lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 27 Aug 2017 20:08:58 +0000
From:   Nadav Amit <namit@...are.com>
To:     Mike Kravetz <mike.kravetz@...cle.com>
CC:     Nadia Yvette Chambers <nyc@...omorphy.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Eric Biggers <ebiggers3@...il.com>
Subject: Re: [PATCH] hugetlbfs: change put_page/unlock_page order in
 hugetlbfs_fallocate()

Mike Kravetz <mike.kravetz@...cle.com> wrote:

> On 08/26/2017 12:11 PM, Nadav Amit wrote:
>> hugetlfs_fallocate() currently performs put_page() before unlock_page().
>> This scenario opens a small time window, from the time the page is added
>> to the page cache, until it is unlocked, in which the page might be
>> removed from the page-cache by another core. If the page is removed
>> during this time windows, it might cause a memory corruption, as the
>> wrong page will be unlocked.
>> 
>> It is arguable whether this scenario can happen in a real system, and
>> there are several mitigating factors. The issue was found by code
>> inspection (actually grep), and not by actually triggering the flow.
>> Yet, since putting the page before unlocking is incorrect it should be
>> fixed, if only to prevent future breakage or someone copy-pasting this
>> code.
>> 
>> Fixes: 70c3547e36f5c ("hugetlbfs: add hugetlbfs_fallocate()")
>> 
>> cc: Eric Biggers <ebiggers3@...il.com>
>> cc: Mike Kravetz <mike.kravetz@...cle.com>
>> 
>> Signed-off-by: Nadav Amit <namit@...are.com>
> 
> Thank you Nadav.

No problem.

> 
> Reviewed-by: Mike Kravetz <mike.kravetz@...cle.com>
> 
> Since hugetlbfs is an in memory filesystem, the only way one 'should' be
> able to remove a page (file content) is through an inode operation such as
> truncate, hole punch, or unlink.  That was the basis for my response that
> the inode lock would be required for page freeing.
> 
> Eric's question about sys_fadvise64(POSIX_FADV_DONTNEED) is interesting.
> I was expecting to see a check for hugetlbfs pages and exit (without
> modification) if encountered.  A quick review of the code did not find
> any such checks.
> 
> I'll take a closer look to determine exactly how hugetlbfs files are
> handled.  IMO, there should be something similar to the DAX check where
> the routine quickly exits.

I did not cc stable when submitting the patch, based on your previous
response. Let me know if you want me to send v2 which does so.

Thanks,
Nadav

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ