[7/9] mm: kmemleak: erase page->s_mem in slab_destroy

Message ID	20230123170419.7292-8-george@enfabrica.net (mailing list archive)
State	New
Headers	show Return-Path: <owner-linux-mm@kvack.org> From: George Prekas <george@enfabrica.net> To: linux-kernel@vger.kernel.org, linux-mm@kvack.org Cc: Catalin Marinas <catalin.marinas@arm.com>, Andrew Morton <akpm@linux-foundation.org>, Christoph Lameter <cl@linux.com>, Pekka Enberg <penberg@kernel.org>, David Rientjes <rientjes@google.com>, Joonsoo Kim <iamjoonsoo.kim@lge.com>, Vlastimil Babka <vbabka@suse.cz>, Roman Gushchin <roman.gushchin@linux.dev>, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Thomas Gleixner <tglx@linutronix.de>, "Eric W. Biederman" <ebiederm@xmission.com>, Sebastian Andrzej Siewior <bigeasy@linutronix.de>, Andy Lutomirski <luto@kernel.org>, Peter Zijlstra <peterz@infradead.org>, "Liam R. Howlett" <Liam.Howlett@Oracle.com>, Fenghua Yu <fenghua.yu@intel.com>, Andrei Vagin <avagin@gmail.com>, George Prekas <george@enfabrica.net> Subject: [PATCH 7/9] mm: kmemleak: erase page->s_mem in slab_destroy Date: Mon, 23 Jan 2023 11:04:17 -0600 Message-Id: <20230123170419.7292-8-george@enfabrica.net> In-Reply-To: <20230123170419.7292-1-george@enfabrica.net> References: <20230123170419.7292-1-george@enfabrica.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	mm: kmemleak: fix unreported memory leaks \| expand [0/9] mm: kmemleak: fix unreported memory leaks [1/9] mm: kmemleak: properly disable task stack scanning [2/9] Revert "mm/kmemleak: make create_object return void" [3/9] mm: kmemleak: propagate NO_SCAN flag in delete_object_part [4/9] mm: kmemleak: add kmemleak_noscan_phys function [5/9] mm: kmemleak: do not scan sparsemap_buf [6/9] mm: kmemleak: do not scan cpu_cache of struct kmem_cache [7/9] mm: kmemleak: erase page->s_mem in slab_destroy [8/9] mm: kmemleak: erase page->freelist in slab_destroy [9/9] mm: kmemleak: fix undetected leaks for page aligned objects

Message ID

20230123170419.7292-8-george@enfabrica.net (mailing list archive)

State

New

Headers

From: George Prekas <george@enfabrica.net>
To: linux-kernel@vger.kernel.org,
	linux-mm@kvack.org
Cc: Catalin Marinas <catalin.marinas@arm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Hyeonggon Yoo <42.hyeyoo@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Andy Lutomirski <luto@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	"Liam R. Howlett" <Liam.Howlett@Oracle.com>,
	Fenghua Yu <fenghua.yu@intel.com>,
	Andrei Vagin <avagin@gmail.com>,
	George Prekas <george@enfabrica.net>
Subject: [PATCH 7/9] mm: kmemleak: erase page->s_mem in slab_destroy
Date: Mon, 23 Jan 2023 11:04:17 -0600
Message-Id: <20230123170419.7292-8-george@enfabrica.net>
In-Reply-To: <20230123170419.7292-1-george@enfabrica.net>
References: <20230123170419.7292-1-george@enfabrica.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

mm: kmemleak: fix unreported memory leaks | expand

Commit Message

George Prekas Jan. 23, 2023, 5:04 p.m. UTC

The field s_mem of struct page is initialized with the virtual address
of the page in function alloc_slabmgmt. If kmalloc allocates an object
that starts on this page, then kmemleak knows that this object has 2
references. On slab_destroy, s_mem should not continue referring to any
allocated object in the future.

Specifically, assume that initially the 4KB cache uses page[5] and its
s_mem = 0x5000. Then assume that this cache releases page[5] and the 8KB
cache allocates page[4] and page[5]. Subsequently, kmalloc returns an
8KB object at address 0x4000 which will have 3 references: the returned
pointer from kmalloc, page[4].s_mem = 0x4000, and page[5].s_mem. This
object can leak without detection.

Signed-off-by: George Prekas <george@enfabrica.net>
---
 mm/slab.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Christoph Lameter Jan. 26, 2023, 11:28 a.m. UTC | #1

On Mon, 23 Jan 2023, George Prekas wrote:

> The field s_mem of struct page is initialized with the virtual address
> of the page in function alloc_slabmgmt. If kmalloc allocates an object
> that starts on this page, then kmemleak knows that this object has 2
> references. On slab_destroy, s_mem should not continue referring to any
> allocated object in the future.

Nope.

s_mem is a pointer to an array of objects. It is not a pointer to a page.

If a slab-caches is used for slabmanagement then these objects
contain slab metadata which may be a bit confusing.

diff --git a/mm/slab.c b/mm/slab.c
index a927e1a285d1..aa5eb725ee9c 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -1611,6 +1611,9 @@  static void slab_destroy(struct kmem_cache *cachep, struct slab *slab)
 {
 	void *freelist;
 
+	/* Erase the page's virtual address from s_mem */
+	kmemleak_erase(&slab->s_mem);
+
 	freelist = slab->freelist;
 	slab_destroy_debugcheck(cachep, slab);
 	if (unlikely(cachep->flags & SLAB_TYPESAFE_BY_RCU))

[7/9] mm: kmemleak: erase page->s_mem in slab_destroy

Commit Message

Comments

Patch