[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAB=+i9RQiDWE6ignfKn2p+UiDF9W=jAuqsmYhHrO9h06+X-pKA@mail.gmail.com>
Date: Sat, 30 Sep 2023 20:04:00 +0900
From: Hyeonggon Yoo <42.hyeyoo@...il.com>
To: Matteo Rizzo <matteorizzo@...gle.com>
Cc: cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
iamjoonsoo.kim@....com, akpm@...ux-foundation.org, vbabka@...e.cz,
roman.gushchin@...ux.dev, keescook@...omium.org, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-hardening@...r.kernel.org, tglx@...utronix.de, mingo@...hat.com,
bp@...en8.de, dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
corbet@....net, luto@...nel.org, peterz@...radead.org, jannh@...gle.com,
evn@...gle.com, poprdi@...gle.com, jordyzomer@...gle.com
Subject: Re: [RFC PATCH 01/14] mm/slub: don't try to dereference invalid freepointers
On Fri, Sep 15, 2023 at 7:59 PM Matteo Rizzo <matteorizzo@...gle.com> wrote:
>
> slab_free_freelist_hook tries to read a freelist pointer from the
> current object even when freeing a single object. This is invalid
> because single objects don't actually contain a freelist pointer when
> they're freed and the memory contains other data. This causes problems
> for checking the integrity of freelist in get_freepointer.
>
> Signed-off-by: Matteo Rizzo <matteorizzo@...gle.com>
> ---
> mm/slub.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index f7940048138c..a7dae207c2d2 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1820,7 +1820,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
>
> do {
> object = next;
> - next = get_freepointer(s, object);
> + /* Single objects don't actually contain a freepointer */
> + if (object != old_tail)
> + next = get_freepointer(s, object);
>
> /* If object's reuse doesn't have to be delayed */
> if (!slab_free_hook(s, object, slab_want_init_on_free(s))) {
> --
> 2.42.0.459.ge4e396fd5e-goog
>
Looks good to me,
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@...il.com>
Powered by blists - more mailing lists