mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
slab: make check_object() more consistent
Now check_object() calls check_bytes_and_report() multiple times to check every section of the object it cares about, like left and right redzones, object poison, paddings poison and freepointer. It will abort the checking process and return 0 once it finds an error. There are two inconsistencies in check_object(), which are alignment padding checking and object padding checking. We only print the error messages but don't return 0 to tell callers that something is wrong and needs to be handled. Please see alloc_debug_processing() and free_debug_processing() for details. We want to do all checks without skipping, so use a local variable "ret" to save each check result and change check_bytes_and_report() to only report specific error findings. Then at end of check_object(), print the trailer once if any found an error. Suggested-by: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Chengming Zhou <chengming.zhou@linux.dev> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
This commit is contained in:
Chengming Zhou
Vlastimil Babka
parent
4d2bcefa96
commit
47d911b02c
1 changed files with 41 additions and 21 deletions
62
mm/slub.c
62
mm/slub.c
|
|
@ -788,8 +788,24 @@ static bool slab_add_kunit_errors(void)
|
||||||
kunit_put_resource(resource);
|
kunit_put_resource(resource);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool slab_in_kunit_test(void)
|
||||||
|
{
|
||||||
|
struct kunit_resource *resource;
|
||||||
|
|
||||||
|
if (!kunit_get_current_test())
|
||||||
|
return false;
|
||||||
|
|
||||||
|
resource = kunit_find_named_resource(current->kunit_test, "slab_errors");
|
||||||
|
if (!resource)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
kunit_put_resource(resource);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
#else
|
#else
|
||||||
static inline bool slab_add_kunit_errors(void) { return false; }
|
static inline bool slab_add_kunit_errors(void) { return false; }
|
||||||
|
static inline bool slab_in_kunit_test(void) { return false; }
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static inline unsigned int size_from_object(struct kmem_cache *s)
|
static inline unsigned int size_from_object(struct kmem_cache *s)
|
||||||
|
|
@ -1190,8 +1206,6 @@ static int check_bytes_and_report(struct kmem_cache *s, struct slab *slab,
|
||||||
pr_err("0x%p-0x%p @offset=%tu. First byte 0x%x instead of 0x%x\n",
|
pr_err("0x%p-0x%p @offset=%tu. First byte 0x%x instead of 0x%x\n",
|
||||||
fault, end - 1, fault - addr,
|
fault, end - 1, fault - addr,
|
||||||
fault[0], value);
|
fault[0], value);
|
||||||
print_trailer(s, slab, object);
|
|
||||||
add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
|
|
||||||
|
|
||||||
skip_bug_print:
|
skip_bug_print:
|
||||||
restore_bytes(s, what, value, fault, end);
|
restore_bytes(s, what, value, fault, end);
|
||||||
|
|
@ -1300,15 +1314,16 @@ static int check_object(struct kmem_cache *s, struct slab *slab,
|
||||||
u8 *p = object;
|
u8 *p = object;
|
||||||
u8 *endobject = object + s->object_size;
|
u8 *endobject = object + s->object_size;
|
||||||
unsigned int orig_size, kasan_meta_size;
|
unsigned int orig_size, kasan_meta_size;
|
||||||
|
int ret = 1;
|
||||||
|
|
||||||
if (s->flags & SLAB_RED_ZONE) {
|
if (s->flags & SLAB_RED_ZONE) {
|
||||||
if (!check_bytes_and_report(s, slab, object, "Left Redzone",
|
if (!check_bytes_and_report(s, slab, object, "Left Redzone",
|
||||||
object - s->red_left_pad, val, s->red_left_pad))
|
object - s->red_left_pad, val, s->red_left_pad))
|
||||||
return 0;
|
ret = 0;
|
||||||
|
|
||||||
if (!check_bytes_and_report(s, slab, object, "Right Redzone",
|
if (!check_bytes_and_report(s, slab, object, "Right Redzone",
|
||||||
endobject, val, s->inuse - s->object_size))
|
endobject, val, s->inuse - s->object_size))
|
||||||
return 0;
|
ret = 0;
|
||||||
|
|
||||||
if (slub_debug_orig_size(s) && val == SLUB_RED_ACTIVE) {
|
if (slub_debug_orig_size(s) && val == SLUB_RED_ACTIVE) {
|
||||||
orig_size = get_orig_size(s, object);
|
orig_size = get_orig_size(s, object);
|
||||||
|
|
@ -1317,14 +1332,15 @@ static int check_object(struct kmem_cache *s, struct slab *slab,
|
||||||
!check_bytes_and_report(s, slab, object,
|
!check_bytes_and_report(s, slab, object,
|
||||||
"kmalloc Redzone", p + orig_size,
|
"kmalloc Redzone", p + orig_size,
|
||||||
val, s->object_size - orig_size)) {
|
val, s->object_size - orig_size)) {
|
||||||
return 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {
|
if ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {
|
||||||
check_bytes_and_report(s, slab, p, "Alignment padding",
|
if (!check_bytes_and_report(s, slab, p, "Alignment padding",
|
||||||
endobject, POISON_INUSE,
|
endobject, POISON_INUSE,
|
||||||
s->inuse - s->object_size);
|
s->inuse - s->object_size))
|
||||||
|
ret = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1340,27 +1356,25 @@ static int check_object(struct kmem_cache *s, struct slab *slab,
|
||||||
!check_bytes_and_report(s, slab, p, "Poison",
|
!check_bytes_and_report(s, slab, p, "Poison",
|
||||||
p + kasan_meta_size, POISON_FREE,
|
p + kasan_meta_size, POISON_FREE,
|
||||||
s->object_size - kasan_meta_size - 1))
|
s->object_size - kasan_meta_size - 1))
|
||||||
return 0;
|
ret = 0;
|
||||||
if (kasan_meta_size < s->object_size &&
|
if (kasan_meta_size < s->object_size &&
|
||||||
!check_bytes_and_report(s, slab, p, "End Poison",
|
!check_bytes_and_report(s, slab, p, "End Poison",
|
||||||
p + s->object_size - 1, POISON_END, 1))
|
p + s->object_size - 1, POISON_END, 1))
|
||||||
return 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
* check_pad_bytes cleans up on its own.
|
* check_pad_bytes cleans up on its own.
|
||||||
*/
|
*/
|
||||||
check_pad_bytes(s, slab, p);
|
if (!check_pad_bytes(s, slab, p))
|
||||||
|
ret = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!freeptr_outside_object(s) && val == SLUB_RED_ACTIVE)
|
/*
|
||||||
/*
|
* Cannot check freepointer while object is allocated if
|
||||||
* Object and freepointer overlap. Cannot check
|
* object and freepointer overlap.
|
||||||
* freepointer while object is allocated.
|
*/
|
||||||
*/
|
if ((freeptr_outside_object(s) || val != SLUB_RED_ACTIVE) &&
|
||||||
return 1;
|
!check_valid_pointer(s, slab, get_freepointer(s, p))) {
|
||||||
|
|
||||||
/* Check free pointer validity */
|
|
||||||
if (!check_valid_pointer(s, slab, get_freepointer(s, p))) {
|
|
||||||
object_err(s, slab, p, "Freepointer corrupt");
|
object_err(s, slab, p, "Freepointer corrupt");
|
||||||
/*
|
/*
|
||||||
* No choice but to zap it and thus lose the remainder
|
* No choice but to zap it and thus lose the remainder
|
||||||
|
|
@ -1368,9 +1382,15 @@ static int check_object(struct kmem_cache *s, struct slab *slab,
|
||||||
* another error because the object count is now wrong.
|
* another error because the object count is now wrong.
|
||||||
*/
|
*/
|
||||||
set_freepointer(s, p, NULL);
|
set_freepointer(s, p, NULL);
|
||||||
return 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
return 1;
|
|
||||||
|
if (!ret && !slab_in_kunit_test()) {
|
||||||
|
print_trailer(s, slab, object);
|
||||||
|
add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int check_slab(struct kmem_cache *s, struct slab *slab)
|
static int check_slab(struct kmem_cache *s, struct slab *slab)
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue