| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3ddcf2a2-2835-4652-8961-1dd2cac1119f@suse.cz>
Date: Thu, 27 Feb 2025 16:18:40 +0100
From: Vlastimil Babka <vbabka@...e.cz>
To: Harry Yoo <harry.yoo@...cle.com>, Hyesoo Yu <hyesoo.yu@...sung.com>
Cc: janghyuck.kim@...sung.com, Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>, David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Roman Gushchin <roman.gushchin@...ux.dev>,
Hyeonggon Yoo <42.hyeyoo@...il.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 2/2] mm: slub: call WARN() when the slab detect an
error
On 2/27/25 13:55, Harry Yoo wrote:
> On Wed, Feb 26, 2025 at 05:12:01PM +0900, Hyesoo Yu wrote:
>> If a slab object is corrupted or an error occurs in its internal
>> value, continuing after restoration may cause other side effects.
>> At this point, it is difficult to debug because the problem occurred
>> in the past. It is useful to use WARN() to catch errors at the point
>> of issue because WARN() could trigger panic for system debugging when
>> panic_on_warn is enabled. WARN() is added where to detect the error
>> on slab_err and object_err.
>>
>> It makes sense to only do the WARN() after printing the logs. slab_err
>> is splited to __slab_err that calls the WARN() and it is called after
>> printing logs.
>>
>> Changes in v4:
>> - Remove WARN() in kmem_cache_destroy to remove redundant warning.
>>
>> Changes in v3:
>> - move the WARN from slab_fix to slab_err, object_err and check_obj to
>> use WARN on all error reporting paths.
>>
>> Changes in v2:
>> - Replace direct calling with BUG_ON with the use of WARN in slab_fix.
>
> Same here, please rephrase the changelog without "Changes in vN" in the
> changelog, and move the patch version changes below "---" line.
>
>> Signed-off-by: Hyesoo Yu <hyesoo.yu@...sung.com>
>> ---
>
> Otherwise this change in general looks good to me (with a suggestion below).
> Please feel free to add:
> Reviewed-by: Harry Yoo <harry.yoo@...cle.com>
>
> # Suggestion
>
> There's a case where SLUB just calls pr_err() and dump_stack() instead of
> slab_err() or object_err() in free_consistency_checks().
>
> I would like to add something like this:
>
> diff --git a/mm/slub.c b/mm/slub.c
> index b7660ee85db0..d5609fa63da4 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1022,12 +1022,16 @@ static void slab_bug(struct kmem_cache *s, char *fmt, ...)
> {
> struct va_format vaf;
> va_list args;
> + const char *name = "<unknown>";
> +
> + if (s)
> + name = s->name;
>
> va_start(args, fmt);
> vaf.fmt = fmt;
> vaf.va = &args;
> pr_err("=============================================================================\n");
> - pr_err("BUG %s (%s): %pV\n", s->name, print_tainted(), &vaf);
> + pr_err("BUG %s (%s): %pV\n", name, print_tainted(), &vaf);
s ? s->name : "<unknown>"
more concise
> pr_err("-----------------------------------------------------------------------------\n\n");
> va_end(args);
> }
> @@ -1628,9 +1632,8 @@ static inline int free_consistency_checks(struct kmem_cache *s,
> slab_err(s, slab, "Attempt to free object(0x%p) outside of slab",
> object);
> } else if (!slab->slab_cache) {
> - pr_err("SLUB <none>: no slab for object 0x%p.\n",
> - object);
> - dump_stack();
> + slab_err(NULL, slab, "No slab for object 0x%p",
> + object);
Good suggestion, added that locally. Probably not likely to trigger as a
use-after-free would mean we're rather hit !folio_test_slab() above than a
folio that has a slab flag but has a NULL pointer (or the pointer might be
garbage and not NULL). But at least the error handling will be consistent.
Changed the error message to "No slab cache" as that's more accurate.
Thanks.
> } else
> object_err(s, slab, object,
> "page slab pointer corrupt.");
>
Powered by blists - more mailing lists