Date:   Thu, 19 Apr 2018 10:21:59 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Pavel Tatashin <pasha.tatashin@...cle.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc:     Steven Sistare <steven.sistare@...cle.com>,
        Daniel Jordan <daniel.m.jordan@...cle.com>,
        Bob Picco <bob.picco@...cle.com>,
        Linux Memory Management List <linux-mm@...ck.org>,
        linux-kernel@...r.kernel.org, LKP <lkp@...org>,
        Petr Mladek <pmladek@...e.com>,
        Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Nicolas Pitre <nicolas.pitre@...aro.org>,
        Nikitas Angelinas <nikitas.angelinas@...il.com>,
        Matt Redfearn <matt.redfearn@...s.com>,
        Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com
Subject: a4a3ede213 ("mm: zero reserved and unavailable struct pages"): [
    0.010000] BUG: KASAN: use-after-scope in console_unlock

On Thu, Apr 19, 2018 at 10:17:57AM +0800, Fengguang Wu wrote:
>Hello,
>
>FYI this happens in mainline kernel 4.17.0-rc1.
>It at least dates back to v4.15-rc1.
>
>The regression was reported before
>
>         https://lkml.org/lkml/2017/11/30/33
>
>where the last message from Dmitry mentions that use-after-scope has
>known false positives with CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y.
>If so, what would be the best way to work around such false positives
>in boot testing? Disable the above config?
>
>0day bisects produce divergent results, with 2 of them converging to
>commit d17a1d97dc ("x86/mm/kasan: don't use vmemmap_populate() to
>initialize shadow") and 1 bisected to the earlier a4a3ede213 ("mm:
>zero reserved and unavailable struct pages"). I'll send the bisect
>reports in follow-up emails.

Here is the bisect report for

commit a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b
Author:     Pavel Tatashin <pasha.tatashin@...cle.com>
AuthorDate: Wed Nov 15 17:36:31 2017 -0800
Commit:     Linus Torvalds <torvalds@...ux-foundation.org>
CommitDate: Wed Nov 15 18:21:05 2017 -0800

     mm: zero reserved and unavailable struct pages
     
     Some memory is reserved but unavailable: not present in memblock.memory
     (because not backed by physical pages), but present in memblock.reserved.
     Such memory has backing struct pages, but they are not initialized by
     going through __init_single_page().
     
     In some cases these struct pages are accessed even if they do not
     contain any data.  One example is page_to_pfn() might access page->flags
     if this is where section information is stored (CONFIG_SPARSEMEM,
     SECTION_IN_PAGE_FLAGS).
     
     One example of such memory: trim_low_memory_range() unconditionally
     reserves from pfn 0, but e820__memblock_setup() might provide the
     existing memory from pfn 1 (i.e.  KVM).
     
     Since struct pages are zeroed in __init_single_page(), and not during
     allocation time, we must zero such struct pages explicitly.
     
     The patch involves adding a new memblock iterator:
             for_each_resv_unavail_range(i, p_start, p_end)
     
     Which iterates through reserved && !memory lists, and we zero struct pages
     explicitly by calling mm_zero_struct_page().
     
     ===
     
     Here is more detailed example of problem that this patch is addressing:
     
     Run tested on qemu with the following arguments:
     
             -enable-kvm -cpu kvm64 -m 512 -smp 2
     
     This patch reports that there are 98 unavailable pages.
     
     They are: pfn 0 and pfns in range [159, 255].
     
     Note, trim_low_memory_range() reserves only pfns in range [0, 15], it does
     not reserve [159, 255] ones.
     
     e820__memblock_setup() reports to linux that the following physical ranges
     are available:
         [1, 158]
         [256, 130783]
     
     Notice, that exactly unavailable pfns are missing!
     
     Now, let's check what we have in zone 0: [1, 131039]
     
     pfn 0, is not part of the zone, but pfns [1, 158], are.
     
     However, the bigger problem we have if we do not initialize these struct
     pages is with memory hotplug.  Because that path operates at 2M
     boundaries (section_nr) and checks if a 2M range of pages is hot
     removable.  It starts with the first pfn from the zone, rounds it down to a 2M
     boundary (struct pages are allocated at 2M boundaries when vmemmap is
     created), and checks if that section is hot removable.  In this case we
     start with pfn 1 and convert it down to pfn 0.  Later pfn is converted
     to struct page, and some fields are checked.  Now, if we do not zero
     struct pages, we get unpredictable results.
     
     In fact when CONFIG_VM_DEBUG is enabled, and we explicitly set all
     vmemmap memory to ones, the following panic is observed with kernel test
     without this patch applied:
     
       BUG: unable to handle kernel NULL pointer dereference at          (null)
       IP: is_pageblock_removable_nolock+0x35/0x90
       PGD 0 P4D 0
       Oops: 0000 [#1] PREEMPT
       ...
       task: ffff88001f4e2900 task.stack: ffffc90000314000
       RIP: 0010:is_pageblock_removable_nolock+0x35/0x90
       Call Trace:
        ? is_mem_section_removable+0x5a/0xd0
        show_mem_removable+0x6b/0xa0
        dev_attr_show+0x1b/0x50
        sysfs_kf_seq_show+0xa1/0x100
        kernfs_seq_show+0x22/0x30
        seq_read+0x1ac/0x3a0
        kernfs_fop_read+0x36/0x190
        ? security_file_permission+0x90/0xb0
        __vfs_read+0x16/0x30
        vfs_read+0x81/0x130
        SyS_read+0x44/0xa0
        entry_SYSCALL_64_fastpath+0x1f/0xbd
     
     Link: http://lkml.kernel.org/r/20171013173214.27300-7-pasha.tatashin@oracle.com
     Signed-off-by: Pavel Tatashin <pasha.tatashin@...cle.com>
     Reviewed-by: Steven Sistare <steven.sistare@...cle.com>
     Reviewed-by: Daniel Jordan <daniel.m.jordan@...cle.com>
     Reviewed-by: Bob Picco <bob.picco@...cle.com>
     Tested-by: Bob Picco <bob.picco@...cle.com>
     Acked-by: Michal Hocko <mhocko@...e.com>
     Cc: Alexander Potapenko <glider@...gle.com>
     Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
     Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>
     Cc: Catalin Marinas <catalin.marinas@....com>
     Cc: Christian Borntraeger <borntraeger@...ibm.com>
     Cc: David S. Miller <davem@...emloft.net>
     Cc: Dmitry Vyukov <dvyukov@...gle.com>
     Cc: Heiko Carstens <heiko.carstens@...ibm.com>
     Cc: "H. Peter Anvin" <hpa@...or.com>
     Cc: Ingo Molnar <mingo@...hat.com>
     Cc: Mark Rutland <mark.rutland@....com>
     Cc: Matthew Wilcox <willy@...radead.org>
     Cc: Mel Gorman <mgorman@...hsingularity.net>
     Cc: Michal Hocko <mhocko@...nel.org>
     Cc: Sam Ravnborg <sam@...nborg.org>
     Cc: Thomas Gleixner <tglx@...utronix.de>
     Cc: Will Deacon <will.deacon@....com>
     Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
     Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>

ea1f5f3712  mm: define memblock_virt_alloc_try_nid_raw
a4a3ede213  mm: zero reserved and unavailable struct pages
0b412605ef  Merge tag 'drm-fixes-for-v4.16-rc8' of git://people.freedesktop.org/~airlied/linux
7373fc81da  Add linux-next specific files for 20180328
+--------------------------------------------------+------------+------------+------------+---------------+
|                                                  | ea1f5f3712 | a4a3ede213 | 0b412605ef | next-20180328 |
+--------------------------------------------------+------------+------------+------------+---------------+
| boot_successes                                   | 0          | 0          | 0          | 0             |
| boot_failures                                    | 44         | 11         | 17         | 11            |
| BUG:KASAN:use-after-scope_in__free_pages_bootmem | 44         |            |            |               |
| BUG:KASAN:use-after-scope_in_c                   | 0          | 11         | 17         | 11            |
+--------------------------------------------------+------------+------------+------------+---------------+

[    0.000000] **                                                      **
[    0.000000] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[    0.000000] **********************************************************
[    0.010000] NR_IRQS: 4352, nr_irqs: 256, preallocated irqs: 16
[    0.010000] ==================================================================
[    0.010000] BUG: KASAN: use-after-scope in console_unlock+0x303/0x645
[    0.010000] Write of size 4 at addr ffffffff83607ac0 by task swapper/0
[    0.010000] 
[    0.010000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.0-04318-ga4a3ede #1
[    0.010000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[    0.010000] Call Trace:
[    0.010000]  ? dump_stack+0x2a/0x39
[    0.010000]  ? print_address_description+0xb2/0x397
[    0.010000]  ? console_unlock+0x303/0x645
[    0.010000]  ? kasan_report+0x31b/0x36d
[    0.010000]  ? __asan_store4+0xe0/0xe8
[    0.010000]  ? console_unlock+0x303/0x645
[    0.010000]  ? wake_up_klogd+0x112/0x112
[    0.010000]  ? do_raw_spin_unlock+0x10d/0x118
[    0.010000]  ? arch_local_irq_restore+0xe/0x16
[    0.010000]  ? vprintk_emit+0x364/0x393
[    0.010000]  ? __down_trylock_console_sem+0x88/0x9e
[    0.010000]  ? vprintk_emit+0x364/0x393
[    0.010000]  ? vprintk_emit+0x37b/0x393
[    0.010000]  ? vprintk_default+0x20/0x28
[    0.010000]  ? vprintk_func+0x9a/0xa2
[    0.010000]  ? printk+0xa2/0xcc
[    0.010000]  ? show_regs_print_info+0x4e/0x4e
[    0.010000]  ? pte_offset_kernel+0x29/0x71
[    0.010000]  ? kasan_populate_zero_shadow+0x696/0x7a9
[    0.010000]  ? kasan_init+0x303/0x375
[    0.010000]  ? setup_arch+0x1d33/0x1efb
[    0.010000]  ? reserve_standard_io_resources+0x9d/0x9d
[    0.010000]  ? vprintk_emit+0x37b/0x393
[    0.010000]  ? vprintk_default+0x20/0x28
[    0.010000]  ? vprintk_func+0x9a/0xa2
[    0.010000]  ? printk+0xa2/0xcc
[    0.010000]  ? show_regs_print_info+0x4e/0x4e
[    0.010000]  ? cgroup_wq_init+0x8d/0x8d
[    0.010000]  ? load_idt+0x16/0x16
[    0.010000]  ? start_kernel+0x10e/0xb00
[    0.010000]  ? mem_encrypt_init+0x3a/0x3a
[    0.010000]  ? early_idt_handler_common+0x3b/0x52
[    0.010000]  ? x86_64_start_reservations+0x71/0x99
[    0.010000]  ? x86_64_start_kernel+0xeb/0x115
[    0.010000]  ? secondary_startup_64+0xa5/0xb0
[    0.010000] 
[    0.010000] Memory state around the buggy address:
[    0.010000]  ffffffff83607980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    0.010000]  ffffffff83607a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    0.010000] >ffffffff83607a80: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2

                                                           # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start v4.15 v4.14 --
git bisect  bad e017b4db26d03c1a6531f814ecc5ab41bcb889e9  # 09:33  B      0    11   25   0  Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect  bad e0bcb42e602816415f6fe07313b6fc84932244b7  # 09:51  B      0    11   25   0  Merge tag 'ecryptfs-4.15-rc1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
git bisect good 23c258763ba992f6a95a4b8980ffa7c1890bc8d8  # 10:13  G     11     0   11  11  Merge tag 'dmaengine-4.15-rc1' of git://git.infradead.org/users/vkoul/slave-dma
git bisect  bad 93ea0eb7d77afab34657715630d692a78b8cea6a  # 10:35  B      0    11   25   0  Merge tag 'leaks-4.15-rc1' of git://github.com/tcharding/linux
git bisect good 373c4557d2aa362702c4c2d41288fb1e54990b7c  # 10:56  G     10     0   10  10  mm/pagewalk.c: report holes in hugetlb ranges
git bisect good 1bc03573e1c9024d4e4be97df4a1e0931edbae2c  # 11:17  G     11     0   11  11  Merge branch 'for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata
git bisect good ad0835a93008e5901415a0a27847d6a27649aa3a  # 11:37  G     11     0   11  11  Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma
git bisect good 6363b3f3ac5be096d08c8c504128befa0c033529  # 11:55  G     11     0   11  11  Merge tag 'ipmi-for-4.15' of git://github.com/cminyard/linux-ipmi
git bisect  bad 7c225c69f86c934e3be9be63ecde754e286838d7  # 12:11  B      0    11   25   0  Merge branch 'akpm' (patches from Andrew)
git bisect good 4be90299a1693c2112edb20ca78d6cc9f2183326  # 12:26  G     11     0   11  11  ceph: use pagevec_lookup_range_nr_tag()
git bisect  bad 76253fbc8fbf6018401755fc5c07814a837cc832  # 12:47  B      0     1   15   0  mm: move accounting updates before page_cache_tree_delete()
git bisect good 353b1e7b5859e98860f984d8894fa7ddc242a90e  # 13:24  G     11     0   11  11  x86/mm: set fields in deferred pages
git bisect  bad 78c943662f4b1d53ddbfc515e427827915781377  # 13:44  B      0    11   25   0  sparc64: optimize struct page zeroing
git bisect  bad a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b  # 13:59  B      0    11   25   0  mm: zero reserved and unavailable struct pages
git bisect good df8ee578894ebb591c2995cce422e6189c8bb757  # 14:18  G     11     0   11  11  sparc64: simplify vmemmap_populate
git bisect good ea1f5f3712afe895dfa4176ec87376b4a9ac23be  # 14:31  G     11     0   11  11  mm: define memblock_virt_alloc_try_nid_raw
# first bad commit: [a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b] mm: zero reserved and unavailable struct pages
git bisect good ea1f5f3712afe895dfa4176ec87376b4a9ac23be  # 14:32  G     33     0   33  44  mm: define memblock_virt_alloc_try_nid_raw
# extra tests with debug options
git bisect  bad a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b  # 14:45  B      0    11   25   0  mm: zero reserved and unavailable struct pages
# extra tests on HEAD of linux-devel/devel-catchup-201803290753
git bisect  bad 5551da2e0f5324564f98bf5ac7d66449740c4934  # 14:46  B      0    13   30   0  0day head guard for 'devel-catchup-201803290753'
# extra tests on tree/branch linus/master
git bisect  bad 0b412605ef5f5c64b31f19e2910b1d5eba9929c3  # 15:01  B      0    11   25   0  Merge tag 'drm-fixes-for-v4.16-rc8' of git://people.freedesktop.org/~airlied/linux
# extra tests on tree/branch linux-next/master
git bisect  bad 7373fc81dadd068a8f2ea26011774f00f1f156bd  # 15:24  B      0    11   25   0  Add linux-next specific files for 20180328

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-yocto-vp-17:20180329135720:x86_64-randconfig-s5-03290803:4.14.0-04318-ga4a3ede:1.gz" of type "application/gzip" (8597 bytes)

Download attachment "dmesg-yocto-vp-10:20180329143211:x86_64-randconfig-s5-03290803:4.14.0-04317-gea1f5f3:1.gz" of type "application/gzip" (8420 bytes)

View attachment "reproduce-yocto-vp-17:20180329135720:x86_64-randconfig-s5-03290803:4.14.0-04318-ga4a3ede:1" of type "text/plain" (922 bytes)

View attachment "config-4.14.0-04318-ga4a3ede" of type "text/plain" (121626 bytes)
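The "reserved && !memory" walk that the quoted commit message describes, written out as an added userspace C example (not the kernel's code and not part of this email): the memory and reserved tables are constructed from the commit message's qemu numbers, and the [159,255] reservation is an assumption, since the message does not say which caller makes it. Walking the tables yields pfn 0 and [159,255], the 98 unavailable pages the patch reports; the kernel would call mm_zero_struct_page() on each of them.

```c
#include <stddef.h>

/* Inclusive pfn ranges, in the notation of the commit message. */
struct pfn_range { unsigned long start, end; };

/* Constructed input from the commit message's qemu example: e820 reports
 * [1,158] and [256,130783] as memory, trim_low_memory_range() reserves [0,15];
 * the [159,255] reservation is assumed. Both tables are sorted and disjoint. */
static const struct pfn_range memory[]   = { {1, 158}, {256, 130783} };
static const struct pfn_range reserved[] = { {0, 15}, {159, 255} };

typedef void (*range_cb)(unsigned long start, unsigned long end, void *arg);
/* Call cb for each piece of a reserved range that no memory range covers:
 * the "reserved && !memory" set that for_each_resv_unavail_range() walks. */
static void for_each_resv_unavail(const struct pfn_range *resv, size_t nresv,
                                  const struct pfn_range *mem, size_t nmem,
                                  range_cb cb, void *arg)
{
    for (size_t i = 0; i < nresv; i++) {
        unsigned long cur = resv[i].start;      /* first unclassified pfn */
        for (size_t j = 0; j < nmem && cur <= resv[i].end; j++) {
            if (mem[j].end < cur)
                continue;                       /* memory ends before cursor */
            if (mem[j].start > resv[i].end)
                break;                          /* sorted: no further overlap */
            if (mem[j].start > cur)
                cb(cur, mem[j].start - 1, arg); /* hole before this memory */
            cur = mem[j].end + 1;
        }
        if (cur <= resv[i].end)
            cb(cur, resv[i].end, arg);          /* tail past the last memory */
    }
}

/* Collector standing in for the kernel's mm_zero_struct_page() loop. */
struct collect { struct pfn_range out[8]; size_t n; unsigned long pages; };
static struct collect result;

static void collect_cb(unsigned long s, unsigned long e, void *arg)
{
    struct collect *c = arg;
    if (c->n < 8) c->out[c->n++] = (struct pfn_range){ s, e };
    c->pages += e - s + 1;
}

/* Walk the constructed tables; returns the unavailable page count. */
unsigned long count_unavail_pages(void)
{
    result.n = 0; result.pages = 0;
    for_each_resv_unavail(reserved, 2, memory, 2, collect_cb, &result);
    return result.pages;
}
```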
