lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y2DngwUc7cLB0dG7@hyeyoo>
Date:   Tue, 1 Nov 2022 18:31:47 +0900
From:   Hyeonggon Yoo <42.hyeyoo@...il.com>
To:     John Thomson <lists@...nthomson.fastmail.com.au>
Cc:     Feng Tang <feng.tang@...el.com>, Vlastimil Babka <vbabka@...e.cz>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Christoph Lameter <cl@...ux.com>,
        Pekka Enberg <penberg@...nel.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Roman Gushchin <roman.gushchin@...ux.dev>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Jonathan Corbet <corbet@....net>,
        Andrey Konovalov <andreyknvl@...il.com>,
        "Hansen, Dave" <dave.hansen@...el.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "kasan-dev@...glegroups.com" <kasan-dev@...glegroups.com>,
        Robin Murphy <robin.murphy@....com>,
        John Garry <john.garry@...wei.com>,
        Kefeng Wang <wangkefeng.wang@...wei.com>,
        Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
        linux-mips@...r.kernel.org
Subject: Re: [PATCH v6 1/4] mm/slub: enable debugging memory wasting of
 kmalloc

On Tue, Nov 01, 2022 at 09:20:21AM +0000, John Thomson wrote:
> On Tue, 1 Nov 2022, at 07:57, Feng Tang wrote:
> > Hi Thomson,
> >
> > Thanks for testing!
> >
> > + mips maintainer and mail list. The original report is here
> >
> > https://lore.kernel.org/lkml/becf2ac3-2a90-4f3a-96d9-a70f67c66e4a@app.fastmail.com/
>
> I am guessing my issue comes from __kmem_cache_alloc_lru accessing s->object_size when (kmem_cache) s is NULL?
> If that is the case, this change is not to blame, it only exposes the issue?
> 
> I get the following dmesg (note very early NULL kmem_cache) with the below change atop v6.1-rc3:
> 
> transfer started ......................................... transfer ok, time=2.02s
> setting up elf image... OK
> jumping to kernel code
> zimage at:     80B842A0 810B4EFC
> 
> Uncompressing Linux at load address 80001000
> 
> Copy device tree to address  80B80EE0
> 
> Now, booting the kernel...
> 
> [    0.000000] Linux version 6.1.0-rc3+ (john@...n) (mipsel-buildroot-linux-gnu-gcc.br_real (Buildroot 2021.11-4428-g6b6741b) 12.2.0, GNU ld (GNU Binutils) 2.39) #61 SMP Tue Nov  1 18:04:13 AEST 2022
> [    0.000000] slub: kmem_cache_alloc called with kmem_cache: 0x0
> [    0.000000] slub: __kmem_cache_alloc_lru called with kmem_cache: 0x0
> [    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
> [    0.000000] printk: bootconsole [early0] enabled
> [    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
> [    0.000000] MIPS: machine is MikroTik RouterBOARD 760iGS
> 
> normal boot
> 
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 157527d7101b..10fcdf2520d2 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -3410,7 +3410,13 @@ static __always_inline
>  void *__kmem_cache_alloc_lru(struct kmem_cache *s, struct list_lru *lru,
>  			     gfp_t gfpflags)
>  {
> -	void *ret = slab_alloc(s, lru, gfpflags, _RET_IP_, s->object_size);
> +	void *ret;
> +	if (IS_ERR_OR_NULL(s)) {
> +		pr_warn("slub: __kmem_cache_alloc_lru called with kmem_cache: %pSR\n", s);
> +		ret = slab_alloc(s, lru, gfpflags, _RET_IP_, 0);
> +	} else {
> +		ret = slab_alloc(s, lru, gfpflags, _RET_IP_, s->object_size);
> +	}
>  
>  	trace_kmem_cache_alloc(_RET_IP_, ret, s, gfpflags, NUMA_NO_NODE);
>  
> @@ -3419,6 +3425,8 @@ void *__kmem_cache_alloc_lru(struct kmem_cache *s, struct list_lru *lru,
>  
>  void *kmem_cache_alloc(struct kmem_cache *s, gfp_t gfpflags)
>  {
> +	if (IS_ERR_OR_NULL(s))
> +		pr_warn("slub: kmem_cache_alloc called with kmem_cache: %pSR\n", s);
>  	return __kmem_cache_alloc_lru(s, NULL, gfpflags);
>  }
>  EXPORT_SYMBOL(kmem_cache_alloc);
> @@ -3426,6 +3434,8 @@ EXPORT_SYMBOL(kmem_cache_alloc);
>  void *kmem_cache_alloc_lru(struct kmem_cache *s, struct list_lru *lru,
>  			   gfp_t gfpflags)
>  {
> +	if (IS_ERR_OR_NULL(s))
> +		pr_warn("slub: __kmem_cache_alloc_lru called with kmem_cache: %pSR\n", s);
>  	return __kmem_cache_alloc_lru(s, lru, gfpflags);
>  }
>  EXPORT_SYMBOL(kmem_cache_alloc_lru);
> 
> 
> Any hints on where kmem_cache_alloc would be being called from this early?
> I will start looking from /init/main.c around pr_notice("%s", linux_banner);

Great. Would you try calling dump_stack(); when we observed s == NULL?
That would give more information about who passed s == NULL to these
functions.

-- 
Thanks,
Hyeonggon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ