The freepointer chain is already checked with slub_debug on the command
line before this code is encountered.
On Tue, 7 Jan 2020, lijiazi wrote:
> If current object's memory is corrupted, there is a high
> probability that next_objext stored in it will be rewritten as an
> illegal value. It's better to check next_object this time than to
> encounter a illegal pointer in next slub alloc like the following:
>
> [80138.529667] Unable to handle kernel paging request at virtual
> address 0069145a08d9a20d
> [80138.529674] Mem abort info:
> [80138.529677] ESR = 0x96000004
> [80138.529683] Exception class = DABT (current EL), IL = 32 bits
> [80138.529688] SET = 0, FnV = 0
> [80138.529692] EA = 0, S1PTW = 0
> [80138.529695] Data abort info:
> [80138.529699] ISV = 0, ISS = 0x00000004
> [80138.529703] CM = 0, WnR = 0
> [80138.529708] [0069145a08d9a20d] address between user and kernel
> address ranges
> [80138.529716] Internal error: Oops: 96000004 1 PREEMPT SMP
> [80138.529722] Modules linked in: wlan(O) rmnet_perf(O) rmnet_shs(O)
> [80138.529812] CPU: 1 PID: 1074 Comm: cnss_diag Tainted: G S W O
> 4.19.72-perf-gdee6978 #1
> [80138.529824] pstate: 60400005 (nZCv daif +PAN -UAO)
> [80138.529840] pc : __kmalloc_track_caller+0x1d0/0x318
> [80138.529845] lr : __kmalloc_track_caller+0x60/0x318
> [80138.529849] sp : ffffff8011f6b980
> [80138.529852] x29: ffffff8011f6b9e0 x28: ffffffa187f15248
> [80138.529858] x27: ffffffede4856580 x26: ffffff8011f6bab8
> [80138.529864] x25: ffffffa18a238000 x24: ffffffec8681f980
> [80138.529870] x23: 2369145a08d9a20d x22: ffffffec8681f980
> [80138.529877] x21: ffffffa188e8c964 x20: 00000000000001c0
> [80138.529884] x19: 00000000007102c0 x18: 0000000000000000
> [80138.529890] x17: 0000000000000000 x16: 0000000000000000
> [80138.529897] x15: 0000007fffffffff x14: 0000000002a46f01
> [80138.529903] x13: 0000000000000000 x12: ffffffee38964760
> [80138.529909] x11: dc96ebb941026589 x10: 2369145a08d9a20d
> [80138.529916] x9 : 0000000002a46ef9 x8 : ffffffede4856580
> [80138.529922] x7 : 0000000000000000 x6 : 0000000000000004
> [80138.529929] x5 : 0000000000000003 x4 : 00000000007000c0
> [80138.529935] x3 : ffffff8011f6bba4 x2 : ffffffa188e8c964
> [80138.529942] x1 : 00000000007102c0 x0 : 0000000000000000
>
> [80138.530481] Call trace:
> [80138.530488] __kmalloc_track_caller+0x1d0/0x318
> [80138.530498] __alloc_skb+0x94/0x198
> [80138.530504] alloc_skb_with_frags+0x5c/0x198
> [80138.530511] sock_alloc_send_pskb+0x1d0/0x2c8
> [80138.530520] unix_dgram_sendmsg+0x234/0xa80
> [80138.530525] sock_write_iter+0xb8/0x110
> [80138.530532] do_iter_readv_writev+0x118/0x158
> [80138.530540] do_iter_write+0x7c/0x190
> [80138.530544] vfs_writev+0x84/0xe8
> [80138.530549] do_writev+0x78/0x118
> [80138.530554] __arm64_sys_writev+0x1c/0x28
> [80138.530564] el0_svc_common+0xa0/0x158
> [80138.530569] el0_svc_handler+0x6c/0x88
> [80138.530578] el0_svc+0x8/0xc
>
> Signed-off-by: lijiazi <lijiazi@xxxxxxxxxx>
> ---
> Changes in v2:
> - bug only if CONFIG_DEBUG_VM is enabled.
> - only check when next_object is not NULL.
> Reported-by: kernel test robot <lkp@xxxxxxxxx>
> ---
> mm/slub.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index a0b335d..cfdfd49 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -2744,6 +2744,7 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
> } else {
> void *next_object = get_freepointer_safe(s, object);
>
> + VM_BUG_ON(next_object && !virt_addr_valid(next_object));
> /*
> * The cmpxchg will only match if there was no additional
> * operation and if we are on the right processor.
>
