mm: slab: fix potential double free in ___cache_free

shakeelb · torvalds · commit 678ff6a7afcc · 2020-09-26T10:15:01.000-07:00
With the commit 10befea ("mm: memcg/slab: use a single set of kmem_caches for all allocations"), it becomes possible to call kfree() from the slabs_destroy(). The functions cache_flusharray() and do_drain() calls slabs_destroy() on array_cache of the local CPU without updating the size of the array_cache. This enables the kfree() call from the slabs_destroy() to recursively call cache_flusharray() which can potentially call free_block() on the same elements of the array_cache of the local CPU and causing double free and memory corruption. To fix the issue, simply update the local CPU array_cache cache before calling slabs_destroy(). Fixes: 10befea ("mm: memcg/slab: use a single set of kmem_caches for all allocations") Signed-off-by: Shakeel Butt <shakeelb@google.com> Reviewed-by: Roman Gushchin <guro@fb.com> Tested-by: Ming Lei <ming.lei@redhat.com> Reported-by: kernel test robot <rong.a.chen@intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Ted Ts'o <tytso@mit.edu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/mm/slab.c b/mm/slab.c
@@ -1632,6 +1632,10 @@ static void slab_destroy(struct kmem_cache *cachep, struct page *page)
 		kmem_cache_free(cachep->freelist_cache, freelist);
 }
 
+/*
+ * Update the size of the caches before calling slabs_destroy as it may
+ * recursively call kfree.
+ */
 static void slabs_destroy(struct kmem_cache *cachep, struct list_head *list)
 {
 	struct page *page, *n;
@@ -2153,8 +2157,8 @@ static void do_drain(void *arg)
 	spin_lock(&n->list_lock);
 	free_block(cachep, ac->entry, ac->avail, node, &list);
 	spin_unlock(&n->list_lock);
-	slabs_destroy(cachep, &list);
 	ac->avail = 0;
+	slabs_destroy(cachep, &list);
 }
 
 static void drain_cpu_caches(struct kmem_cache *cachep)
@@ -3402,9 +3406,9 @@ static void cache_flusharray(struct kmem_cache *cachep, struct array_cache *ac)
 	}
 #endif
 	spin_unlock(&n->list_lock);
-	slabs_destroy(cachep, &list);
 	ac->avail -= batchcount;
 	memmove(ac->entry, &(ac->entry[batchcount]), sizeof(void *)*ac->avail);
+	slabs_destroy(cachep, &list);
 }
 
 /*

Original file line number	Diff line number	Diff line change
`@@ -1632,6 +1632,10 @@ static void slab_destroy(struct kmem_cache cachep, struct page page)`
`1632`	`1632`	`kmem_cache_free(cachep->freelist_cache, freelist);`
`1633`	`1633`	`}`
`1634`	`1634`
	`1635`	`+/*`
	`1636`	`+ * Update the size of the caches before calling slabs_destroy as it may`
	`1637`	`+ * recursively call kfree.`
	`1638`	`+ */`
`1635`	`1639`	`static void slabs_destroy(struct kmem_cache cachep, struct list_head list)`
`1636`	`1640`	`{`
`1637`	`1641`	`struct page page, n;`
`@@ -2153,8 +2157,8 @@ static void do_drain(void *arg)`
`2153`	`2157`	`spin_lock(&n->list_lock);`
`2154`	`2158`	`free_block(cachep, ac->entry, ac->avail, node, &list);`
`2155`	`2159`	`spin_unlock(&n->list_lock);`
`2156`		`- slabs_destroy(cachep, &list);`
`2157`	`2160`	`ac->avail = 0;`
	`2161`	`+ slabs_destroy(cachep, &list);`
`2158`	`2162`	`}`
`2159`	`2163`
`2160`	`2164`	`static void drain_cpu_caches(struct kmem_cache *cachep)`
`@@ -3402,9 +3406,9 @@ static void cache_flusharray(struct kmem_cache cachep, struct array_cache ac)`
`3402`	`3406`	`}`
`3403`	`3407`	`#endif`
`3404`	`3408`	`spin_unlock(&n->list_lock);`
`3405`		`- slabs_destroy(cachep, &list);`
`3406`	`3409`	`ac->avail -= batchcount;`
`3407`	`3410`	`memmove(ac->entry, &(ac->entry[batchcount]), sizeof(void )ac->avail);`
	`3411`	`+ slabs_destroy(cachep, &list);`
`3408`	`3412`	`}`
`3409`	`3413`
`3410`	`3414`	`/*`