From patchwork Thu Oct 15 03:37:09 2020
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 11838583
From: Kees Cook
To: Andrew Morton
Cc: Kees Cook, Christoph Lameter, Vlastimil Babka, Waiman Long, Marco Elver, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH v3 0/3] Actually fix freelist pointer vs redzoning
Date: Wed, 14 Oct 2020 20:37:09 -0700
Message-Id: <20201015033712.1491731-1-keescook@chromium.org>
X-Mailer: git-send-email 2.25.1

v3:
- fix commit messages to properly reflect the direction of the overwrite
- justify the less-than-word-size patch better
- add Acks
- move some Fixes up into the commit log as just references

v2: https://lore.kernel.org/lkml/20201009195411.4018141-1-keescook@chromium.org
v1: https://lore.kernel.org/lkml/20201008233443.3335464-1-keescook@chromium.org

This fixes redzoning vs the freelist pointer (both for middle-position and
very small caches). Both are "theoretical" fixes, in that I see no evidence
of such small-sized caches actually being used in the kernel, but that's no
reason to let the bugs continue to exist. :)

Note on patch 2: Christopher NAKed it, but I actually think this is a
reasonable thing to add -- the "too small" check is only made when built
with CONFIG_DEBUG_VM, so it *is* actually possible for someone to trip over
this directly, even if it would never make it into a released kernel. I see
no reason to just leave this foot-gun in place, though, so we might as well
just fix it too. (Which seems to be what Longman was similarly supporting,
IIUC.)

Anyway, if patch 2 stays NAKed, that's fine. It's entirely separable, and
the other 2 can land. :)

Thanks!

-Kees

Kees Cook (3):
  mm/slub: Clarify verification reporting
  mm/slub: Fix redzoning for small allocations
  mm/slub: Actually fix freelist pointer vs redzoning

 Documentation/vm/slub.rst | 10 +++++-----
 mm/slub.c                 | 36 +++++++++++++++---------------------
 2 files changed, 20 insertions(+), 26 deletions(-)
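The layout problem the cover letter refers to, shown as an added illustration. This is a simplified model written for this page, not code from the series or from mm/slub.c: a slab slot holds the object, a right redzone one pointer wide, and an inline freelist pointer that normally lives inside the object. The two placement rules below (a "middle of the redzoned size, rounded up" rule that corrupts the redzone for objects of one or two words, and a "middle of the object, rounded down, or relocated past the redzone when the object cannot hold a pointer" rule that does not) are assumptions chosen to reproduce the overwrite direction the cover letter describes, namely the freelist pointer landing on the redzone; the kernel's actual arithmetic and field names differ. The 0xbb redzone pattern and the all-ones "next free" value are constructed for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTR_SZ (sizeof(void *))
#define ALIGN_UP(x, a)   ((((x) + (a) - 1) / (a)) * (a))
#define ALIGN_DOWN(x, a) (((x) / (a)) * (a))

struct slot_layout {
    size_t object_size;  /* bytes the cache user asked for */
    size_t redzone_off;  /* right redzone starts here, PTR_SZ wide */
    size_t fp_off;       /* freelist pointer is stored here */
    size_t total;        /* bytes per slot */
};

/* Placement rule modelling the bug (assumption): middle of the already
 * redzoned size, rounded UP to pointer alignment.  For an object one or
 * two words wide this lands exactly on the redzone. */
static struct slot_layout layout_buggy(size_t object_size)
{
    struct slot_layout l;
    size_t size = object_size + PTR_SZ;   /* object + right redzone */

    l.object_size = object_size;
    l.redzone_off = object_size;
    l.fp_off = ALIGN_UP(size / 2, PTR_SZ);
    l.total = size;
    return l;
}

/* Corrected rule (assumption): middle of object_size, rounded DOWN, so the
 * pointer always ends inside the object; when the object is smaller than a
 * pointer, put the pointer after the redzone instead of inside the object. */
static struct slot_layout layout_fixed(size_t object_size)
{
    struct slot_layout l;
    size_t size = object_size + PTR_SZ;

    l.object_size = object_size;
    l.redzone_off = object_size;
    if (object_size < PTR_SZ) {
        l.fp_off = size;                  /* outside object and redzone */
        size += PTR_SZ;
    } else {
        l.fp_off = ALIGN_DOWN(object_size / 2, PTR_SZ);
    }
    l.total = size;
    return l;
}

/* Static check: does [fp_off, fp_off + PTR_SZ) overlap the redzone? */
static int fp_overlaps_redzone(const struct slot_layout *l)
{
    size_t fp_end = l->fp_off + PTR_SZ;
    size_t rz_end = l->redzone_off + PTR_SZ;

    return l->fp_off < rz_end && fp_end > l->redzone_off;
}

/* Dynamic check, the way a redzone verifier would see it: paint the
 * redzone, "free" the object by storing the freelist pointer, then verify
 * every redzone byte survived.  Returns 1 if intact, 0 if corrupted. */
static int redzone_survives_free(const struct slot_layout *l)
{
    unsigned char slot[128];
    uintptr_t next = ~(uintptr_t)0;       /* constructed "next free" value */
    size_t i;

    assert(l->total <= sizeof slot && l->fp_off + PTR_SZ <= sizeof slot);
    memset(slot, 0x5a, sizeof slot);                 /* object bytes */
    memset(slot + l->redzone_off, 0xbb, PTR_SZ);     /* redzone pattern */
    memcpy(slot + l->fp_off, &next, PTR_SZ);         /* store freelist ptr */
    for (i = 0; i < PTR_SZ; i++)
        if (slot[l->redzone_off + i] != 0xbb)
            return 0;
    return 1;
}

/* 1 if the rule corrupts the redzone for this object size; the static and
 * dynamic checks must agree, which the assert enforces. */
int buggy_rule_corrupts(size_t object_size)
{
    struct slot_layout l = layout_buggy(object_size);
    int corrupted = !redzone_survives_free(&l);

    assert(corrupted == fp_overlaps_redzone(&l));
    return corrupted;
}

int fixed_rule_corrupts(size_t object_size)
{
    struct slot_layout l = layout_fixed(object_size);
    int corrupted = !redzone_survives_free(&l);

    assert(corrupted == fp_overlaps_redzone(&l));
    return corrupted;
}

int main(void)
{
    size_t sizes[] = { PTR_SZ / 2, PTR_SZ, 2 * PTR_SZ, 3 * PTR_SZ, 8 * PTR_SZ };
    size_t i;

    printf("%8s %10s %10s\n", "objsize", "buggy", "fixed");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%8zu %10s %10s\n", sizes[i],
               buggy_rule_corrupts(sizes[i]) ? "corrupted" : "ok",
               fixed_rule_corrupts(sizes[i]) ? "corrupted" : "ok");
    return 0;
}
```

Compile with `cc -Wall -o slot slot.c && ./slot`. On a 64-bit build the buggy rule reports "corrupted" for 4-, 8- and 16-byte objects and "ok" from 24 bytes up, which matches the cover letter's point that only very small caches are affected; the fixed rule reports "ok" for every size because its pointer position is bounded by the object size or relocated past the redzone.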