/VF/+td+nZfuH0xeWiO2w8mG0+nPd5j9ujYeHcUP1edE7uQrjOC Gs9sm8+W1xYnbClMJTsXiAV88D2btFUdU1mCXURAL9wWZ8Jsmz5ZH2V6AUszvNezsS/VIT87 AmTtj31TLDGwdxaZTSYLwAOOOtyqafOEq+gJB30RxTRE3h3G1zpO7OM9K6ysLdAlwAGYWgJJ V4JqGsQ/lyEtxxFpUCjb5Pztp7cQxhlkil0oBYHkudiG8j1U3DG8iC6rnB4yJaLphKx57NuQ PIY0Bccg+r9gIQ4XeSK2PQhdXdy3UWBr913ZQ9AI2usid3s5vabo4iBvpJNFLgUmxFnr73SJ KsRh/2OBsg1XXF/wRQGBO9vRuJUAbnaIVcmGOUogdBVS9Sun/Sy4GNA++KtFZK95U7J417/J Hub2xV6Ehc7UGW6fIvIQmzJ3zaTEfuriU1P8ayfddrAgZb25JnOW7L1zdYL8rXiezOyYZ8Fm ZyXjzWdO0RpxcUEp6GsJr11Bc4F3aae9OZtwtLL/jxc7y6pUugB00PodgnQ6CMcfR/HjXlae h2VS3zl9+tQWHu6s1R58t5BuMS2FNA58wU/IazImc/ZQA+slDBfhRDGYlExjg19UXWe/gMcl De3P1kxYPgZdGE2eZpRLIbt+rYnqQKy8UxlszsBNBFsZNTUBCACfQfpSsWJZyi+SHoRdVyX5 J6rI7okc4+b571a7RXD5UhS9dlVRVVAtrU9ANSLqPTQKGVxHrqD39XSw8hxK61pw8p90pg4G /N3iuWEvyt+t0SxDDkClnGsDyRhlUyEWYFEoBrrCizbmahOUwqkJbNMfzj5Y7n7OIJOxNRkB IBOjPdF26dMP69BwePQao1M8Acrrex9sAHYjQGyVmReRjVEtv9iG4DoTsnIR3amKVk6si4Ea X/mrapJqSCcBUVYUFH8M7bsm4CSxier5ofy8jTEa/CfvkqpKThTMCQPNZKY7hke5qEq1CBk2 wxhX48ZrJEFf1v3NuV3OimgsF2odzieNABEBAAHCwXwEGAEKACYCGwwWIQSpQNQ0mSwujpkQ PVAiT6fnzIKmZAUCZAUSmwUJDK5EZgAKCRAiT6fnzIKmZOJGEACOKABgo9wJXsbWhGWYO7mD 8R8mUyJHqbvaz+yTLnvRwfe/VwafFfDMx5GYVYzMY9TWpA8psFTKTUIIQmx2scYsRBUwm5VI EurRWKqENcDRjyo+ol59j0FViYysjQQeobXBDDE31t5SBg++veI6tXfpco/UiKEsDswL1WAr tEAZaruo7254TyH+gydURl2wJuzo/aZ7Y7PpqaODbYv727Dvm5eX64HCyyAH0s6sOCyGF5/p eIhrOn24oBf67KtdAN3H9JoFNUVTYJc1VJU3R1JtVdgwEdr+NEciEfYl0O19VpLE/PZxP4wX PWnhf5WjdoNI1Xec+RcJ5p/pSel0jnvBX8L2cmniYnmI883NhtGZsEWj++wyKiS4NranDFlA HdDM3b4lUth1pTtABKQ1YuTvehj7EfoWD3bv9kuGZGPrAeFNiHPdOT7DaXKeHpW9homgtBxj 8aX/UkSvEGJKUEbFL9cVa5tzyialGkSiZJNkWgeHe+jEcfRT6pJZOJidSCdzvJpbdJmm+eED w9XOLH1IIWh7RURU7G1iOfEfmImFeC3cbbS73LQEFGe1urxvIH5K/7vX+FkNcr9ujwWuPE9b 1C2o4i/yZPLXIVy387EjA6GZMqvQUFuSTs/GeBcv0NjIQi8867H3uLjz+mQy63fAitsDwLmR EP+ylKVEKb0Q2A== In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Rspam-User: X-Stat-Signature: yre49ck1tyzgty5cd7dy115p34mz1y7u X-Rspamd-Queue-Id: 851B91C000A X-Rspamd-Server: rspam07 X-HE-Tag: 1741087205-375762 X-HE-Meta: U2FsdGVkX18c7gwaCU0/H25dbKNwKV4my62cWiCbEQGjUIMq+JL2E5M585ZaTsFVWzSL/aef6lzMPEYhUfnryV6g41nzjvO9wFb0NTX9ZR+24WMEvUFGi65twXvvr/JoRsbpafRH2yy4++h47whN5xvOmHEr1plfBwDeXbau2uQ6wWeqfqc6XrCux+Ev5XiAI5CpR+224FyqUd/Sht0mzjiqZFaysRC8FOfKLROY14Oj9KZ4zNgJFSqUAzldRVaJFrdF2OjjEZqh3p5M0SkxACOnAaaSd3ipTzA6dNBZAPZxdJYoBodToEEfgB0AaZF57SFoFaGIQZhXJ0MLiO8C4r5/msy/dop/tP2nmrBLozbMPy5cUpj22r9T7cl3tItB+8dyJeC52CqGY5EUqJg7Bz0Aj2ja7kQLm94ehYvSnKL8RwdqYcTRyKdpC2Bb3PU+2yIScElag4UzQIwulhACISU0PTWNBFDFy62EtQXJL/XaF8w05Al31Po0CFBhQd6xo5EiYYrmo50avLfl+W/LYyIYnQkxrO871q9j9ZONmoWfzGk7kD7+5G8Xl2Yg7tZWTm/rO2tkLPSfkcUwLkbCSQGc+d3jvrl34UnVRZdqsTpHL4mh3k6G/+4Fo9MkLxt6OZCsKd+WNo+fZUwWhCGNtKolNXHROIJRPY4ivoh/JluR5cQyOr/whpovlMQRn9HqH4q7YVfS9SifffrkofbAyEjIolLIBH/qayyK9zxiyHH05FdPOzAoU9nQZOWMDECnFHcsrslJnFZ3lRuVZZb0JkfithI+fLOPsMDSfqmpV1xZy03/CI9TabIfpDA4muBl6q1QSZY5/8PZ4iYn0K2hAHTUPp3LP4OHmoIUwuRq4A6HHr06q8wg47ZbRjb381HLZxdNXmbcNbINsutuiJOXSngVa9L1CTsLsrP/Yt4hvrtmNPbX3xnxj8MMB4ovWVWMKjULcd27NahaEDtmY7n QxR6OHVe ylsoFTOXvvHHwiv2Oiq/+Hzj/NkOSFak8v/VuwTu6WAlz/hvbyJuwhWvjOEWq30kVddCnxL5DyKznmWujf346j0/YKiRpe7YNyGd+lFLJlUc/Eb/0V85vK4wS9fxDQf9oLT3gKR3s0c6mfey8oCav+AbZPYHdVaBFYw5nhC2oNVUTN8vc2wqRwUNthtfhvzgxaCRDtnKhVV1GlX+3Fr3eO9IdQbiftqFltvYJ+xbrANskEQiyEgQVrKZFe9etVKORPlxNt7p0odOYO8RVubgHkCYyJqS35A2dB/pOYHQdbhiQSR1FvLMYness3jvpmcjbSyu15NQ4zcyCBVti9E1YfZNsSCAqlsJn3eezPA5BXzt4Q459Wm21MAJlFGPvovMcgKt9CchKmO6iV/VJxg0GUhGobQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On 3/4/25 12:06, Lilith Gkini wrote: > On Tue, Mar 04, 2025 at 09:41:23AM +0100, Vlastimil Babka wrote: >> It sets the tail to NULL but then also breaks out of the loop (btw that >> break; could be moved to the if (object) branch to make it more obvious) to >> the code below, which should also set slab->inuse properly. So the result >> should be consistent? In that case we're able to salvage at least the >> uncorrupted part of the freelist. It's likely corrupted by a use-after-free >> of a single object overwriting the freepointer. > > Yes! You are right! > > I also just tested this. The "Freelist cycle detected" will get > triggered even if there is an invalid address at the tail in the case > of a full freelist, which is a bit... inacurate, right? It's technically Yes. But see my comments on the code below. I wonder why you got it triggered. > not a cycle in that case since the freepointer is invalid and it doesn't > point back to the slab. > > - We could avoid this by nulling the fp in that case (as I suggested in v1 > in previous emails) inside the "Freechain corrupt" branch, but also > reverting the while condition back to it's equal sign like it was and > then changing the new if check to: > if (fp != NULL && nr > slab->objects) { > but it feels a bit messy. I think it's not so bad. > - Or we could just change the "Freelist cycle detected" message to > something else. > > - Or we could leave it as "Freelist cycle detected". I'd prefer that. > This is only a problem if the freelist is full and the tail is junk. If the tail is junk it would be better to just fix it to NULL and not report wrongly a cycle. > If the freelist is not full the code will act as you suggested. > > > If this is becoming too hard to follow I'll include the two diffs. > > For the case were we are fine with the "Freelist cycle detected" > message, even in the case of a junk tail: > > -- > > and in the case where we want the code to not display "Freelist cycle > detected" we could do something like this: > > --- > mm/slub.c | 19 ++++++++++++++----- > 1 file changed, 14 insertions(+), 5 deletions(-) > > diff --git a/mm/slub.c b/mm/slub.c > index 1f50129dcfb3..eef879d4feb1 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -1427,7 +1427,7 @@ static int check_slab(struct kmem_cache *s, struct slab *slab) > * Determine if a certain object in a slab is on the freelist. Must hold the > * slab lock to guarantee that the chains are in a consistent state. > */ > -static int on_freelist(struct kmem_cache *s, struct slab *slab, void *search) > +static bool on_freelist(struct kmem_cache *s, struct slab *slab, void *search) > { > int nr = 0; > void *fp; > @@ -1437,27 +1437,36 @@ static int on_freelist(struct kmem_cache *s, struct slab *slab, void *search) > fp = slab->freelist; > while (fp && nr <= slab->objects) { > if (fp == search) > - return 1; > + return true; > if (!check_valid_pointer(s, slab, fp)) { > if (object) { > object_err(s, slab, object, > "Freechain corrupt"); > set_freepointer(s, object, NULL); > + fp = NULL; > + break; Since we break, nr is not incremented to slab->objects + 1. > } else { > slab_err(s, slab, "Freepointer corrupt"); > slab->freelist = NULL; > slab->inuse = slab->objects; > slab_fix(s, "Freelist cleared"); > - return 0; > + return false; > } > - break; > } > object = fp; > fp = get_freepointer(s, object); > nr++; > } > > - max_objects = order_objects(slab_order(slab), s->size); > + if (fp != NULL && nr > slab->objects) { And thus we should not need to set fp to NULL and test it here? Am I missing something? > + slab_err(s, slab, "Freelist cycle detected"); > + slab->freelist = NULL; > + slab->inuse = slab->objects; > + slab_fix(s, "Freelist cleared"); > + return false; > + } > + > + max_objects = order_objects(slab_or0der(slab), s->size); > if (max_objects > MAX_OBJS_PER_PAGE) > max_objects = MAX_OBJS_PER_PAGE; > > -- > > Let me know what you think! The latter would be better, thanks!