L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however these
names are blindly used as symlinks to slab cache objects registered under
/sys/kernel/slab. This kind of symlink creation is successful, but its
dentry is obviously broken, as well it breaks the access to the list of
/sys/kernel/slab dentries.
Likely L2TP protocol renames cannot be done, since the defined protocol
names are exposed over /proc/net/protocols for years, but the symlink
names can be renamed, because they are yet to be properly created, and
this should be eventually done by this change.
The problem manifests itself, if CONFIG_L2TP_IP build symbol is selected.
Fixes: 81819f0fc8285 ("SLUB core")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
---
mm/slub.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/mm/slub.c b/mm/slub.c
index 0baa906f39ab..843bed864a7f 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -9634,6 +9634,7 @@ static struct saved_alias *alias_list;
int sysfs_slab_alias(struct kmem_cache *s, const char *name)
{
struct saved_alias *al;
+ const char *al_name;
if (slab_state == FULL) {
/*
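Review bot: the `if (slab_state == FULL)` branch in this hunk's context is left unchanged. All 22 insertions in the diffstat are accounted for by this declaration, the block after `if (!al)` and the `kfree_const()` in slab_sysfs_init(), so a name passed in once slab_state is FULL still reaches that branch with its '/' intact. The replacement should happen before this branch, or in one helper that both paths call, so that a cache created after boot is covered as well.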
@@ -9652,8 +9653,27 @@ int sysfs_slab_alias(struct kmem_cache *s, const char *name)
if (!al)
return -ENOMEM;
+ al_name = kstrdup_const(name, GFP_KERNEL);
+ if (!al_name) {
+ kfree(al);
+ return -ENOMEM;
+ }
+
+ if (strchr(al_name, '/')) {
+ char *n;
+
+ n = kstrdup(al_name, GFP_KERNEL);
+ kfree_const(al_name);
+ if (!n) {
+ kfree(al);
+ return -ENOMEM;
+ }
+
+ al_name = strreplace(n, '/', '_');
+ }
+
al->s = s;
- al->name = name;
+ al->name = al_name;
al->next = alias_list;
alias_list = al;
kmsan_unpoison_memory(al, sizeof(*al));
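Review bot: in the `strchr(al_name, '/')` block the name is copied twice, first with kstrdup_const() and then with kstrdup(), only for the first copy to be freed straight away, which also doubles the -ENOMEM unwinding. Testing `strchr(name, '/')` on the incoming pointer first would send the slash case directly to kstrdup() plus strreplace() and every other name to kstrdup_const(). Separately, mapping '/' to '_' means an alias such as L2TP/IP takes the same link name that a cache literally called L2TP_IP would use; a short comment on why '_' was chosen and what happens on a clash would help.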
@@ -9691,6 +9711,7 @@ static int __init slab_sysfs_init(void)
if (err)
pr_err("SLUB: Unable to add boot slab alias %s to sysfs\n",
al->name);
+ kfree_const(al->name);
kfree(al);
}
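Review bot: the `kfree_const(al->name)` added before `kfree(al)` means `al->name` is now an owned copy rather than the caller's pointer, but nothing in the visible lines documents that. A comment on the `name` member of struct saved_alias saying it is allocated in sysfs_slab_alias() and released here with kfree_const() would keep a later change from assigning a borrowed string again. The pr_err() just above also now prints the rewritten alias, not the name the cache was created with, which is worth a word in the commit message.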
--
2.49.0
On 5/20/26 10:10 AM, Vladimir Zapolskiy wrote:
> L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however these
> names are blindly used as symlinks to slab cache objects registered under
> /sys/kernel/slab. This kind of symlink creation is successful, but its
> dentry is obviously broken, as well it breaks the access to the list of
> /sys/kernel/slab dentries.
Oops. I just loaded l2tp_ip module and it indeed broke it.
$ ls
ls: reading directory '.': Input/output error
:0000136/ kmalloc-rnd-01-16/ kmalloc-rnd-15-32/
:0000192/ kmalloc-rnd-02-512/ memdup_user-32/
:0000560/ kmalloc-rnd-06-192/ memdup_user-4k/
:0000768/ kmalloc-rnd-06-512/ pde_opener@
:a-0000168/ kmalloc-rnd-07-4k/ pidfs_xattr_cache@
:A-0000184/ kmalloc-rnd-11-8/ RAWv6/
audit_buffer@ kmalloc-rnd-11-96/ rpc_inode_cache/
configfs_dir_cache@ kmalloc-rnd-12-4k/ task_delay_info@
ecryptfs_global_auth_tok_cache@ kmalloc-rnd-13-128/ TCPv6/
fscache_cookie_jar@ kmalloc-rnd-14-96/
io_kiocb/ kmalloc-rnd-15-2k/
> Likely L2TP protocol renames cannot be done, since the defined protocol
> names are exposed over /proc/net/protocols for years, but the symlink
> names can be renamed, because they are yet to be properly created, and
> this should be eventually done by this change.
>
> The problem manifests itself, if CONFIG_L2TP_IP build symbol is selected.
>
> Fixes: 81819f0fc8285 ("SLUB core")
> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
> ---
There is also a debugfs feature that would cause a similar issue.
Can we replace '/' in the cache name, without renaming the protocol name?
--
Cheers,
Harry / Hyeonggon
Harry,
On 5/20/26 06:42, Harry Yoo wrote:
>
>
> On 5/20/26 10:10 AM, Vladimir Zapolskiy wrote:
>> L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however these
>> names are blindly used as symlinks to slab cache objects registered under
>> /sys/kernel/slab. This kind of symlink creation is successful, but its
>> dentry is obviously broken, as well it breaks the access to the list of
>> /sys/kernel/slab dentries.
>
> Oops. I just loaded l2tp_ip module and it indeed broke it.
>
> $ ls
> ls: reading directory '.': Input/output error
> :0000136/ kmalloc-rnd-01-16/ kmalloc-rnd-15-32/
> :0000192/ kmalloc-rnd-02-512/ memdup_user-32/
> :0000560/ kmalloc-rnd-06-192/ memdup_user-4k/
> :0000768/ kmalloc-rnd-06-512/ pde_opener@
> :a-0000168/ kmalloc-rnd-07-4k/ pidfs_xattr_cache@
> :A-0000184/ kmalloc-rnd-11-8/ RAWv6/
> audit_buffer@ kmalloc-rnd-11-96/ rpc_inode_cache/
> configfs_dir_cache@ kmalloc-rnd-12-4k/ task_delay_info@
> ecryptfs_global_auth_tok_cache@ kmalloc-rnd-13-128/ TCPv6/
> fscache_cookie_jar@ kmalloc-rnd-14-96/
> io_kiocb/ kmalloc-rnd-15-2k/
>
>> Likely L2TP protocol renames cannot be done, since the defined protocol
>> names are exposed over /proc/net/protocols for years, but the symlink
>> names can be renamed, because they are yet to be properly created, and
>> this should be eventually done by this change.
>>
>> The problem manifests itself, if CONFIG_L2TP_IP build symbol is selected.
>>
>> Fixes: 81819f0fc8285 ("SLUB core")
>> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
>> ---
>
> There is also a debugfs feature that would cause a similar issue.
thank you for review, I've just sent v2 fixing __kmem_cache_create_args()
side. As for debugfs I haven't reproduced any similar issue, please give
me a clue here, also likely any non-slab changes should be done separately.
> Can we replace '/' in the cache name, without renaming the protocol name?
>
I believe that's exactly how it's done, the protocol name is left unchanged.
--
Best wishes,
Vladimir
On 5/21/26 8:24 PM, Vladimir Zapolskiy wrote:
> Harry,
>
> On 5/20/26 06:42, Harry Yoo wrote:
>>
>>
>> On 5/20/26 10:10 AM, Vladimir Zapolskiy wrote:
>>> L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however
>>> these
>>> names are blindly used as symlinks to slab cache objects registered
>>> under
>>> /sys/kernel/slab. This kind of symlink creation is successful, but its
>>> dentry is obviously broken, as well it breaks the access to the list of
>>> /sys/kernel/slab dentries.
>>
>> Oops. I just loaded l2tp_ip module and it indeed broke it.
>>
>> $ ls
>> ls: reading directory '.': Input/output error
>> :0000136/ kmalloc-rnd-01-16/ kmalloc-rnd-15-32/
>> :0000192/ kmalloc-rnd-02-512/ memdup_user-32/
>> :0000560/ kmalloc-rnd-06-192/ memdup_user-4k/
>> :0000768/ kmalloc-rnd-06-512/ pde_opener@
>> :a-0000168/ kmalloc-rnd-07-4k/ pidfs_xattr_cache@
>> :A-0000184/ kmalloc-rnd-11-8/ RAWv6/
>> audit_buffer@ kmalloc-rnd-11-96/ rpc_inode_cache/
>> configfs_dir_cache@ kmalloc-rnd-12-4k/ task_delay_info@
>> ecryptfs_global_auth_tok_cache@ kmalloc-rnd-13-128/ TCPv6/
>> fscache_cookie_jar@ kmalloc-rnd-14-96/
>> io_kiocb/ kmalloc-rnd-15-2k/
>>
>>> Likely L2TP protocol renames cannot be done, since the defined protocol
>>> names are exposed over /proc/net/protocols for years, but the symlink
>>> names can be renamed, because they are yet to be properly created, and
>>> this should be eventually done by this change.
>>>
>>> The problem manifests itself, if CONFIG_L2TP_IP build symbol is
>>> selected.
>>>
>>> Fixes: 81819f0fc8285 ("SLUB core")
>>> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
>>> ---
>>
>> There is also a debugfs feature that would cause a similar issue.
>
> thank you for review, I've just sent v2 fixing __kmem_cache_create_args()
> side. As for debugfs I haven't reproduced any similar issue, please give
> me a clue here, also likely any non-slab changes should be done separately.
Ah, nevermind! I totally misread the patch.
I thought it only addresses the symlink name.
>> Can we replace '/' in the cache name, without renaming the protocol name?
>>
>
> I believe that's exactly how it's done, the protocol name is left
> unchanged.
Yeah, now I see :)
--
Cheers,
Harry / Hyeonggon
On 5/22/26 10:31 AM, Harry Yoo wrote:
>
>
> On 5/21/26 8:24 PM, Vladimir Zapolskiy wrote:
>> Harry,
>>
>> On 5/20/26 06:42, Harry Yoo wrote:
>>>
>>>
>>> On 5/20/26 10:10 AM, Vladimir Zapolskiy wrote:
>>>> L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however
>>>> these
>>>> names are blindly used as symlinks to slab cache objects registered
>>>> under
>>>> /sys/kernel/slab. This kind of symlink creation is successful, but its
>>>> dentry is obviously broken, as well it breaks the access to the list of
>>>> /sys/kernel/slab dentries.
>>>
>>> Oops. I just loaded l2tp_ip module and it indeed broke it.
>>>
>>> $ ls
>>> ls: reading directory '.': Input/output error
>>> :0000136/ kmalloc-rnd-01-16/ kmalloc-rnd-15-32/
>>> :0000192/ kmalloc-rnd-02-512/ memdup_user-32/
>>> :0000560/ kmalloc-rnd-06-192/ memdup_user-4k/
>>> :0000768/ kmalloc-rnd-06-512/ pde_opener@
>>> :a-0000168/ kmalloc-rnd-07-4k/ pidfs_xattr_cache@
>>> :A-0000184/ kmalloc-rnd-11-8/ RAWv6/
>>> audit_buffer@ kmalloc-rnd-11-96/ rpc_inode_cache/
>>> configfs_dir_cache@ kmalloc-rnd-12-4k/ task_delay_info@
>>> ecryptfs_global_auth_tok_cache@ kmalloc-rnd-13-128/ TCPv6/
>>> fscache_cookie_jar@ kmalloc-rnd-14-96/
>>> io_kiocb/ kmalloc-rnd-15-2k/
>>>
>>>> Likely L2TP protocol renames cannot be done, since the defined protocol
>>>> names are exposed over /proc/net/protocols for years, but the symlink
>>>> names can be renamed, because they are yet to be properly created, and
>>>> this should be eventually done by this change.
>>>>
>>>> The problem manifests itself, if CONFIG_L2TP_IP build symbol is
>>>> selected.
>>>>
>>>> Fixes: 81819f0fc8285 ("SLUB core")
>>>> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
>>>> ---
>>>
>>> There is also a debugfs feature that would cause a similar issue.
>>
>> thank you for review, I've just sent v2 fixing __kmem_cache_create_args()
>> side. As for debugfs I haven't reproduced any similar issue, please give
>> me a clue here, also likely any non-slab changes should be done
>> separately.
>
> Ah, nevermind! I totally misread the patch.
> I thought it only addresses the symlink name.
Oh wait, no. I did not misread v1.
I meant debugfs_slab_add() creates a directory under
/sys/kernel/debug/slab/ based on s->name, so sysfs is not the only thing
that's broken :)
So I think we should either reject '/' in s->name or replace it with
another character, or let sysfs/kernfs handle it (as replied on v2)
--
Cheers,
Harry / Hyeonggon
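The two options named in the message above (reject '/' in the name, or replace it), sketched in userspace C as an added example; this is not code from the patch or from mm/slub.c, and `name_table`, `name_check`, `name_sanitize` and `name_register` are hypothetical names. It also shows one consequence of the replace option: the rewrite can collide with a name that already exists.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define MAX_NAMES 16

/* Hypothetical stand-in for the entries of one directory (not kernel code). */
struct name_table {
    char *names[MAX_NAMES];
    size_t count;
};

/* "Reject" policy: accept only a name usable as a single path component. */
static int name_check(const char *name)
{
    if (!*name || !strcmp(name, ".") || !strcmp(name, ".."))
        return -EINVAL;
    return strchr(name, '/') ? -EINVAL : 0;
}

/* "Replace" policy: return an owned copy with every '/' mapped to '_'.
 * Always copying gives the caller a single free() path for every input. */
static char *name_sanitize(const char *name)
{
    size_t i, n = strlen(name) + 1;
    char *copy = malloc(n);
    for (i = 0; copy && i < n; i++)
        copy[i] = name[i] == '/' ? '_' : name[i];
    return copy;
}

/* Add a non-NULL name under the replace policy. The rewrite is not injective,
 * so "L2TP/IP" gets -EEXIST if a literal "L2TP_IP" is already present. */
static int name_register(struct name_table *t, const char *name)
{
    char *clean = name_sanitize(name);
    int err = clean ? name_check(clean) : -ENOMEM;
    size_t i;
    for (i = 0; !err && i < t->count; i++)
        if (!strcmp(t->names[i], clean))
            err = -EEXIST;
    if (!err && t->count == MAX_NAMES)
        err = -ENOSPC;
    if (err) {
        free(clean);
        return err;
    }
    t->names[t->count++] = clean;
    return 0;
}
```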
On Wed, May 20, 2026 at 04:10:19AM +0300, Vladimir Zapolskiy wrote:
> L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however these
> names are blindly used as symlinks to slab cache objects registered under
> /sys/kernel/slab. This kind of symlink creation is successful, but its
> dentry is obviously broken, as well it breaks the access to the list of
> /sys/kernel/slab dentries.
>
> Likely L2TP protocol renames cannot be done, since the defined protocol
> names are exposed over /proc/net/protocols for years, but the symlink
> names can be renamed, because they are yet to be properly created, and
> this should be eventually done by this change.
>
> The problem manifests itself, if CONFIG_L2TP_IP build symbol is selected.
Hello, thanks for the patch.
Could L2TP possibly be loaded as a module? I noticed that
__kmem_cache_create_args can also call into sysfs_slab_alias. If L2TP is loaded
as a module after boot and dynamically creates a slub cache, it may bypass your
fix..
--
Thanks,
Hao
Hi Hao,
On 5/20/26 06:21, Hao Li wrote:
> On Wed, May 20, 2026 at 04:10:19AM +0300, Vladimir Zapolskiy wrote:
>> L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however these
>> names are blindly used as symlinks to slab cache objects registered under
>> /sys/kernel/slab. This kind of symlink creation is successful, but its
>> dentry is obviously broken, as well it breaks the access to the list of
>> /sys/kernel/slab dentries.
>>
>> Likely L2TP protocol renames cannot be done, since the defined protocol
>> names are exposed over /proc/net/protocols for years, but the symlink
>> names can be renamed, because they are yet to be properly created, and
>> this should be eventually done by this change.
>>
>> The problem manifests itself, if CONFIG_L2TP_IP build symbol is selected.
>
> Hello, thanks for the patch.
>
> Could L2TP possibly be loaded as a module? I noticed that
> __kmem_cache_create_args can also call into sysfs_slab_alias. If L2TP is loaded
> as a module after boot and dynamically creates a slub cache, it may bypass your
> fix..
>
you're totally right, __kmem_cache_create_args execution path should also be
fixed, I'll send v2.
Thank you for review!
--
Best wishes,
Vladimir