From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79D31C3567B for ; Thu, 27 Feb 2020 16:54:04 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 4F94E246A1 for ; Thu, 27 Feb 2020 16:54:04 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4F94E246A1 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=suse.cz Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id C51C96B0006; Thu, 27 Feb 2020 11:54:03 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id C03736B0007; Thu, 27 Feb 2020 11:54:03 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B3FC86B0008; Thu, 27 Feb 2020 11:54:03 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0204.hostedemail.com [216.40.44.204]) by kanga.kvack.org (Postfix) with ESMTP id 9D7BF6B0006 for ; Thu, 27 Feb 2020 11:54:03 -0500 (EST) Received: from smtpin29.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 6AFCC181AEF1A for ; Thu, 27 Feb 2020 16:54:03 +0000 (UTC) X-FDA: 76536504366.29.suit60_40780ea9aa20b X-HE-Tag: suit60_40780ea9aa20b X-Filterd-Recvd-Size: 2458 Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) by imf16.hostedemail.com (Postfix) with ESMTP for ; Thu, 27 Feb 2020 16:54:02 +0000 (UTC) X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 79C7FAE06; Thu, 27 Feb 2020 16:53:58 +0000 (UTC) Subject: Re: [PATCH] mm: slub: reinitialize random sequence cache on slab object update To: vjitta@codeaurora.org, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org, vinmenon@codeaurora.org, kernel-team@android.com References: <1580379523-32272-1-git-send-email-vjitta@codeaurora.org> <1580383064-16536-1-git-send-email-vjitta@codeaurora.org> From: Vlastimil Babka Message-ID: Date: Thu, 27 Feb 2020 17:53:56 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <1580383064-16536-1-git-send-email-vjitta@codeaurora.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 1/30/20 12:17 PM, vjitta@codeaurora.org wrote: > From: Vijayanand Jitta > > Random sequence cache is precomputed during slab object creation > based up on the object size and no of objects per slab. These could > be changed when flags like SLAB_STORE_USER, SLAB_POISON are updated > from sysfs. So when shuffle_freelist is called during slab_alloc it > uses updated object count to access the precomputed random sequence > cache. This could result in incorrect access of the random sequence > cache which could further result in slab corruption. Fix this by > reinitializing the random sequence cache up on slab object update. > > A sample panic trace when write to slab_store_user was attempted. A more complete oops report would have been better, e.g. if anyone was googling it, to find this patch. Also I was checking where else calculate_sizes() is called and found order_store(). So if somebody changes (especially increases) the order, shouldn't the reinitialization also be done? This is even more nasty as it doesn't seem to require that no objects exist. Also there is no synchronization against concurrent allocations/frees? Gasp.