[PATCH v2] mm/slab: fix probable issue of dentries registration under /sys/kernel/slab

[Vladimir Zapolskiy]

L2TP/IP and L2TP/IPv6 protocol names contain a slash symbol, however these
names are blindly used as symlinks to slab cache objects registered under
/sys/kernel/slab. This kind of symlink creation is successful, but its
dentry is obviously broken, as well it breaks the access to the list of
/sys/kernel/slab dentries.

Likely L2TP protocol renames cannot be done, since the defined protocol
names are exposed over /proc/net/protocols for years, but the symlink
names can be renamed, because they are yet to be properly created, and
this should be eventually done by this change.

The problem manifests itself, if CONFIG_L2TP_IP build symbol is selected.

Fixes: 81819f0fc8285 ("SLUB core")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@xxxxxxxxxx>
---
Changes from v2 to v1:
* added slash symbol replacement to __kmem_cache_create_args() as well,
  many thanks to Hao and Harry for review.

Link to v1:
* https://lore.kernel.org/linux-mm/8a80496b-1568-4a0b-a878-836c27d19ad5@xxxxxxxxxx/

 mm/slab_common.c | 23 +++++++++++++++++++----
 mm/slub.c        | 23 ++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..b9930521496d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -366,16 +366,31 @@ struct kmem_cache *__kmem_cache_create_args(const char *name,
 		    object_size - args->usersize < args->useroffset))
 		args->usersize = args->useroffset = 0;
 
-	s = __kmem_cache_alias(name, object_size, flags, args);
-	if (s)
-		goto out_unlock;
-
 	cache_name = kstrdup_const(name, GFP_KERNEL);
 	if (!cache_name) {
 		err = -ENOMEM;
 		goto out_unlock;
 	}
 
+	if (strchr(cache_name, '/')) {
+		char *n;
+
+		n = kstrdup(cache_name, GFP_KERNEL);
+		kfree_const(cache_name);
+		if (!n) {
+			err = -ENOMEM;
+			goto out_unlock;
+		}
+
+		cache_name = strreplace(n, '/', '_');
+	}
+
+	s = __kmem_cache_alias(cache_name, object_size, flags, args);
+	if (s) {
+		kfree_const(cache_name);
+		goto out_unlock;
+	}
+
 	args->align = calculate_alignment(flags, args->align, object_size);
 	s = create_cache(cache_name, object_size, args, flags);
 	if (IS_ERR(s)) {
diff --git a/mm/slub.c b/mm/slub.c
index 0baa906f39ab..843bed864a7f 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -9634,6 +9634,7 @@ static struct saved_alias *alias_list;
 int sysfs_slab_alias(struct kmem_cache *s, const char *name)
 {
 	struct saved_alias *al;
+	const char *al_name;
 
 	if (slab_state == FULL) {
 		/*
@@ -9652,8 +9653,27 @@ int sysfs_slab_alias(struct kmem_cache *s, const char *name)
 	if (!al)
 		return -ENOMEM;
 
+	al_name = kstrdup_const(name, GFP_KERNEL);
+	if (!al_name) {
+		kfree(al);
+		return -ENOMEM;
+	}
+
+	if (strchr(al_name, '/')) {
+		char *n;
+
+		n = kstrdup(al_name, GFP_KERNEL);
+		kfree_const(al_name);
+		if (!n) {
+			kfree(al);
+			return -ENOMEM;
+		}
+
+		al_name = strreplace(n, '/', '_');
+	}
+
 	al->s = s;
-	al->name = name;
+	al->name = al_name;
 	al->next = alias_list;
 	alias_list = al;
 	kmsan_unpoison_memory(al, sizeof(*al));
@@ -9691,6 +9711,7 @@ static int __init slab_sysfs_init(void)
 		if (err)
 			pr_err("SLUB: Unable to add boot slab alias %s to sysfs\n",
 			       al->name);
+		kfree_const(al->name);
 		kfree(al);
 	}
 
-- 
2.49.0