From: Marco Elver <elver@google.com>
To: elver@google.com
Cc: Alexander Potapenko <glider@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Pekka Enberg <penberg@kernel.org>,
	Christoph Lameter <cl@linux.com>,
	Kees Cook <keescook@chromium.org>,
	kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org
Subject: Odd-sized kmem_cache_alloc and slub_debug=Z
Date: Fri, 7 Aug 2020 18:06:27 +0200
Message-ID: <20200807160627.GA1420741@elver.google.com>

Hi,

I found that the below debug-code using kmem_cache_alloc(), when using
slub_debug=Z, results in the following crash:

	general protection fault, probably for non-canonical address 0xcccccca41caea170: 0000 [#1] PREEMPT SMP PTI
	CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0+ #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
	RIP: 0010:freelist_dereference mm/slub.c:272 [inline]
	RIP: 0010:get_freepointer mm/slub.c:278 [inline]
	RIP: 0010:deactivate_slab+0x54/0x460 mm/slub.c:2111
	Code: 8b bc c7 e0 00 00 00 48 85 d2 0f 84 00 01 00 00 49 89 d5 31 c0 48 89 44 24 08 66 66 2e 0f 1f 84 00 00 00 00 00 90 44 8b 43 20 <4b> 8b 44 05 00 48 85 c0 0f 84 1e 01 00 00 4c 89 ed 49 89 c5 8b 43
	RSP: 0000:ffffffffa7e03e18 EFLAGS: 00010046
	RAX: 0000000000000000 RBX: ffffa3a41c972340 RCX: 0000000000000000
	RDX: cccccca41caea160 RSI: ffffe7c6a072ba80 RDI: ffffa3a41c972340
	RBP: ffffa3a41caea008 R08: 0000000000000010 R09: ffffa3a41caea01d
	R10: ffffffffa7f8dc50 R11: ffffffffa68f44c0 R12: ffffa3a41c972340
	R13: cccccca41caea160 R14: ffffe7c6a072ba80 R15: ffffa3a41c96d540
	FS:  0000000000000000(0000) GS:ffffa3a41fc00000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: ffffa3a051c01000 CR3: 000000045140a001 CR4: 0000000000770ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	PKRU: 00000000
	Call Trace:
	 ___slab_alloc+0x336/0x340 mm/slub.c:2690
	 __slab_alloc mm/slub.c:2714 [inline]
	 slab_alloc_node mm/slub.c:2788 [inline]
	 slab_alloc mm/slub.c:2832 [inline]
	 kmem_cache_alloc+0x135/0x200 mm/slub.c:2837
	 start_kernel+0x3d6/0x44e init/main.c:1049
	 secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:243

Any ideas what might be wrong?

This does not crash when redzones are not enabled.

Thanks,
-- Marco

------ >8 ------

diff --git a/init/main.c b/init/main.c
index 15bd0efff3df..f4aa5bb3f2ec 100644
--- a/init/main.c
+++ b/init/main.c
@@ -1041,6 +1041,16 @@ asmlinkage __visible void __init start_kernel(void)
 	sfi_init_late();
 	kcsan_init();
 
+	/* DEBUG CODE */
+	{
+		struct kmem_cache *c = kmem_cache_create("test", 21, 1, 0, NULL);
+		char *buf;
+		BUG_ON(!c);
+		buf = kmem_cache_alloc(c, GFP_KERNEL);
+		kmem_cache_free(c, buf);
+		kmem_cache_destroy(c);
+	}
+
 	/* Do the rest non-__init'ed, we're now alive */
 	arch_call_rest_init();
 
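Review bot: the reproducer leaves out the cache geometry that decides where SLUB stores the freelist pointer, which is what the crash above is about. In the `/* DEBUG CODE */` block, `kmem_cache_create("test", 21, 1, 0, NULL)` deliberately asks for a 21-byte object with alignment 1, and the value being dereferenced in the trace, `0xcccccca41caea160` (RDX/R13), has its upper bytes filled with 0xcc, the SLUB active-redzone fill byte, so the free pointer appears to be read from bytes that overlap the redzone rather than from a separate slot. Before the `kmem_cache_alloc()` call it would help to log `c->size`, `c->inuse` and `c->offset` with `pr_info()` so readers of the report can see the layout SLUB computed for this cache, and to run the same block once more with a pointer-aligned size (e.g. 24) so the report shows that only the odd size triggers the fault, as the subject line implies.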


Thread overview: 8+ messages
2020-08-07 16:06 Marco Elver [this message]
2020-08-07 17:06 ` Odd-sized kmem_cache_alloc and slub_debug=Z Pekka Enberg
2020-08-07 17:18   ` Marco Elver
2020-08-07 19:06     ` Pekka Enberg
2020-08-17 18:31       ` Marco Elver
2020-10-08 23:10         ` Kees Cook
2020-08-07 17:16 ` Kees Cook
2020-08-07 17:20   ` Marco Elver
