lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1510023934-17517-1-git-send-email-miles.chen@mediatek.com>
Date:   Tue, 7 Nov 2017 11:05:34 +0800
From:   <miles.chen@...iatek.com>
To:     Christoph Lameter <cl@...ux.com>,
        Pekka Enberg <penberg@...nel.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Andrew Morton <akpm@...ux-foundation.org>
CC:     <linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>,
        <wsd_upstream@...iatek.com>, <linux-mediatek@...ts.infradead.org>,
        Miles Chen <miles.chen@...iatek.com>
Subject: [PATCH] slub: Fix sysfs duplicate filename creation when slub_debug=O

From: Miles Chen <miles.chen@...iatek.com>

When slub_debug=O is set. It is possible to clear debug flags
for an "unmergeable" slab cache in kmem_cache_open().
It makes the "unmergeable" cache became "mergeable" in sysfs_slab_add().

These caches will generate their "unique IDs" by create_unique_id(),
but it is possible to create identical unique IDs. In my experiment,
sgpool-128, names_cache, biovec-256 generate the same ID ":Ft-0004096"
and the kernel reports "sysfs: cannot create duplicate filename
'/kernel/slab/:Ft-0004096'".

To repeat my experiment, set disable_higher_order_debug=1,
CONFIG_SLUB_DEBUG_ON=y in kernel-4.14.

Fix this issue by setting unmergeable=1 if slub_debug=O and the
the default slub_debug contains any no-merge flags.

call path:
kmem_cache_create()
  __kmem_cache_alias()	-> we set SLAB_NEVER_MERGE flags here
  create_cache()
    __kmem_cache_create()
      kmem_cache_open()	-> clear DEBUG_METADATA_FLAGS
      sysfs_slab_add()	-> the slab cache is mergeable now

[    0.674272] sysfs: cannot create duplicate filename '/kernel/slab/:Ft-0004096'
[    0.674473] ------------[ cut here ]------------
[    0.674653] WARNING: CPU: 0 PID: 1 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x60/0x7c
[    0.674847] Modules linked in:
[    0.674969] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W       4.14.0-rc7ajb-00131-gd4c2e9f-dirty #123
[    0.675211] Hardware name: linux,dummy-virt (DT)
[    0.675342] task: ffffffc07d4e0080 task.stack: ffffff8008008000
[    0.675505] PC is at sysfs_warn_dup+0x60/0x7c
[    0.675633] LR is at sysfs_warn_dup+0x60/0x7c
[    0.675759] pc : [<ffffff8008235808>] lr : [<ffffff8008235808>] pstate: 60000145
[    0.675948] sp : ffffff800800bb40
[    0.676048] x29: ffffff800800bb40 x28: 0000000000000040
[    0.676209] x27: ffffffc07c52a380 x26: 0000000000000000
[    0.676369] x25: ffffff8008af4ad0 x24: ffffff8008af4000
[    0.676528] x23: ffffffc07c532580 x22: ffffffc07cf04598
[    0.676695] x21: ffffffc07cf26578 x20: ffffffc07c533700
[    0.676857] x19: ffffffc07ce67000 x18: 0000000000000002
[    0.677017] x17: 0000000000007ffe x16: 0000000000000007
[    0.677176] x15: 0000000000000001 x14: 0000000000007fff
[    0.677335] x13: 0000000000000394 x12: 0000000000000000
[    0.677492] x11: 00000000000001ab x10: 0000000000000007
[    0.677651] x9 : 00000000000001ac x8 : ffffff800835d114
[    0.677809] x7 : 656b2f2720656d61 x6 : 0000000000000017
[    0.677967] x5 : ffffffc07ffdb9a8 x4 : 0000000000000000
[    0.678124] x3 : 0000000000000000 x2 : ffffffffffffffff
[    0.678282] x1 : ffffff8008a4e878 x0 : 0000000000000042
[    0.678442] Call trace:
[    0.678528] Exception stack(0xffffff800800ba00 to 0xffffff800800bb40)
[    0.678706] ba00: 0000000000000042 ffffff8008a4e878 ffffffffffffffff 0000000000000000
[    0.678914] ba20: 0000000000000000 ffffffc07ffdb9a8 0000000000000017 656b2f2720656d61
[    0.679121] ba40: ffffff800835d114 00000000000001ac 0000000000000007 00000000000001ab
[    0.679326] ba60: 0000000000000000 0000000000000394 0000000000007fff 0000000000000001
[    0.679532] ba80: 0000000000000007 0000000000007ffe 0000000000000002 ffffffc07ce67000
[    0.679739] baa0: ffffffc07c533700 ffffffc07cf26578 ffffffc07cf04598 ffffffc07c532580
[    0.679944] bac0: ffffff8008af4000 ffffff8008af4ad0 0000000000000000 ffffffc07c52a380
[    0.680149] bae0: 0000000000000040 ffffff800800bb40 ffffff8008235808 ffffff800800bb40
[    0.680354] bb00: ffffff8008235808 0000000060000145 ffffffc07c533700 0000000062616c73
[    0.680560] bb20: ffffffffffffffff 0000000000000000 ffffff800800bb40 ffffff8008235808
[    0.680774] [<ffffff8008235808>] sysfs_warn_dup+0x60/0x7c
[    0.680928] [<ffffff8008235920>] sysfs_create_dir_ns+0x98/0xa0
[    0.681095] [<ffffff8008539274>] kobject_add_internal+0xa0/0x294
[    0.681267] [<ffffff80085394f8>] kobject_init_and_add+0x90/0xb4
[    0.681435] [<ffffff80081b524c>] sysfs_slab_add+0x90/0x200
[    0.681592] [<ffffff80081b62a0>] __kmem_cache_create+0x26c/0x438
[    0.681769] [<ffffff80081858a4>] kmem_cache_create+0x164/0x1f4
[    0.681940] [<ffffff80086caa98>] sg_pool_init+0x60/0x100
[    0.682094] [<ffffff8008084144>] do_one_initcall+0x38/0x12c
[    0.682254] [<ffffff80086a0d10>] kernel_init_freeable+0x138/0x1d4
[    0.682423] [<ffffff8008547388>] kernel_init+0x10/0xfc
[    0.682571] [<ffffff80080851e0>] ret_from_fork+0x10/0x18

Signed-off-by: Miles Chen <miles.chen@...iatek.com>
---
 mm/slub.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mm/slub.c b/mm/slub.c
index 1efbb812..8cbf9f7 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5704,6 +5704,10 @@ static int sysfs_slab_add(struct kmem_cache *s)
 		return 0;
 	}
 
+	if (!unmergeable && disable_higher_order_debug &&
+			(slub_debug & SLAB_NEVER_MERGE))
+		unmergeable = 1;
+
 	if (unmergeable) {
 		/*
 		 * Slabcache can never be merged so we can use the name proper.
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ