| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Sep 2016 01:38:35 +0800
From: zijun_hu <zijun_hu@...o.com>
To: Tejun Heo <tj@...nel.org>
Cc: zijun_hu@....com, Andrew Morton <akpm@...ux-foundation.org>,
cl@...ux.com, linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 1/1] mm/percpu.c: fix potential memory leakage for
pcpu_embed_first_chunk()
On 2016/9/30 0:44, Tejun Heo wrote:
> Hello,
>
> On Fri, Sep 30, 2016 at 12:03:20AM +0800, zijun_hu wrote:
>> From: zijun_hu <zijun_hu@....com>
>>
>> it will cause memory leakage for pcpu_embed_first_chunk() to go to
>> label @out_free if the chunk spans over 3/4 VMALLOC area. all memory
>> are allocated and recorded into array @areas for each CPU group, but
>> the memory allocated aren't be freed before returning after going to
>> label @out_free
>>
>> in order to fix this bug, we check chunk spanned area immediately
>> after completing memory allocation for all CPU group, we go to label
>> @out_free_areas other than @out_free to free all memory allocated if
>> the checking is failed.
>>
>> Signed-off-by: zijun_hu <zijun_hu@....com>
> ...
>> @@ -2000,6 +2001,21 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size,
>> areas[group] = ptr;
>>
>> base = min(ptr, base);
>> + if (ptr > areas[j])
>> + j = group;
>> + }
>> + max_distance = areas[j] - base;
>> + max_distance += ai->unit_size * ai->groups[j].nr_units;
>> +
>> + /* warn if maximum distance is further than 75% of vmalloc space */
>> + if (max_distance > VMALLOC_TOTAL * 3 / 4) {
>> + pr_warn("max_distance=0x%lx too large for vmalloc space 0x%lx\n",
>> + max_distance, VMALLOC_TOTAL);
>> +#ifdef CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK
>> + /* and fail if we have fallback */
>> + rc = -EINVAL;
>> + goto out_free_areas;
>> +#endif
>
> Isn't it way simpler to make the error path jump to out_free_areas?
> There's another similar case after pcpu_setup_first_chunk() failure
> too. Also, can you please explain how you tested the changes?
>
> Thanks.
>
1) the simpler way don't work because it maybe free many memory block twice
let us take a CPU group as a example, after we allocate All memory
needed by a CPU group, we maybe free a unit memory block which
don't map to a available CPU, we maybe free a part of unit memory which
we don't used too, you can refer to following code segments for detailed
info.
for (group = 0; group < ai->nr_groups; group++) {
struct pcpu_group_info *gi = &ai->groups[group];
void *ptr = areas[group];
for (i = 0; i < gi->nr_units; i++, ptr += ai->unit_size) {
if (gi->cpu_map[i] == NR_CPUS) {
/* unused unit, free whole */
free_fn(ptr, ai->unit_size);
continue;
}
/* copy and return the unused part */
memcpy(ptr, __per_cpu_load, ai->static_size);
free_fn(ptr + size_sum, ai->unit_size - size_sum);
}
}
2) as we seen, pcpu_setup_first_chunk() doesn't cause a failure, it return 0
always or panic by BUG_ON(), even if it fails, we can conclude the allocated
memory based on information recorded by it, such as pcpu_base_addr and many of
static variable, we can complete the free operations; but we can't if we
fail in the case pointed by this patch
3) my test way is simple, i force "if (max_distance > VMALLOC_TOTAL * 3 / 4)"
to if (1) and print which memory i allocate before the jumping, then print which memory
i free after the jumping and before returning, then check whether i free the memory i
allocate in this function, the result is okay
Powered by blists - more mailing lists