The commit is pushed to "branch-rh7-3.10.0-1160.105.1.vz7.220.x-ovz" and will
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.105.1.vz7.220.8
------>
commit 5f35c8797c455d83e4083e48744f5a2f8561d882
Author: Pavel Tikhomirov <[email protected]>
Date: Wed Jul 3 16:11:58 2024 +0800
slub_debug: fail allocation on a bad freelist pointer
We saw crashes where the slub percpu freelist was corrupted. This check may
catch the problem earlier, at the point where we first see a bad freelist
pointer, and suppress further corruption.
This is enabled with 'slub_debug=F'.
https://virtuozzo.atlassian.net/browse/PSBM-155867
Signed-off-by: Pavel Tikhomirov <[email protected]>
---
mm/slub.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/mm/slub.c b/mm/slub.c
index 7ec3f8b37701..6d181a2e841c 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1085,6 +1085,19 @@ static void setup_object_debug(struct kmem_cache *s,
struct page *page,
init_tracking(s, object);
}
+static inline int alloc_valid_pointer_check(struct kmem_cache *s,
+ struct page *page, void *object)
+{
+ if (s->flags & SLAB_CONSISTENCY_CHECKS &&
+ !check_valid_pointer(s, page, object)) {
+ if (printk_ratelimit())
+ object_err(s, page, object, "Freelist Pointer
corrupted");
+ return 0;
+ }
+
+ return 1;
+}
+
static inline int alloc_consistency_checks(struct kmem_cache *s, struct page
*page,
void *object)
{
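Review bot: `object_err(s, page, object, ...)` in alloc_valid_pointer_check() is handed the very pointer that check_valid_pointer() has just rejected. If object_err() dumps the object's bytes or trailer (its body is not visible here), the reporting path may itself dereference a wild address and fault before the allocation can be failed. Reporting against the slab avoids touching the bad pointer: `slab_err(s, page, "Freelist Pointer corrupted (%p)", object);`. As a smaller point, `printk_ratelimit()` shares one global budget with unrelated callers, so the first corruption report can be suppressed by other noise.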
@@ -1346,6 +1359,10 @@ static unsigned long kmem_cache_flags(unsigned long
object_size,
static inline void setup_object_debug(struct kmem_cache *s,
struct page *page, void *object) {}
+static inline int alloc_valid_pointer_check(struct kmem_cache *s,
+ struct page *page,
+ void *object) { return 0; }
+
static inline int alloc_debug_processing(struct kmem_cache *s,
struct page *page, void *object, unsigned long addr) { return 0; }
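Review bot: The !CONFIG_SLUB_DEBUG stub of alloc_valid_pointer_check() returns 0, which under the debug version's convention (1 = valid, 0 = corrupted) means "pointer is bad". The only caller in this patch guards the call with `kmem_cache_debug(s)`, which is presumably constant 0 in this configuration, so the stub should never be evaluated today. Any later unguarded caller would fail every allocation, though, so the stub is safer as `void *object) { return 1; }`.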
@@ -2530,6 +2547,10 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t
gfpflags, int node,
* That page must be frozen for per cpu allocations to work.
*/
VM_BUG_ON(!c->page->frozen);
+
+ if (kmem_cache_debug(s) && !alloc_valid_pointer_check(s, c->page,
freelist))
+ return NULL;
+
c->freelist = get_freepointer(s, freelist);
c->tid = next_tid(c->tid);
goto restore_pfmemalloc;
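Review bot: The added `return NULL` leaves ___slab_alloc directly, while the normal path three lines below exits through `goto restore_pfmemalloc`, so whatever that label restores is skipped on the corruption path. The label is outside this hunk; if it undoes state changed earlier in the function, the failure case should go through it as well, e.g. `freelist = NULL; goto restore_pfmemalloc;`, presuming the label returns `freelist`. The early return also leaves `c->page` and `c->freelist` as they were. A comment should state whether the corrupted slab is meant to stay attached to this CPU or be detached before the allocation is failed.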