Re: [patch 025/155] slub: relocate freelist pointer to middle of object

On Wed, Apr 15, 2020 at 06:47:26PM +0200, Marco Elver wrote:
> On Wed, 01 Apr 2020, Andrew Morton wrote:
> > From: Kees Cook <keescook@xxxxxxxxxxxx>
> > Subject: slub: relocate freelist pointer to middle of object
> > [...]
> 
> With kernel v5.7-rc1 I am unable to boot when using the SLUB allocator
> and red zoning (slub_debug=Z), but otherwise a default config. Bisect
> points to this patch, and when reverting it, the kernel boots again.
> 
> Splat:
> 	[...]
> 	[    0.328713] rcu: Hierarchical RCU implementation.
> 	[    0.329169] rcu:     RCU event tracing is enabled.
> 	[    0.329611] rcu:     RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=8.
> 	[    0.330251] rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies.
> 	[    0.330984] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=8
> 	[    0.332130] NR_IRQS: 4352, nr_irqs: 488, preallocated irqs: 16
> 	[    0.332713] general protection fault, probably for non-canonical address 0xccccccccccccccd4: 0000 [#1] SMP PTI
> 	[    0.333680] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc1+ #3
> 	[    0.334280] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
> 	[    0.335079] RIP: 0010:deactivate_slab.isra.0+0x5b/0x460

Thanks for the report! It seems something isn't using get_freepointer()
(and is missing the s->offset calculation). I will try to track it
down...

> Can you reproduce this? Let me know if you need more information.

Yup! I see a crash in the same place with slub_debug=Z. Since I'm
building with CONFIG_SLAB_FREELIST_HARDENED=y, I see a random number
instead of 0xccccccccccccccd4. I'll keep digging...

-- 
Kees Cook
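
Added example, not part of the original message or of the kernel source: a small triage helper that checks whether a faulting address in an oops is a slab debug fill pattern plus a small offset, as in the splat quoted above. The fill bytes are those in the kernel's include/linux/poison.h; the function names and the second sample line are this example's own.

```python
import re

# Slab debug fill bytes as defined in the kernel's include/linux/poison.h.
POISON_BYTES = {
    0xCC: "SLUB_RED_ACTIVE",    # red zone around an allocated object
    0xBB: "SLUB_RED_INACTIVE",  # red zone around a free object
    0x6B: "POISON_FREE",        # body of a freed object
    0x5A: "POISON_INUSE",       # body of a not-yet-initialised object
}

FAULT_RE = re.compile(r"non-canonical address (0x[0-9a-fA-F]{16})\b")


def classify(addr, max_offset=4096):
    """Return (name, offset) if addr is a poison-filled 64-bit word plus a
    small signed offset (a struct member access), otherwise None."""
    for byte, name in POISON_BYTES.items():
        filled = int.from_bytes(bytes([byte]) * 8, "big")
        offset = addr - filled
        if abs(offset) < max_offset:
            return name, offset
    return None


def triage(log_text):
    """Scan oops text and return [(addr, classification)] per fault line."""
    results = []
    for match in FAULT_RE.finditer(log_text):
        addr = int(match.group(1), 16)
        results.append((addr, classify(addr)))
    return results


# First line is the fault line from the splat quoted above; the second is a
# constructed line with an arbitrary non-canonical address.
SAMPLE = """\
[    0.332713] general protection fault, probably for non-canonical address 0xccccccccccccccd4: 0000 [#1] SMP PTI
[    0.332713] general protection fault, probably for non-canonical address 0x9d3f1c2a77e0b5d4: 0000 [#1] SMP PTI
"""

if __name__ == "__main__":
    for addr, hit in triage(SAMPLE):
        if hit:
            print(f"{addr:#018x}: {hit[0]} fill {hit[1]:+#x}")
        else:
            print(f"{addr:#018x}: no known slab fill pattern")
```

With CONFIG_SLAB_FREELIST_HARDENED=y the reply reports a random number in place of 0xccccccccccccccd4, so this check finds no pattern on such builds.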



