<div dir="ltr"><div dir="ltr">On Sat, May 29, 2021 at 4:43 AM Kazuhito Hagio <<a href="mailto:kazuhito.hagio@gmail.com">kazuhito.hagio@gmail.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> -----Original Message-----<br>
> > Linux 5.7 and later kernels that contain kernel commit <1ad53d9fa3f6><br>
> > ("slub: improve bit diffusion for freelist ptr obfuscation") changed<br>
> > the calculation formula in the freelist_ptr(), which added a swab()<br>
> > call to mix bits a little more. When kernel is built with the<br>
> > "CONFIG_SLAB_FREELIST_HARDENED=y",the "kmem -s" option fails with the<br>
> > following errors, if there is no such patch.<br>
> ><br>
> > crash> kmem -s<br>
> > CACHE OBJSIZE ALLOCATED TOTAL SLABS SSIZE NAME<br>
> > 82166d00 144 0 0 0 4k fuse_request<br>
> > 82166e00 792 0 0 0 16k fuse_inode<br>
> > 87201e00 528 0 0 0 8k xfs_dqtrx<br>
> > 87201f00 496 0 0 0 8k xfs_dquot<br>
> > kmem: xfs_buf: slab: 37202e6e900 invalid freepointer: b844bab900001d70<br>
> > kmem: xfs_buf: slab: 3720250fd80 invalid freepointer: b8603f9400001370<br>
> > ...<br>
><br>
> Good catch! And the patch diff looks good to me.<br>
<br>
Sorry, I completely misread the code.. Please ignore the comments below.<br>
I will check again next week.<br>
<br></blockquote><div>No worry. Thanks for the review. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Thanks,<br>
Kazu<br>
<br>
><br>
> But the freelist_ptr() function, which is patched, is called only when<br>
> the error message is NOT printed. So it seems like the patch does not<br>
> stop the message, right?<br>
<br></blockquote><div>No, the patch fixes the above errors. Upstream kernel has changed the calculation formula in the</div><div>freelist_ptr() as below(marked it with "^^^^"), which added the "swab()" operation, crash also needs</div><div>to follow up this change, otherwise crash will get the error of "invalid freepointer".</div><div><br></div><div>diff --git a/mm/slub.c b/mm/slub.c<br>index fc911c222b11..bc949e3428c9 100644<br>--- a/mm/slub.c<br>+++ b/mm/slub.c<br>@@ -259,7 +259,7 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,<br> * freepointer to be restored incorrectly.<br> */<br> return (void *)((unsigned long)ptr ^ s->random ^<br>- (unsigned long)kasan_reset_tag((void *)ptr_addr));<br>+ <b>swab</b>((unsigned long)kasan_reset_tag((void *)ptr_addr)));<br></div><div> <b> ^^^^^</b></div><div><br></div><div>Before:</div>crash> kmem -s<br>CACHE OBJSIZE ALLOCATED TOTAL SLABS SSIZE NAME<br>c0000000311a4200 152 0 0 0 64k fuse_request<br>c0000000311a8700 800 0 0 0 64k fuse_inode<br>c000000035df7600 528 0 0 0 64k xfs_dqtrx<br>c000000035df6600 496 0 0 0 64k xfs_dquot<br>kmem: xfs_buf: slab: c00c0000000b6500 invalid freepointer: 3808942d00004eb0<br>kmem: xfs_buf: slab: c00c00000116ba00 invalid freepointer: b83fe85a040027b0<br>...<br></div><div class="gmail_quote"><br></div><div class="gmail_quote">After:</div><div class="gmail_quote">crash> kmem -s<br>CACHE OBJSIZE ALLOCATED TOTAL SLABS SSIZE NAME<br>c0000000311a4200 152 0 0 0 64k fuse_request<br>c0000000311a8700 800 0 0 0 64k fuse_inode<br>c000000035df7600 528 0 0 0 64k xfs_dqtrx<br>c000000035df6600 496 0 0 0 64k xfs_dquot<br>c000000035dff500 360 7865 9010 53 64k xfs_buf<br>...<br><div> <br></div><div>Thanks.</div><div>Lianbo</div></div></div>