From: Vlastimil Babka <vbabka@suse.cz>
To: Suren Baghdasaryan <surenb@google.com>, akpm@linux-foundation.org
Cc: kent.overstreet@linux.dev, roman.gushchin@linux.dev,
cl@linux.com, rientjes@google.com, harry.yoo@oracle.com,
souravpanda@google.com, pasha.tatashin@soleen.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH 1/1] slab: ensure slab->obj_exts is clear in a newly allocated slab page
Date: Fri, 11 Apr 2025 18:26:58 +0200 [thread overview]
Message-ID: <c88ec69c-87ee-4865-8b2a-87f32f46b0bc@suse.cz> (raw)
In-Reply-To: <20250411155737.1360746-1-surenb@google.com>
On 4/11/25 17:57, Suren Baghdasaryan wrote:
> ktest recently reported crashes while running several buffered io tests
> with __alloc_tagging_slab_alloc_hook() at the top of the crash call stack.
> The signature indicates an invalid address dereference with low bits of
> slab->obj_exts being set. The bits were outside of the range used by
> page_memcg_data_flags and objext_flags and hence were not masked out
> by slab_obj_exts() when obtaining the pointer stored in slab->obj_exts.
> The typical crash log looks like this:
>
> 00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
> 00510 Mem abort info:
> 00510 ESR = 0x0000000096000045
> 00510 EC = 0x25: DABT (current EL), IL = 32 bits
> 00510 SET = 0, FnV = 0
> 00510 EA = 0, S1PTW = 0
> 00510 FSC = 0x05: level 1 translation fault
> 00510 Data abort info:
> 00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000
> 00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0
> 00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> 00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000
> 00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
> 00510 Internal error: Oops: 0000000096000045 [#1] SMP
> 00510 Modules linked in:
> 00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE
> 00510 Hardware name: linux,dummy-virt (DT)
> 00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
> 00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190
> 00510 lr : __kmalloc_noprof+0x150/0x310
> 00510 sp : ffffff80c87df6c0
> 00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200
> 00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001
> 00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180
> 00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000
> 00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700
> 00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006
> 00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58
> 00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556
> 00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060
> 00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000
> 00510 Call trace:
> 00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)
> 00510 __kmalloc_noprof+0x150/0x310
> 00510 __bch2_folio_create+0x5c/0xf8
> 00510 bch2_folio_create+0x2c/0x40
> 00510 bch2_readahead+0xc0/0x460
> 00510 read_pages+0x7c/0x230
> 00510 page_cache_ra_order+0x244/0x3a8
> 00510 page_cache_async_ra+0x124/0x170
> 00510 filemap_readahead.isra.0+0x58/0xa0
> 00510 filemap_get_pages+0x454/0x7b0
> 00510 filemap_read+0xdc/0x418
> 00510 bch2_read_iter+0x100/0x1b0
> 00510 vfs_read+0x214/0x300
> 00510 ksys_read+0x6c/0x108
> 00510 __arm64_sys_read+0x20/0x30
> 00510 invoke_syscall.constprop.0+0x54/0xe8
> 00510 do_el0_svc+0x44/0xc8
> 00510 el0_svc+0x18/0x58
> 00510 el0t_64_sync_handler+0x104/0x130
> 00510 el0t_64_sync+0x154/0x158
> 00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)
> 00510 ---[ end trace 0000000000000000 ]---
> 00510 Kernel panic - not syncing: Oops: Fatal exception
> 00510 SMP: stopping secondary CPUs
> 00510 Kernel Offset: disabled
> 00510 CPU features: 0x0000,000000e0,00000410,8240500b
> 00510 Memory Limit: none
>
> Investigation indicates that these bits are already set when we allocate
> slab page and are not zeroed out after allocation. We are not yet sure
> why these crashes start happening only recently but regardless of the
> reason, not initializing a field that gets used later is wrong. Fix it
> by initializing slab->obj_exts during slab page allocation.
slab->obj_exts overlays page->memcg_data and the checks on page alloc and
page free should catch any non-zero values, i.e. page_expected_state()
page_bad_reason() so if anyone is e.g. UAF-writing there or leaving garbage
there while freeing the page it's a bug.
Perhaps CONFIG_MEMCG is disabled in the ktests and thus the checks are not
happening? We could extend them for CONFIG_SLAB_OBJ_EXT checking
_unused_slab_obj_exts perhaps. But it would be a short lived change, see below.
> Fixes: 21c690a349ba ("mm: introduce slabobj_ext to support slab object extensions")
> Reported-by: Kent Overstreet <kent.overstreet@linux.dev>
> Tested-by: Kent Overstreet <kent.overstreet@linux.dev>
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> Acked-by: Kent Overstreet <kent.overstreet@linux.dev>
> Cc: <stable@vger.kernel.org>
We'll need this anyway for the not so far future when struct slab is
separated from struct page so it's fine but it would still be great to find
the underlying buggy code which this is going to hide.
> ---
> mm/slub.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index b46f87662e71..dc9e729e1d26 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1973,6 +1973,11 @@ static inline void handle_failed_objexts_alloc(unsigned long obj_exts,
> #define OBJCGS_CLEAR_MASK (__GFP_DMA | __GFP_RECLAIMABLE | \
> __GFP_ACCOUNT | __GFP_NOFAIL)
>
> +static inline void init_slab_obj_exts(struct slab *slab)
> +{
> + slab->obj_exts = 0;
> +}
> +
> int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s,
> gfp_t gfp, bool new_slab)
> {
> @@ -2058,6 +2063,10 @@ static inline bool need_slab_obj_ext(void)
>
> #else /* CONFIG_SLAB_OBJ_EXT */
>
> +static inline void init_slab_obj_exts(struct slab *slab)
> +{
> +}
> +
> static int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s,
> gfp_t gfp, bool new_slab)
> {
> @@ -2637,6 +2646,7 @@ static struct slab *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
> slab->objects = oo_objects(oo);
> slab->inuse = 0;
> slab->frozen = 0;
> + init_slab_obj_exts(slab);
>
> account_slab(slab, oo_order(oo), s, flags);
>
>
> base-commit: c496b37f9061db039b413c03ccd33506175fe6ec
next prev parent reply other threads:[~2025-04-11 16:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-11 15:57 Suren Baghdasaryan
2025-04-11 16:26 ` Vlastimil Babka [this message]
2025-04-11 16:59 ` Suren Baghdasaryan
2025-04-11 17:45 ` Suren Baghdasaryan
2025-04-14 10:24 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c88ec69c-87ee-4865-8b2a-87f32f46b0bc@suse.cz \
--to=vbabka@suse.cz \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=harry.yoo@oracle.com \
--cc=kent.overstreet@linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pasha.tatashin@soleen.com \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=souravpanda@google.com \
--cc=stable@vger.kernel.org \
--cc=surenb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox