From patchwork Mon Mar 3 17:28:05 2025
X-Patchwork-Submitter: Matthew Wilcox
X-Patchwork-Id: 13999308
From: "Matthew Wilcox (Oracle)"
To: Vlastimil Babka
Cc: "Matthew Wilcox (Oracle)", linux-mm@kvack.org, Harry Yoo, Roman Gushchin, Andrew Morton, Joonsoo Kim, David Rientjes, Pekka Enberg, Christoph Lameter, Hannes Reinecke
Subject: [PATCH] slab: Mark large folios for debugging purposes
Date: Mon, 3 Mar 2025 17:28:05 +0000
Message-ID: <20250303172807.3187600-1-willy@infradead.org>

If a user calls

	p = kmalloc(1024);
	kfree(p);
	kfree(p);

and 'p' was the only object in the slab, we may free the slab after the
first call to kfree(). If we do, we clear PGTY_slab and the second call
to kfree() will call free_large_kmalloc(). That will leave a trace in
the logs ("object pointer: 0x%p"), but otherwise proceed to free the
memory, which is likely to corrupt the page allocator's metadata.

Allocate a new page type for large kmalloc and mark the memory with it
while it's allocated. That lets us detect this double-free and return
without harming any data structures.

Reported-by: Hannes Reinecke
Signed-off-by: Matthew Wilcox (Oracle)
---
 include/linux/page-flags.h | 18 ++++++++++--------
 mm/slub.c                  |  7 +++++++
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index 36d283552f80..df9234e5f478 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -925,14 +925,15 @@ FOLIO_FLAG_FALSE(has_hwpoisoned) enum pagetype { /* 0x00-0x7f are positive numbers, ie mapcount */ /* Reserve 0x80-0xef for mapcount overflow. */ - PGTY_buddy = 0xf0, - PGTY_offline = 0xf1, - PGTY_table = 0xf2, - PGTY_guard = 0xf3, - PGTY_hugetlb = 0xf4, - PGTY_slab = 0xf5, - PGTY_zsmalloc = 0xf6, - PGTY_unaccepted = 0xf7, + PGTY_buddy = 0xf0, + PGTY_offline = 0xf1, + PGTY_table = 0xf2, + PGTY_guard = 0xf3, + PGTY_hugetlb = 0xf4, + PGTY_slab = 0xf5, + PGTY_zsmalloc = 0xf6, + PGTY_unaccepted = 0xf7, + PGTY_large_kmalloc = 0xf8, PGTY_mapcount_underflow = 0xff }; @@ -1075,6 +1076,7 @@ PAGE_TYPE_OPS(Zsmalloc, zsmalloc, zsmalloc) * Serialized with zone lock. */ PAGE_TYPE_OPS(Unaccepted, unaccepted, unaccepted) +FOLIO_TYPE_OPS(large_kmalloc, large_kmalloc) /** * PageHuge - Determine if the page belongs to hugetlbfs diff --git a/mm/slub.c b/mm/slub.c index 1f50129dcfb3..872e1bab3bd1 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -4241,6 +4241,7 @@ static void *___kmalloc_large_node(size_t size, gfp_t flags, int node) ptr = folio_address(folio); lruvec_stat_mod_folio(folio, NR_SLAB_UNRECLAIMABLE_B, PAGE_SIZE << order); + __folio_set_large_kmalloc(folio); } ptr = kasan_kmalloc_large(ptr, size, flags); @@ -4716,6 +4717,11 @@ static void free_large_kmalloc(struct folio *folio, void *object) { unsigned int order = folio_order(folio); + if (WARN_ON_ONCE(!folio_test_large_kmalloc(folio))) { + dump_page(&folio->page, "Not a kmalloc allocation"); + return; + } + if (WARN_ON_ONCE(order == 0)) pr_warn_once("object pointer: 0x%p\n", object); @@ -4725,6 +4731,7 @@ static void free_large_kmalloc(struct folio *folio, void *object) lruvec_stat_mod_folio(folio, NR_SLAB_UNRECLAIMABLE_B, -(PAGE_SIZE << order)); + __folio_clear_large_kmalloc(folio); folio_put(folio); }
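
Review bot: In the enum pagetype hunk of include/linux/page-flags.h, the eight existing entries (PGTY_buddy through PGTY_unaccepted) are removed and re-added with only their whitespace changed, so the one functional line, PGTY_large_kmalloc = 0xf8, is buried in alignment churn. That makes the change harder to backport cleanly and obscures blame on the existing values. Consider adding only the new entry, or say in the commit message that the other lines are realignment only. A short comment on the new entry stating that it marks kmalloc allocations served directly by the page allocator would also help readers of the enum.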
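
Review bot: The FOLIO_TYPE_OPS(large_kmalloc, large_kmalloc) line added after PAGE_TYPE_OPS(Unaccepted, ...) in include/linux/page-flags.h has no comment, while the type just above it documents its rules ("Serialized with zone lock."). Please add a comment block saying that the type is set in ___kmalloc_large_node() and cleared in free_large_kmalloc(), that it exists to catch a kfree() of memory that is not a live large kmalloc allocation, and what serializes the set and clear.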
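
Review bot: In the free_large_kmalloc() hunk at @@ -4716, dump_page() is not rate limited: WARN_ON_ONCE() prints its warning once but still evaluates to true on every later bad free, so each subsequent invalid kfree() dumps a full page description to the log. Either guard the dump so it fires once as well, or state that repeated dumps are intended. The new path also drops the object pointer that the existing order == 0 branch reports with pr_warn_once("object pointer: 0x%p\n", object); including it in the new message would keep that information for the double-free case the commit message describes. It is also worth saying whether the order == 0 check is still expected to trigger now that the type test returns first.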
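
Review bot: In the last mm/slub.c hunk, __folio_clear_large_kmalloc(folio) before folio_put(folio) is a separate step from the folio_test_large_kmalloc() check at the top of free_large_kmalloc(), so two kfree() calls on the same pointer running concurrently can both pass the test before either clears the type. The sequential case from the commit message is caught, the racing case is not. Likewise a folio that has been handed out again as a large kmalloc between the two frees will pass the check. Please note these limits in the commit message or in a comment next to the check so the type test is not read as a complete double-free guard.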