lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <044edc48-f597-46dd-8dc8-524697e50848@meta.com>
Date: Mon, 29 Jul 2024 14:46:08 -0400
From: Chris Mason <clm@...a.com>
To: Rik van Riel <riel@...riel.com>
Cc: Pekka Enberg <penberg@...nel.org>, Christoph Lameter <cl@...ux.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Vlastimil Babka <vbabka@...e.cz>, kernel-team@...a.com,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        David Rientjes <rientjes@...gle.com>
Subject: Re: [PATCH] mm,slub: do not call do_slab_free for kfence object



On 7/29/24 2:19 PM, Rik van Riel wrote:
> In 782f8906f805 the freeing of kfence objects was moved from deep
> inside do_free_slab to the wrapper functions outside. This is a nice
> change, but unfortunately it missed one spot in __kmem_cache_free_bulk.
> 
> This results in a crash like this:
> 
> BUG skbuff_head_cache (Tainted: G S  B       E     ): Padding overwritten. 0xffff88907fea0f00-0xffff88907fea0fff @offset=3840
> 
> slab_err (mm/slub.c:1129)
> free_to_partial_list (mm/slub.c:? mm/slub.c:4036)
> slab_pad_check (mm/slub.c:864 mm/slub.c:1290)
> check_slab (mm/slub.c:?)
> free_to_partial_list (mm/slub.c:3171 mm/slub.c:4036)
> kmem_cache_alloc_bulk (mm/slub.c:? mm/slub.c:4495 mm/slub.c:4586 mm/slub.c:4635)
> napi_build_skb (net/core/skbuff.c:348 net/core/skbuff.c:527 net/core/skbuff.c:549)
> 
> All the other callers to do_free_slab appear to be ok.
> 
> Add a kfence_free check in __kmem_cache_free_bulk to avoid the crash.
> 
> Reported-by: Chris Mason <clm@...a.com>
> Fixes: 782f8906f805 ("mm/slub: free KFENCE objects in slab_free_hook()")
> Cc: stable@...nel.org
> Signed-off-by: Rik van Riel <riel@...riel.com>

We found this after bisecting a slab corruption down to the kfence
patch, and with this patch applied we're no longer falling over.  So
thanks Rik!

-chris

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ