From: Marco Elver <elver@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Alexander Potapenko <glider@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Pekka Enberg <penberg@kernel.org>,
Christoph Lameter <cl@linux.com>,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: Odd-sized kmem_cache_alloc and slub_debug=Z
Date: Fri, 7 Aug 2020 19:20:48 +0200
Message-ID: <20200807172048.GB1467156@elver.google.com>
In-Reply-To: <202008071010.69B612E@keescook>
On Fri, Aug 07, 2020 at 10:16AM -0700, Kees Cook wrote:
> On Fri, Aug 07, 2020 at 06:06:27PM +0200, Marco Elver wrote:
> > I found that the below debug-code using kmem_cache_alloc(), when using
> > slub_debug=Z, results in the following crash:
> >
> > general protection fault, probably for non-canonical address 0xcccccca41caea170: 0000 [#1] PREEMPT SMP PTI
> > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0+ #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
> > RIP: 0010:freelist_dereference mm/slub.c:272 [inline]
> > RIP: 0010:get_freepointer mm/slub.c:278 [inline]
>
> That really looks like more fun from my moving the freelist pointer...
>
> > R13: cccccca41caea160 R14: ffffe7c6a072ba80 R15: ffffa3a41c96d540
>
> Except that it's all cccc at the start, which doesn't look like "data"
> nor the hardened freelist obfuscation.
>
> > FS: 0000000000000000(0000) GS:ffffa3a41fc00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: ffffa3a051c01000 CR3: 000000045140a001 CR4: 0000000000770ef0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > PKRU: 00000000
> > Call Trace:
> > ___slab_alloc+0x336/0x340 mm/slub.c:2690
> > __slab_alloc mm/slub.c:2714 [inline]
> > slab_alloc_node mm/slub.c:2788 [inline]
> > slab_alloc mm/slub.c:2832 [inline]
> > kmem_cache_alloc+0x135/0x200 mm/slub.c:2837
> > start_kernel+0x3d6/0x44e init/main.c:1049
> > secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:243
> >
> > Any ideas what might be wrong?
> >
> > This does not crash when redzones are not enabled.
> >
> > Thanks,
> > -- Marco
> >
> > ------ >8 ------
> >
> > diff --git a/init/main.c b/init/main.c
> > index 15bd0efff3df..f4aa5bb3f2ec 100644
> > --- a/init/main.c
> > +++ b/init/main.c
> > @@ -1041,6 +1041,16 @@ asmlinkage __visible void __init start_kernel(void)
> > sfi_init_late();
> > kcsan_init();
> >
> > + /* DEBUG CODE */
> > + {
> > + struct kmem_cache *c = kmem_cache_create("test", 21, 1, 0, NULL);
> > + char *buf;
> > + BUG_ON(!c);
> > + buf = kmem_cache_alloc(c, GFP_KERNEL);
> > + kmem_cache_free(c, buf);
> > + kmem_cache_destroy(c);
> > + }
> > +
> > /* Do the rest non-__init'ed, we're now alive */
> > arch_call_rest_init();
> >
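Review bot: in the debug block, the return value of `kmem_cache_alloc(c, GFP_KERNEL)` is handed straight to `kmem_cache_free(c, buf)` with no NULL check, although the cache creation above it is guarded by `BUG_ON(!c)`; adding `BUG_ON(!buf);` after the alloc would let an allocation failure be reported separately from the freelist dereference crash the report describes. It would also help readers of the reproducer if the comment said that the 21-byte object size with alignment 1 is deliberate, since the odd, unaligned size is the whole point of the test.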
>
> Which kernel version? Can you send your CONFIG too?
Sorry, didn't see this before I replied to the other -- it's here:
https://lkml.kernel.org/r/20200807171849.GA1467156@elver.google.com
Thanks,
-- Marco
Thread overview:
2020-08-07 16:06 Odd-sized kmem_cache_alloc and slub_debug=Z Marco Elver
2020-08-07 17:06 ` Pekka Enberg
2020-08-07 17:18 ` Marco Elver
2020-08-07 19:06 ` Pekka Enberg
2020-08-17 18:31 ` Marco Elver
2020-10-08 23:10 ` Kees Cook
2020-08-07 17:16 ` Kees Cook
2020-08-07 17:20 ` Marco Elver [this message]