From patchwork Wed Mar 5 15:48:39 2025
Date: Wed, 5 Mar 2025 17:48:39 +0200
From: Lilith Gkini
To: Vlastimil Babka
Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, harry.yoo@oracle.com
Subject: [PATCH] slub: Adds a way to handle freelist cycle in on_freelist()
Message-ID:
References: <8cabcf70-d887-471d-9277-ef29aca1216b@suse.cz> <714d353a-49c8-4cbd-88d6-e24ae8f78aaa@suse.cz>
In-Reply-To:

The on_freelist() doesn't have a way to handle the edge case of having a full freelist that doesn't end in NULL and instead has another valid pointer in the slab as a result of a Use-After-Free or anything similar. This case won't get caught by check_valid_pointer() and it will result in nr incrementing to `slab->objects + 1`, corrupting the slab->inuse entry later in the code by setting it to -1.
The Patch adds an if check to detect that case, notifies us and handles the freelist and slab appropriately, as is the standard process in these situations.

Furthermore the Patch changes the return type of the function from int to bool as per coding style guidelines. It also moves the `break;` line inside the `if (object) {` to make it more obvious that the code breaks the while loop in that branch.

Signed-off-by: Lilith Persefoni Gkini
Reviewed-by: Harry Yoo
--- mm/slub.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/mm/slub.c b/mm/slub.c index 1f50129dcfb3..95e54ffd5330 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1427,7 +1427,7 @@ static int check_slab(struct kmem_cache *s, struct slab *slab) * Determine if a certain object in a slab is on the freelist. Must hold the * slab lock to guarantee that the chains are in a consistent state. */ -static int on_freelist(struct kmem_cache *s, struct slab *slab, void *search) +static bool on_freelist(struct kmem_cache *s, struct slab *slab, void *search) { int nr = 0; void *fp; @@ -1437,26 +1437,34 @@ static int on_freelist(struct kmem_cache *s, struct slab *slab, void *search) fp = slab->freelist; while (fp && nr <= slab->objects) { if (fp == search) - return 1; + return true; if (!check_valid_pointer(s, slab, fp)) { if (object) { object_err(s, slab, object, "Freechain corrupt"); set_freepointer(s, object, NULL); + break; } else { slab_err(s, slab, "Freepointer corrupt"); slab->freelist = NULL; slab->inuse = slab->objects; slab_fix(s, "Freelist cleared"); - return 0; + return false; } - break; } object = fp; fp = get_freepointer(s, object); nr++; } + if (nr > slab->objects) { + slab_err(s, slab, "Freelist cycle detected"); + slab->freelist = NULL; + slab->inuse = slab->objects; + slab_fix(s, "Freelist cleared"); + return false; + } + max_objects = order_objects(slab_order(slab), s->size); if (max_objects > MAX_OBJS_PER_PAGE) max_objects = MAX_OBJS_PER_PAGE;
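Review bot: the first hunk (@@ -1427) changes the return type of on_freelist() from int to bool, which is a pure style change unrelated to the cycle detection fix; it would usually be split into its own patch so that the bug fix in the second hunk can be reviewed and backported on its own.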
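Review bot: in the second hunk (@@ -1437) the recovery sequence `slab->freelist = NULL; slab->inuse = slab->objects; slab_fix(s, "Freelist cleared");` now appears twice, once in the `Freepointer corrupt` branch and once in the new `Freelist cycle detected` block; consider factoring it into a small static helper so the two paths cannot drift apart. The new check itself is sound given the visible loop: with `while (fp && nr <= slab->objects)` and `nr++` per iteration, `nr > slab->objects` can only be reached when the loop stopped on the count bound with `fp` still non-NULL, which means more than `slab->objects` non-NULL pointers were walked and therefore some pointer repeated; it may be worth stating in the commit message that this covers a repeated entry anywhere in the chain, not only a strict cycle back to the head.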