From patchwork Wed Sep 29 21:23:47 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Rustam Kovhaev <rkovhaev@gmail.com>
X-Patchwork-Id: 12526637
Return-Path: <SRS0=IAB3=OT=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B038DC433FE
	for <linux-mm@archiver.kernel.org>; Wed, 29 Sep 2021 21:24:23 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 3890E615E0
	for <linux-mm@archiver.kernel.org>; Wed, 29 Sep 2021 21:24:23 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 3890E615E0
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id BB3EB940058; Wed, 29 Sep 2021 17:24:22 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id B645D94003A; Wed, 29 Sep 2021 17:24:22 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id A0499940058; Wed, 29 Sep 2021 17:24:22 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0169.hostedemail.com
 [216.40.44.169])
	by kanga.kvack.org (Postfix) with ESMTP id 9011594003A
	for <linux-mm@kvack.org>; Wed, 29 Sep 2021 17:24:22 -0400 (EDT)
Received: from smtpin01.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 3A8058249980
	for <linux-mm@kvack.org>; Wed, 29 Sep 2021 21:24:22 +0000 (UTC)
X-FDA: 78641889564.01.A3CF517
Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com
 [209.85.215.176])
	by imf03.hostedemail.com (Postfix) with ESMTP id E59C330000BC
	for <linux-mm@kvack.org>; Wed, 29 Sep 2021 21:24:21 +0000 (UTC)
Received: by mail-pg1-f176.google.com with SMTP id h3so4039223pgb.7
        for <linux-mm@kvack.org>; Wed, 29 Sep 2021 14:24:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=Fpo01N+lyyScDWgq92D1/O48N99YsmZj4WQK3k5r6Mo=;
        b=HM4oHczu6gs2h9KK3RI3VcgQwjbssZtyx7Vv2BcE3kGpF4b1QJ0oRybxE9aBl2GH1x
         /w43iWh5gjuSTpKtS8sxxcG9Nx1wNNO85Qtxd5GGBEa/2A2cjwEOni8csuVK8ApBzBN7
         kcxxhWAMjMt2ooGQ/7ZnOuMcCK7C46xyz4lCqBfF52Ejh88yWXA+xBfTqPqT0/dW+PG3
         bQFC3uszdafIr55L58NftLtzImjQfyIUEWtjQDdW8NYZYz4etC4EQ67Ze1hEImGxVg2A
         bkf6prnLYNE30FAdNKNU1zCSJ9zwkwQ9qh2FgxfoaemFCoKNbtsNS/X8reqnf8LZObtt
         p8qA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=Fpo01N+lyyScDWgq92D1/O48N99YsmZj4WQK3k5r6Mo=;
        b=nwmesmWpqGFkuWSpNVnArltdQxu0RsxOEaQp/E+MWoY1eCLHaELixT78P/RkAJ+fzf
         9h8vvnDrOhtCcLeNjDOQiYsvoCTyBc+48CBl6nlZ1piGYnhgxOXGejRgNQ2Hzy06UcDX
         vm6BcKGjDcqgT3zIO5z5mVm0dm+Z+fjSEs0LqVA9xBWwuyr+7IJYU0YoedC/YjYC7EbP
         n75Qes9Fmyy+MED7rHBNqWw27180/X+meZly4ZszhycGsqOpf52zH9Jbz3MXeCfRKFQj
         yraqwASOOQOgsc4zQvCps7kGWMbOnUZfYMnde2xQ2n4k9xi3PhYdMWJpnSV8974bTE1B
         5FwQ==
X-Gm-Message-State: AOAM531cnVv67jpD7L6MmW1MhMG6MoZXaKNBNOn/dsU64yrOsc8BX+P1
	4DHGljrEKxg8Y0ytK4BXypk=
X-Google-Smtp-Source: 
 ABdhPJz+Twh3I6xWm488muRPTJARlQ/8j0JckJWLWy34bu13dAChLYGq4WwFW2WNKGjs5i0N0T5qew==
X-Received: by 2002:a63:fb58:: with SMTP id w24mr1718437pgj.327.1632950660735;
        Wed, 29 Sep 2021 14:24:20 -0700 (PDT)
Received: from nuc10.aws.cis.local (d50-92-229-34.bchsia.telus.net.
 [50.92.229.34])
        by smtp.gmail.com with ESMTPSA id
 i5sm2689322pjk.47.2021.09.29.14.24.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 29 Sep 2021 14:24:20 -0700 (PDT)
From: Rustam Kovhaev <rkovhaev@gmail.com>
To: djwong@kernel.org,
	linux-xfs@vger.kernel.org,
	cl@linux.com,
	penberg@kernel.org,
	rientjes@google.com,
	iamjoonsoo.kim@lge.com,
	akpm@linux-foundation.org,
	vbabka@suse.cz
Cc: linux-kernel@vger.kernel.org,
	linux-mm@kvack.org,
	gregkh@linuxfoundation.org,
	Rustam Kovhaev <rkovhaev@gmail.com>
Subject: [PATCH] xfs: use kmem_cache_free() for kmem_cache objects
Date: Wed, 29 Sep 2021 14:23:47 -0700
Message-Id: <20210929212347.1139666-1-rkovhaev@gmail.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: E59C330000BC
X-Stat-Signature: eabnkoz43nfyrrc76nbywxpjnmm9c6sx
Authentication-Results: imf03.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=HM4oHczu;
	spf=pass (imf03.hostedemail.com: domain of rkovhaev@gmail.com designates
 209.85.215.176 as permitted sender) smtp.mailfrom=rkovhaev@gmail.com;
	dmarc=pass (policy=none) header.from=gmail.com
X-HE-Tag: 1632950661-687773
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

For kmalloc() allocations SLOB prepends the blocks with a 4-byte header,
and it puts the size of the allocated blocks in that header.
Blocks allocated with kmem_cache_alloc() allocations do not have that
header.

SLOB explodes when you allocate memory with kmem_cache_alloc() and then
try to free it with kfree() instead of kmem_cache_free().
SLOB will assume that there is a header when there is none, read some
garbage to size variable and corrupt the adjacent objects, which
eventually leads to hang or panic.

Let's make XFS work with SLOB by using proper free function.

Fixes: 9749fee83f38 ("xfs: enable the xfs_defer mechanism to process extents to free")
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
---
 fs/xfs/xfs_extfree_item.c | 6 +++---
 mm/slob.c                 | 6 ++++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c
index 3f8a0713573a..a4b8caa2c601 100644
--- a/fs/xfs/xfs_extfree_item.c
+++ b/fs/xfs/xfs_extfree_item.c
@@ -482,7 +482,7 @@ xfs_extent_free_finish_item(
 			free->xefi_startblock,
 			free->xefi_blockcount,
 			&free->xefi_oinfo, free->xefi_skip_discard);
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 	return error;
 }
 
@@ -502,7 +502,7 @@ xfs_extent_free_cancel_item(
 	struct xfs_extent_free_item	*free;
 
 	free = container_of(item, struct xfs_extent_free_item, xefi_list);
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 }
 
 const struct xfs_defer_op_type xfs_extent_free_defer_type = {
@@ -564,7 +564,7 @@ xfs_agfl_free_finish_item(
 	extp->ext_len = free->xefi_blockcount;
 	efdp->efd_next_extent++;
 
-	kmem_free(free);
+	kmem_cache_free(xfs_bmap_free_item_zone, free);
 	return error;
 }
 
diff --git a/mm/slob.c b/mm/slob.c
index 74d3f6e60666..d2d859ded5f8 100644
--- a/mm/slob.c
+++ b/mm/slob.c
@@ -389,7 +389,6 @@ static void slob_free(void *block, int size)
 
 	if (unlikely(ZERO_OR_NULL_PTR(block)))
 		return;
-	BUG_ON(!size);
 
 	sp = virt_to_page(block);
 	units = SLOB_UNITS(size);
@@ -556,6 +555,7 @@ void kfree(const void *block)
 	if (PageSlab(sp)) {
 		int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
 		unsigned int *m = (unsigned int *)(block - align);
+		BUG_ON(!*m || *m > (PAGE_SIZE - align));
 		slob_free(m, *m + align);
 	} else {
 		unsigned int order = compound_order(sp);
@@ -649,8 +649,10 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
 
 static void __kmem_cache_free(void *b, int size)
 {
-	if (size < PAGE_SIZE)
+	if (size < PAGE_SIZE) {
+		BUG_ON(!size);
 		slob_free(b, size);
+	}
 	else
 		slob_free_pages(b, get_order(size));
 }