[Devel] [PATCH rh7 0/5] slab: God mode allocations for SLABs

Konstantin Khorenko khorenko at virtuozzo.com
Fri Sep 6 20:34:05 MSK 2024 

We suspect some SLAB allocation failures handling code is not ideal
and leads to memory corruptions, in particular we often see slab freelist
corruptions.

In order to minimize damage / possibility of those corruptions we have
implemented several things:

 1. Moved slab freelist pointer to the middle of object.
    The hope is to have corrupted data of an alive or even already freed
    SLAB object instead of corrupted freelist.

 2. Added more sanity checks for SLAB freelist. Can be enabled along with
    other sanity checks by "slub_debug=F" kernel boot option.

 3. Introduced a tweak to allow bypassing the memcg limits during
    SLAB object allocations.
    No SLAB allocation failures => no buggy failures handling code
    execution => no memory corruptions => peace.
    An ugly crutch.

    The tweak is disabled by default.
    To enable the tweak you can use either:
      * "unlimited_slabs=1" kernel boot option
      * /sys/kernel/debug/unlimited_slabs entry (on the fly)
        * echo 1 > /sys/kernel/debug/unlimited_slabs to enable  the tweak
        * echo 0 > /sys/kernel/debug/unlimited_slabs to disable the tweak

    After the tweak is enabled, SLAB object flags are checked during each
    object allocation and if the SLAB is marked, memcg limits are ignored.

    To mark/unmark a particular SLAB:
      * echo 1 > /sys/kernel/slab/$SLAB_NAME/pf_memalloc
      * echo 0 > /sys/kernel/slab/$SLAB_NAME/pf_memalloc

    To mark all SLABs you can use kernel boot option: "slub_debug=M"

    Marking SLABs and enabling/disabling the tweak are completely
    independent and can be performed in any order.

https://virtuozzo.atlassian.net/browse/PSBM-155867

Kees Cook (1):
  ms/slub: relocate freelist pointer to middle of object

Konstantin Khorenko (2):
  slab: ignore memcg limits during marked SLAB allocations
  slub: introduce static_key switch for unlimited_slabs tweak

Pavel Tikhomirov (1):
  slub_debug: fail allocation on a bad freelist pointer

Waiman Long (1):
  ms/mm/slub: fix incorrect interpretation of s->offset

 include/linux/slab.h |   1 +
 mm/slub.c            | 191 +++++++++++++++++++++++++++++++++++++++----
 2 files changed, 174 insertions(+), 18 deletions(-)

-- 
2.24.3

More information about the Devel mailing list