https://github.com/torvalds/linux
Revision 1a62b18d51e5c5ecc0345c85bb9fef870ab721ed authored by Qian Cai on 19 April 2019, 00:49:55 UTC, committed by Linus Torvalds on 19 April 2019, 16:46:04 UTC
Commit 51dedad06b5f ("kasan, slab: make freelist stored without tags")
calls kasan_reset_tag() for off-slab slab management object leading to
freelist being stored non-tagged.

However, cache_grow_begin() calls alloc_slabmgmt(), which calls
kmem_cache_alloc_node(), which assigns a tag for the address and stores it in
the shadow address.  As a result, it causes endless errors below
during boot due to drain_freelist() -> slab_destroy() ->
kasan_slab_free() which compares already untagged freelist against the
stored tag in the shadow address.

Since off-slab slab management object freelist is such a special case,
just store it tagged.  Non-off-slab management object freelist is still
stored untagged which has not been assigned a tag and should not cause
any other troubles with this inconsistency.

  BUG: KASAN: double-free or invalid-free in slab_destroy+0x84/0x88
  Pointer tag: [ff], memory tag: [99]

  CPU: 0 PID: 1376 Comm: kworker/0:4 Tainted: G        W 5.1.0-rc3+ #8
  Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.0.6 07/10/2018
  Workqueue: cgroup_destroy css_killed_work_fn
  Call trace:
   print_address_description+0x74/0x2a4
   kasan_report_invalid_free+0x80/0xc0
   __kasan_slab_free+0x204/0x208
   kasan_slab_free+0xc/0x18
   kmem_cache_free+0xe4/0x254
   slab_destroy+0x84/0x88
   drain_freelist+0xd0/0x104
   __kmem_cache_shrink+0x1ac/0x224
   __kmemcg_cache_deactivate+0x1c/0x28
   memcg_deactivate_kmem_caches+0xa0/0xe8
   memcg_offline_kmem+0x8c/0x3d4
   mem_cgroup_css_offline+0x24c/0x290
   css_killed_work_fn+0x154/0x618
   process_one_work+0x9cc/0x183c
   worker_thread+0x9b0/0xe38
   kthread+0x374/0x390
   ret_from_fork+0x10/0x18

  Allocated by task 1625:
   __kasan_kmalloc+0x168/0x240
   kasan_slab_alloc+0x18/0x20
   kmem_cache_alloc_node+0x1f8/0x3a0
   cache_grow_begin+0x4fc/0xa24
   cache_alloc_refill+0x2f8/0x3e8
   kmem_cache_alloc+0x1bc/0x3bc
   sock_alloc_inode+0x58/0x334
   alloc_inode+0xb8/0x164
   new_inode_pseudo+0x20/0xec
   sock_alloc+0x74/0x284
   __sock_create+0xb0/0x58c
   sock_create+0x98/0xb8
   __sys_socket+0x60/0x138
   __arm64_sys_socket+0xa4/0x110
   el0_svc_handler+0x2c0/0x47c
   el0_svc+0x8/0xc

  Freed by task 1625:
   __kasan_slab_free+0x114/0x208
   kasan_slab_free+0xc/0x18
   kfree+0x1a8/0x1e0
   single_release+0x7c/0x9c
   close_pdeo+0x13c/0x43c
   proc_reg_release+0xec/0x108
   __fput+0x2f8/0x784
   ____fput+0x1c/0x28
   task_work_run+0xc0/0x1b0
   do_notify_resume+0xb44/0x1278
   work_pending+0x8/0x10

  The buggy address belongs to the object at ffff809681b89e00
   which belongs to the cache kmalloc-128 of size 128
  The buggy address is located 0 bytes inside of
   128-byte region [ffff809681b89e00, ffff809681b89e80)
  The buggy address belongs to the page:
  page:ffff7fe025a06e00 count:1 mapcount:0 mapping:01ff80082000fb00
  index:0xffff809681b8fe04
  flags: 0x17ffffffc000200(slab)
  raw: 017ffffffc000200 ffff7fe025a06d08 ffff7fe022ef7b88 01ff80082000fb00
  raw: ffff809681b8fe04 ffff809681b80000 00000001000000e0 0000000000000000
  page dumped because: kasan: bad access detected
  page allocated via order 0, migratetype Unmovable, gfp_mask
  0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE)
   prep_new_page+0x4e0/0x5e0
   get_page_from_freelist+0x4ce8/0x50d4
   __alloc_pages_nodemask+0x738/0x38b8
   cache_grow_begin+0xd8/0xa24
   ____cache_alloc_node+0x14c/0x268
   __kmalloc+0x1c8/0x3fc
   ftrace_free_mem+0x408/0x1284
   ftrace_free_init_mem+0x20/0x28
   kernel_init+0x24/0x548
   ret_from_fork+0x10/0x18

  Memory state around the buggy address:
   ffff809681b89c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
   ffff809681b89d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  >ffff809681b89e00: 99 99 99 99 99 99 99 99 fe fe fe fe fe fe fe fe
                     ^
   ffff809681b89f00: 43 43 43 43 43 fe fe fe fe fe fe fe fe fe fe fe
   ffff809681b8a000: 6d fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe

Link: http://lkml.kernel.org/r/20190403022858.97584-1-cai@lca.pw
Fixes: 51dedad06b5f ("kasan, slab: make freelist stored without tags")
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
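The tag mismatch described in the commit message, as an added illustration that is not the kernel's mm/slab.c or mm/kasan code: a simplified model of software tag-based KASAN in which a pointer carries its tag in the top byte, shadow memory records one tag byte per 16-byte granule, and the free path compares the two. Names such as model_alloc(), model_slab_free() and off_slab_scenario() are constructed for this example; the tag values 0x99 and 0xff mirror the "Pointer tag: [ff], memory tag: [99]" line of the report above.

```c
/*
 * Simplified model of software tag-based KASAN's free-time tag check.
 * Added example, not kernel code. Assumptions (constructed): a 64-bit
 * "address" is an offset into heap[] with its tag in bits 63:56, shadow
 * memory holds one tag byte per 16-byte granule, and 0xff is the tag that
 * kasan_reset_tag() leaves on an untagged kernel pointer.
 */
#include <stdint.h>
#include <stdio.h>

#define TAG_SHIFT      56
#define TAG_KERNEL     0xffu             /* tag of an untagged pointer */
#define GRANULE_SHIFT  4                 /* 16-byte shadow granules */
#define HEAP_SIZE      4096
#define SHADOW_SIZE    (HEAP_SIZE >> GRANULE_SHIFT)

static uint8_t heap[HEAP_SIZE];          /* object storage (unused contents) */
static uint8_t shadow[SHADOW_SIZE];      /* one tag byte per granule */

static uint64_t set_tag(uint64_t addr, uint8_t tag)
{
	return (addr & ~((uint64_t)0xff << TAG_SHIFT)) | ((uint64_t)tag << TAG_SHIFT);
}

static uint8_t get_tag(uint64_t addr)
{
	return (uint8_t)(addr >> TAG_SHIFT);
}

/* Model of kasan_reset_tag(): drop the allocation tag, leaving 0xff. */
static uint64_t reset_tag(uint64_t addr)
{
	return set_tag(addr, TAG_KERNEL);
}

static uint64_t untagged(uint64_t addr)
{
	return addr & (((uint64_t)1 << TAG_SHIFT) - 1);
}

/*
 * Model of the allocation side (kmem_cache_alloc_node() -> kasan hook):
 * record `tag` in the shadow of every granule the object covers and hand
 * back a pointer carrying that tag.
 */
static uint64_t model_alloc(uint64_t off, size_t size, uint8_t tag)
{
	for (size_t g = off >> GRANULE_SHIFT; g < (off + size) >> GRANULE_SHIFT; g++)
		shadow[g] = tag;
	(void)heap;
	return set_tag(off, tag);
}

/*
 * Model of kasan_slab_free()'s check: the tag in the pointer must equal the
 * tag stored in shadow for that memory. Returns 0 when they match and -1
 * when the check would emit a "double-free or invalid-free" report.
 */
static int model_slab_free(uint64_t ptr)
{
	uint8_t ptag = get_tag(ptr);
	uint8_t mtag = shadow[untagged(ptr) >> GRANULE_SHIFT];

	if (ptag != mtag) {
		printf("BUG: KASAN: double-free or invalid-free, "
		       "pointer tag [%02x], memory tag [%02x]\n", ptag, mtag);
		return -1;
	}
	return 0;
}

/*
 * Off-slab slab management object: the freelist lives in a separately
 * allocated, tagged object (a kmalloc-128 object with tag 0x99 in the
 * report). store_tagged == 1 models the fix (keep the tag when storing the
 * freelist); store_tagged == 0 models storing it through reset_tag(), which
 * is what produced the endless reports during boot.
 */
static int off_slab_scenario(int store_tagged)
{
	uint64_t freelist = model_alloc(0x100, 128, 0x99);
	uint64_t stored = store_tagged ? freelist : reset_tag(freelist);

	/* slab_destroy() -> kmem_cache_free(stored) -> kasan_slab_free() */
	return model_slab_free(stored);
}

int main(void)
{
	printf("untagged store -> %d\n", off_slab_scenario(0));  /* -1, reported */
	printf("tagged store   -> %d\n", off_slab_scenario(1));  /*  0, clean   */
	return 0;
}
```

The model shows why only the off-slab case needed the change: the freelist object there went through the tagging allocator, so its shadow carries a real tag and an untagged pointer can never match it at free time.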
1 parent 6d906f9
slab: store tagged freelist for off-slab slabmgmt