The patch titled
     Subject: slub: choose the right freelist pointer location when creating small caches
has been added to the -mm tree.  Its filename is
     slub-choose-the-right-freelist-pointer-location-when-creating-small-caches.patch

This patch should soon appear at
    https://ozlabs.org/~akpm/mmots/broken-out/slub-choose-the-right-freelist-pointer-location-when-creating-small-caches.patch
and later at
    https://ozlabs.org/~akpm/mmotm/broken-out/slub-choose-the-right-freelist-pointer-location-when-creating-small-caches.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: "Lin, Zhenpeng" <zplin@xxxxxxx>
Subject: slub: choose the right freelist pointer location when creating small caches

When enabling CONFIG_SLUB_DEBUG and booting with "slub_debug=Z", the
kernel crashes when creating caches if the object size is smaller than
2*sizeof(void*).

The problem is due to the wrong calculation of freepointer_area.  The
freelist pointer can be stored in the middle of the object only if the
object size is not smaller than 2*sizeof(void*).  Otherwise, the freelist
pointer will be corrupted by SLUB_RED_ZONE.

Link: https://lkml.kernel.org/r/6746FEEA-FD69-4792-8DDA-C78F5FE7DA02@xxxxxxx
Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
Fixes: 89b83f282d8b ("slub: avoid redzone when choosing freepointer location")
Signed-off-by: Zhenpeng Lin <zplin@xxxxxxx> Cc: Christoph Lameter <cl@xxxxxxxxx> Cc: Pekka Enberg <penberg@xxxxxxxxxx> Cc: David Rientjes <rientjes@xxxxxxxxxx> Cc: Joonsoo Kim <iamjoonsoo.kim@xxxxxxx> Cc: Vlastimil Babka <vbabka@xxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/slub.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/mm/slub.c~slub-choose-the-right-freelist-pointer-location-when-creating-small-caches +++ a/mm/slub.c @@ -3752,7 +3752,7 @@ static int calculate_sizes(struct kmem_c * can't use that portion for writing the freepointer, so * s->offset must be limited within this for the general case. */ - freepointer_area = size; + freepointer_area = s->object_size; #ifdef CONFIG_SLUB_DEBUG /* @@ -3799,7 +3799,7 @@ static int calculate_sizes(struct kmem_c */ s->offset = size; size += sizeof(void *); - } else if (freepointer_area > sizeof(void *)) { + } else if (freepointer_area > 2 * sizeof(void *)) { /* * Store freelist pointer near middle of object to keep * it away from the edges of the object to avoid small _ Patches currently in -mm which might be from zplin@xxxxxxx are slub-choose-the-right-freelist-pointer-location-when-creating-small-caches.patch
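Review bot: in the first hunk (@@ -3752, `freepointer_area = s->object_size;`), the comment directly above still describes the usable area in terms of the word-aligned `size` ("If redzoning adds more to the inuse size, we can't use that portion for writing the freepointer"), but the variable now holds the caller's unaligned object size, so the alignment padding between `s->object_size` and the aligned `size` is excluded from the usable area as well; suggest extending that comment to say so explicitly, since for small object sizes that are not a multiple of sizeof(void *) that padding is exactly the region the red zone occupies, which is the corruption the commit message describes.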
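Review bot: in the second hunk (@@ -3799), the new condition `freepointer_area > 2 * sizeof(void *)` is stricter than the commit message, which says the pointer can be stored in the middle when the object size is "not smaller than" 2*sizeof(void*); an object of exactly 2*sizeof(void*) bytes has room for a word-aligned midpoint pointer without touching the red zone, so either `>=` here or commit-message wording that matches `>` would remove the mismatch. It is also worth checking object sizes just above the threshold that are not multiples of sizeof(void *) (for example a 20-byte object on a 64-bit build): `freepointer_area` is now unaligned, and if the "near middle" offset is rounded up to a word boundary, that offset plus sizeof(void *) can still extend past `s->object_size` into the red zone, in which case the guard should be whether the rounded midpoint plus one pointer fits within `freepointer_area`, not a fixed comparison against 2 * sizeof(void *).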