From: lijiazi
X-Google-Original-From: lijiazi
To: Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton
Cc: lijiazi, linux-mm@kvack.org
Subject: [PATCH] slub: call BUG if next_object is not valid
Date: Fri, 3 Jan 2020 19:16:58 +0800
Message-Id:
X-Mailer: git-send-email 2.7.4

If the current object's memory is corrupted, there is a high probability
that the next_object stored in it will be rewritten as an illegal value.
It's better to check next_object this time than to encounter an illegal
pointer in the next slub alloc like the following:

[80138.529667] Unable to handle kernel paging request at virtual address 0069145a08d9a20d
[80138.529674] Mem abort info:
[80138.529677]   ESR = 0x96000004
[80138.529683]   Exception class = DABT (current EL), IL = 32 bits
[80138.529688]   SET = 0, FnV = 0
[80138.529692]   EA = 0, S1PTW = 0
[80138.529695] Data abort info:
[80138.529699]   ISV = 0, ISS = 0x00000004
[80138.529703]   CM = 0, WnR = 0
[80138.529708] [0069145a08d9a20d] address between user and kernel address ranges
[80138.529716] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[80138.529722] Modules linked in: wlan(O) rmnet_perf(O) rmnet_shs(O)
[80138.529812] CPU: 1 PID: 1074 Comm: cnss_diag Tainted: G S W  O      4.19.72-perf-gdee6978 #1
[80138.529824] pstate: 60400005 (nZCv daif +PAN -UAO)
[80138.529840] pc : __kmalloc_track_caller+0x1d0/0x318
[80138.529845] lr : __kmalloc_track_caller+0x60/0x318
[80138.529849] sp : ffffff8011f6b980
[80138.529852] x29: ffffff8011f6b9e0 x28: ffffffa187f15248
[80138.529858] x27: ffffffede4856580 x26: ffffff8011f6bab8
[80138.529864] x25: ffffffa18a238000 x24: ffffffec8681f980
[80138.529870] x23: 2369145a08d9a20d x22: ffffffec8681f980
[80138.529877] x21: ffffffa188e8c964 x20: 00000000000001c0
[80138.529884] x19: 00000000007102c0 x18: 0000000000000000
[80138.529890] x17: 0000000000000000 x16: 0000000000000000
[80138.529897] x15: 0000007fffffffff x14: 0000000002a46f01
[80138.529903] x13: 0000000000000000 x12: ffffffee38964760
[80138.529909] x11: dc96ebb941026589 x10: 2369145a08d9a20d
[80138.529916] x9 : 0000000002a46ef9 x8 : ffffffede4856580
[80138.529922] x7 : 0000000000000000 x6 : 0000000000000004
[80138.529929] x5 : 0000000000000003 x4 : 00000000007000c0
[80138.529935] x3 : ffffff8011f6bba4 x2 : ffffffa188e8c964
[80138.529942] x1 : 00000000007102c0 x0 : 0000000000000000
[80138.530481] Call trace:
[80138.530488]  __kmalloc_track_caller+0x1d0/0x318
[80138.530498]  __alloc_skb+0x94/0x198
[80138.530504]  alloc_skb_with_frags+0x5c/0x198
[80138.530511]  sock_alloc_send_pskb+0x1d0/0x2c8
[80138.530520]  unix_dgram_sendmsg+0x234/0xa80
[80138.530525]  sock_write_iter+0xb8/0x110
[80138.530532]  do_iter_readv_writev+0x118/0x158
[80138.530540]  do_iter_write+0x7c/0x190
[80138.530544]  vfs_writev+0x84/0xe8
[80138.530549]  do_writev+0x78/0x118
[80138.530554]  __arm64_sys_writev+0x1c/0x28
[80138.530564]  el0_svc_common+0xa0/0x158
[80138.530569]  el0_svc_handler+0x6c/0x88
[80138.530578]  el0_svc+0x8/0xc

Signed-off-by: lijiazi
---
 mm/slub.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/slub.c b/mm/slub.c
index a0b335d..758e4e6 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2744,6 +2744,9 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s, } else { void *next_object = get_freepointer_safe(s, object); + if (unlikely(!virt_addr_valid(next_object))) + BUG(); + /* * The cmpxchg will only match if there was no additional * operation and if we are on the right processor.
-- 
2.7.4
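Review bot: the added `if (unlikely(!virt_addr_valid(next_object))) BUG();` fires on a legitimate state, not only on corruption: next_object is the free pointer read out of object, and for the last free object on a per-cpu freelist that pointer is NULL, which virt_addr_valid() does not accept as a linear-map address, so every allocation that drains a cpu freelist would hit BUG(). The check also sits before the cmpxchg in the lockless fastpath, where the retained comment "The cmpxchg will only match if there was no additional operation and if we are on the right processor" is the whole reason get_freepointer_safe() is used: object can be stale here and the pointer read from it can be garbage that the cmpxchg would simply reject, so a hard BUG() at this point turns a benign race into a crash. At minimum the condition needs to admit NULL, e.g. `if (unlikely(next_object && !virt_addr_valid(next_object)))`, and it belongs after the cmpxchg has confirmed that object was really ours; the commit message should also state what the extra check costs on the fastpath and why a BUG() rather than a warning is the intended response to detected freelist corruption.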