lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aV9yrnpk1sEDIJEY@hyeyoo>
Date: Thu, 8 Jan 2026 18:02:38 +0900
From: Harry Yoo <harry.yoo@...cle.com>
To: Vlastimil Babka <vbabka@...e.cz>
Cc: akpm@...ux-foundation.org, andreyknvl@...il.com, cl@...two.org,
        dvyukov@...gle.com, glider@...gle.com, hannes@...xchg.org,
        linux-mm@...ck.org, mhocko@...nel.org, muchun.song@...ux.dev,
        rientjes@...gle.com, roman.gushchin@...ux.dev, ryabinin.a.a@...il.com,
        shakeel.butt@...ux.dev, surenb@...gle.com, vincenzo.frascino@....com,
        yeoreum.yun@....com, tytso@....edu, adilger.kernel@...ger.ca,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
        cgroups@...r.kernel.org, hao.li@...ux.dev
Subject: Re: [PATCH V5 8/8] mm/slab: place slabobj_ext metadata in unused
 space within s->size

On Wed, Jan 07, 2026 at 06:33:52PM +0100, Vlastimil Babka wrote:
> On 1/5/26 09:02, Harry Yoo wrote:
> > diff --git a/mm/slub.c b/mm/slub.c
> > index 50b74324e550..43fdbff9d09b 100644
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -977,6 +977,39 @@ static inline bool obj_exts_in_slab(struct kmem_cache *s, struct slab *slab)
> >  {
> >  	return false;
> >  }
> > +
> > +#endif
> > +
> > +#if defined(CONFIG_SLAB_OBJ_EXT) && defined(CONFIG_64BIT)
> > +static bool obj_exts_in_object(struct kmem_cache *s)
> > +{
> > +	return s->flags & SLAB_OBJ_EXT_IN_OBJ;
> 
> So this is a property of the cache.

Right.

> > @@ -2280,7 +2322,8 @@ static inline void free_slab_obj_exts(struct slab *slab)
> >  		return;
> >  	}
> >  
> > -	if (obj_exts_in_slab(slab->slab_cache, slab)) {
> > +	if (obj_exts_in_slab(slab->slab_cache, slab) ||
> > +			obj_exts_in_object(slab->slab_cache)) {
> 
> Here we check that property to determine if we can return early and not do
> kfree().

Right.

> > @@ -2326,6 +2369,23 @@ static void alloc_slab_obj_exts_early(struct kmem_cache *s, struct slab *slab)
> >  			obj_exts |= MEMCG_DATA_OBJEXTS;
> >  		slab->obj_exts = obj_exts;
> >  		slab_set_stride(slab, sizeof(struct slabobj_ext));
> > +	} else if (obj_exts_in_object(s)) {
> > +		unsigned int offset = obj_exts_offset_in_object(s);
> 
> But we reach this only when need_slab_obj_exts() is true above. So there
> might be slabs from caches where obj_exts_in_object() is true, but still
> have obj_exts allocated by kmalloc, and we leak them in
> free_slab_obj_exts().

Oh god, right!

> (and we perform some incorrect action wherever else
> obj_exts_in_object() is checked) AFAIU?

Yes.

It must check if slabs actually have allocated obj_exts from wasted space...

> So I think we need to check obj_exts_in_slab() (in the simplified way I
> suggested for patch 7/8) first, and only look at obj_exts_in_object()
> afterwards to distinguish the exact layout where needed?
> (i.e. free_slab_obj_exts() is fine to just check obj_exts_in_slab()).

That'll work, will do.

-- 
Cheers,
Harry / Hyeonggon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ