From: Feng Tang <feng.tang@intel.com>
To: "Peng Fan (OSS)" <peng.fan@oss.nxp.com>
Cc: <nicolas.bouchinet@clip-os.org>, <chengming.zhou@linux.dev>,
<vbabka@suse.cz>, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Roman Gushchin" <roman.gushchin@linux.dev>,
Hyeonggon Yoo <42.hyeyoo@gmail.com>,
"open list:SLAB ALLOCATOR" <linux-mm@kvack.org>,
open list <linux-kernel@vger.kernel.org>,
Peng Fan <peng.fan@nxp.com>
Subject: Re: [PATCH V1] mm, slub: avoid zeroing kmalloc redzone
Date: Sun, 25 Aug 2024 21:05:25 +0800 [thread overview]
Message-ID: <ZsssFS68lfFR2yJU@feng-clx.sh.intel.com> (raw)
In-Reply-To: <20240823062415.3632189-1-peng.fan@oss.nxp.com>
On Fri, Aug 23, 2024 at 02:24:15PM +0800, Peng Fan (OSS) wrote:
> From: Peng Fan <peng.fan@nxp.com>
>
> With commit 946fa0dbf2d8
> ("mm/slub: extend redzone check to extra allocated kmalloc space than requested"),
> setting orig_size treats the wasted space (object_size - orig_size) as
> redzones. But (in check_object()) when orig_size is set to zero, the entire
> object is perceived as a redzone. To a valid allocated kmalloc space,
> when init_on_free=1, the wasted space and the orig_size should
> not be cleared to 0, otherwise there will be kernel dump:
>
> [ 0.000000] =============================================================================
> [ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
> [ 0.000000] -----------------------------------------------------------------------------
> [ 0.000000]
> [ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
> [ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
> [ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)
> [ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
> [ 0.000000]
> [ 0.000000] Redzone ffff000010032850: cc cc cc cc cc cc cc cc ........
> [ 0.000000] Object ffff000010032858: cc cc cc cc cc cc cc cc ........
> [ 0.000000] Redzone ffff000010032860: cc cc cc cc cc cc cc cc ........
> [ 0.000000] Padding ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00 ............
> [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144
> [ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
> [ 0.000000] Call trace:
> [ 0.000000] dump_backtrace+0x90/0xe8
> [ 0.000000] show_stack+0x18/0x24
> [ 0.000000] dump_stack_lvl+0x74/0x8c
> [ 0.000000] dump_stack+0x18/0x24
> [ 0.000000] print_trailer+0x150/0x218
> [ 0.000000] check_object+0xe4/0x454
> [ 0.000000] free_to_partial_list+0x2f8/0x5ec
>
> To address the issue, use orig_size to clear the used area. And restore
> the value of orig_size after clear the remaining area.
>
> When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns
> s->object_size. So when using memset to init the area, the size can simply
> be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not
> enabled. And orig_size can never be bigger than object_size.
>
> Fixes: 946fa0dbf2d8 ("mm/slub: extend redzone check to extra allocated kmalloc space than requested")
Thanks for the fix! I missed to test the 'init_on_free' case back then.
Reviewed-by: Feng Tang <feng.tang@intel.com>
with one small nit below
> Signed-off-by: Peng Fan <peng.fan@nxp.com>
> ---
>
> RFC->V1:
> Update commit log (Per Hyeonggon)
> Use orig_size to do memset(Per Hyeonggon)
> Add get_orig_size and set_orig_size when CONFIG_SLUB_DEBUG not enabled(kernel test robot)
> https://lore.kernel.org/all/20240819064115.385086-1-peng.fan@oss.nxp.com/
>
> mm/slub.c | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 94f5a4143825..a5fbeb2835b1 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1895,6 +1895,15 @@ static inline void inc_slabs_node(struct kmem_cache *s, int node,
> static inline void dec_slabs_node(struct kmem_cache *s, int node,
> int objects) {}
>
> +static inline unsigned int get_orig_size(struct kmem_cache *s, void *object)
> +{
> + return s->object_size;
> +}
> +
> +static inline void set_orig_size(struct kmem_cache *s, void *object,
> + unsigned int orig_size)
> +{}
Current get_orig_size() and set_orig_size() are protected by
CONFIG_SLUB_DEUG=y macro, and with this patch, they will be called
in both ON and OFF case. Maybe we can just lift those existing
functions out of the "#ifdef CONFIG_SLUB_DEBUG" protection?
Thanks,
Feng
next prev parent reply other threads:[~2024-08-25 13:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-23 6:24 [PATCH V1] mm, slub: avoid zeroing kmalloc redzone Peng Fan (OSS)
2024-08-25 13:05 ` Feng Tang [this message]
2024-08-28 2:43 ` Peng Fan
2024-08-28 16:53 ` Vlastimil Babka
2024-08-29 5:16 ` Feng Tang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZsssFS68lfFR2yJU@feng-clx.sh.intel.com \
--to=feng.tang@intel.com \
--cc=42.hyeyoo@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=chengming.zhou@linux.dev \
--cc=cl@linux.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=nicolas.bouchinet@clip-os.org \
--cc=penberg@kernel.org \
--cc=peng.fan@nxp.com \
--cc=peng.fan@oss.nxp.com \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.