https://github.com/torvalds/linux
Revision 1a62b18d51e5c5ecc0345c85bb9fef870ab721ed authored by Qian Cai on 19 April 2019, 00:49:55 UTC, committed by Linus Torvalds on 19 April 2019, 16:46:04 UTC
Commit 51dedad06b5f ("kasan, slab: make freelist stored without tags")
calls kasan_reset_tag() for the off-slab slab management object, leading to
the freelist being stored non-tagged.

However, cache_grow_begin() calls alloc_slabmgmt(), which calls
kmem_cache_alloc_node(), which assigns a tag for the address and stores it
in the shadow address.  As a result, it causes the endless errors below
during boot due to drain_freelist() -> slab_destroy() ->
kasan_slab_free(), which compares the already untagged freelist against the
stored tag in the shadow address.

Since the off-slab slab management object freelist is such a special case,
just store it tagged.  The non-off-slab management object freelist is still
stored untagged; it has not been assigned a tag and should not cause
any other trouble with this inconsistency.

  BUG: KASAN: double-free or invalid-free in slab_destroy+0x84/0x88
  Pointer tag: [ff], memory tag: [99]

  CPU: 0 PID: 1376 Comm: kworker/0:4 Tainted: G        W 5.1.0-rc3+ #8
  Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.0.6 07/10/2018
  Workqueue: cgroup_destroy css_killed_work_fn
  Call trace:
   print_address_description+0x74/0x2a4
   kasan_report_invalid_free+0x80/0xc0
   __kasan_slab_free+0x204/0x208
   kasan_slab_free+0xc/0x18
   kmem_cache_free+0xe4/0x254
   slab_destroy+0x84/0x88
   drain_freelist+0xd0/0x104
   __kmem_cache_shrink+0x1ac/0x224
   __kmemcg_cache_deactivate+0x1c/0x28
   memcg_deactivate_kmem_caches+0xa0/0xe8
   memcg_offline_kmem+0x8c/0x3d4
   mem_cgroup_css_offline+0x24c/0x290
   css_killed_work_fn+0x154/0x618
   process_one_work+0x9cc/0x183c
   worker_thread+0x9b0/0xe38
   kthread+0x374/0x390
   ret_from_fork+0x10/0x18

  Allocated by task 1625:
   __kasan_kmalloc+0x168/0x240
   kasan_slab_alloc+0x18/0x20
   kmem_cache_alloc_node+0x1f8/0x3a0
   cache_grow_begin+0x4fc/0xa24
   cache_alloc_refill+0x2f8/0x3e8
   kmem_cache_alloc+0x1bc/0x3bc
   sock_alloc_inode+0x58/0x334
   alloc_inode+0xb8/0x164
   new_inode_pseudo+0x20/0xec
   sock_alloc+0x74/0x284
   __sock_create+0xb0/0x58c
   sock_create+0x98/0xb8
   __sys_socket+0x60/0x138
   __arm64_sys_socket+0xa4/0x110
   el0_svc_handler+0x2c0/0x47c
   el0_svc+0x8/0xc

  Freed by task 1625:
   __kasan_slab_free+0x114/0x208
   kasan_slab_free+0xc/0x18
   kfree+0x1a8/0x1e0
   single_release+0x7c/0x9c
   close_pdeo+0x13c/0x43c
   proc_reg_release+0xec/0x108
   __fput+0x2f8/0x784
   ____fput+0x1c/0x28
   task_work_run+0xc0/0x1b0
   do_notify_resume+0xb44/0x1278
   work_pending+0x8/0x10

  The buggy address belongs to the object at ffff809681b89e00
   which belongs to the cache kmalloc-128 of size 128
  The buggy address is located 0 bytes inside of
   128-byte region [ffff809681b89e00, ffff809681b89e80)
  The buggy address belongs to the page:
  page:ffff7fe025a06e00 count:1 mapcount:0 mapping:01ff80082000fb00
  index:0xffff809681b8fe04
  flags: 0x17ffffffc000200(slab)
  raw: 017ffffffc000200 ffff7fe025a06d08 ffff7fe022ef7b88 01ff80082000fb00
  raw: ffff809681b8fe04 ffff809681b80000 00000001000000e0 0000000000000000
  page dumped because: kasan: bad access detected
  page allocated via order 0, migratetype Unmovable, gfp_mask
  0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE)
   prep_new_page+0x4e0/0x5e0
   get_page_from_freelist+0x4ce8/0x50d4
   __alloc_pages_nodemask+0x738/0x38b8
   cache_grow_begin+0xd8/0xa24
   ____cache_alloc_node+0x14c/0x268
   __kmalloc+0x1c8/0x3fc
   ftrace_free_mem+0x408/0x1284
   ftrace_free_init_mem+0x20/0x28
   kernel_init+0x24/0x548
   ret_from_fork+0x10/0x18

  Memory state around the buggy address:
   ffff809681b89c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
   ffff809681b89d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  >ffff809681b89e00: 99 99 99 99 99 99 99 99 fe fe fe fe fe fe fe fe
                     ^
   ffff809681b89f00: 43 43 43 43 43 fe fe fe fe fe fe fe fe fe fe fe
   ffff809681b8a000: 6d fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe

Link: http://lkml.kernel.org/r/20190403022858.97584-1-cai@lca.pw
Fixes: 51dedad06b5f ("kasan, slab: make freelist stored without tags")
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
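To make the "Pointer tag: [ff], memory tag: [99]" mismatch in the report concrete, here is an added userspace model of the software tag-based KASAN free check; it is not kernel code and not part of this commit. The arm64 top-byte tag, the 0x99 tag value, the one-object shadow layout and the model_* function names are assumptions chosen to mirror the report.

```c
/* Added example: userspace model of the SW_TAGS KASAN free check. Not kernel
 * code; names loosely mirror mm/kasan/common.c, the shadow layout is made up. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KASAN_TAG_KERNEL 0xFF  /* tag of a native (untagged) kernel pointer */
#define TAG_SHIFT 56           /* arm64 TBI: the tag lives in the top byte */
#define REPORT_OBJ 0xffff809681b89e00ULL  /* object address from the report */
/* Shadow for one kmalloc-128 object: one tag byte per 16-byte granule. */
static uint8_t shadow[128 / 16];

static uint8_t get_tag(uint64_t p) { return (uint8_t)(p >> TAG_SHIFT); }

static uint64_t set_tag(uint64_t p, uint8_t tag)
{
	p &= ~((uint64_t)0xFF << TAG_SHIFT);
	return p | ((uint64_t)tag << TAG_SHIFT);
}

/* kasan_reset_tag(): strip the tag, leaving a plain 0xff... kernel pointer. */
static uint64_t reset_tag(uint64_t p) { return set_tag(p, KASAN_TAG_KERNEL); }

/* Allocation: choose a tag, store it in the object's shadow, hand out a tagged pointer. */
static uint64_t model_slab_alloc(uint64_t obj, uint8_t tag)
{
	memset(shadow, tag, sizeof shadow);
	return set_tag(obj, tag);
}

/* Free-time check: loads and stores through a 0xff pointer are let through,
 * but on free the pointer tag must equal the shadow tag exactly; a mismatch
 * is reported as "double-free or invalid-free". */
static bool model_slab_free_ok(uint64_t obj)
{
	return get_tag(obj) == shadow[0];
}

/* What commit 51dedad06b5f stored in the freelist: the pointer with its tag reset. */
static bool untagged_freelist_free_ok(void)
{
	uint64_t tagged = model_slab_alloc(REPORT_OBJ, 0x99);
	return model_slab_free_ok(reset_tag(tagged)); /* tag ff vs shadow 99: false */
}

/* What this commit stores for the off-slab slabmgmt freelist: the tagged pointer. */
static bool tagged_freelist_free_ok(void)
{
	return model_slab_free_ok(model_slab_alloc(REPORT_OBJ, 0x99)); /* true */
}
```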
1 parent 6d906f9
slab: store tagged freelist for off-slab slabmgmt