• Dongli Zhang's avatar
    mm/slub.c: fix corrupted freechain in deactivate_slab() · 6c09755c
    Dongli Zhang authored
    [ Upstream commit 52f23478 ]
    
    The slub_debug is able to fix the corrupted slab freelist/page.
    However, alloc_debug_processing() only checks the validity of current
    and next freepointer during allocation path.  As a result, once some
    objects have their freepointers corrupted, deactivate_slab() may lead to
    page fault.
    
    Below is from a test kernel module when 'slub_debug=PUF,kmalloc-128
    slub_nomerge'.  The test kernel corrupts the freepointer of one free
    object on purpose.  Unfortunately, deactivate_slab() does not detect it
    when iterating the freechain.
    
      BUG: unable to handle page fault for address: 00000000123456f8
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 0 P4D 0
      Oops: 0000 [#1] SMP PTI
      ... ...
      RIP: 0010:deactivate_slab.isra.92+0xed/0x490
      ... ...
      Call Trace:
       ___slab_alloc+0x536/0x570
       __slab_alloc+0x17/0x30
       __kmalloc+0x1d9/0x200
       ext4_htree_store_dirent+0x30/0xf0
       htree_dirblock_to_tree+0xcb/0x1c0
       ext4_htree_fill_tree+0x1bc/0x2d0
       ext4_readdir+0x54f/0x920
       iterate_dir+0x88/0x190
       __x64_sys_getdents+0xa6/0x140
       do_syscall_64+0x49/0x170
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Therefore, this patch adds extra consistency check in deactivate_slab().
    Once an object's freepointer is corrupted, all following objects
    starting at this object are isolated.
    
    [akpm@linux-foundation.org: fix build with CONFIG_SLAB_DEBUG=n]
    Signed-off-by: default avatarDongli Zhang <dongli.zhang@oracle.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Cc: Joe Jin <joe.jin@oracle.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Link: http://lkml.kernel.org/r/20200331031450.12182-1-dongli.zhang@oracle.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    6c09755c
slub.c 143 KB