| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Mar 2023 17:14:23 -0700
From: Yang Shi <shy828301@...il.com>
To: Andrew Morton <akpm@...ux-foundation.org>,
"Zach O'Keefe" <zokeefe@...gle.com>
Cc: Ivan Orlov <ivan.orlov0322@...il.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, himadrispandya@...il.com,
skhan@...uxfoundation.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+9578faa5475acb35fa50@...kaller.appspotmail.com
Subject: Re: [PATCH] mm: khugepaged: Fix kernel BUG in hpage_collapse_scan_file
On Wed, Mar 29, 2023 at 2:53 PM Andrew Morton <akpm@...ux-foundation.org> wrote:
>
> On Wed, 29 Mar 2023 18:53:30 +0400 Ivan Orlov <ivan.orlov0322@...il.com> wrote:
>
> > Syzkaller reported the following issue:
> >
> > ...
> >
> > The 'xas_store' call during page cache scanning can potentially
> > translate 'xas' into the error state (with the reproducer provided
> > by the syzkaller the error code is -ENOMEM). However, there are no
> > further checks after the 'xas_store', and the next call of 'xas_next'
> > at the start of the scanning cycle doesn't increase the xa_index,
> > and the issue occurs.
> >
> > This patch will add the xarray state error checking after the
> > 'xas_store' and the corresponding result error code.
> >
> > Tested via syzbot.
> >
> > Reported-by: syzbot+9578faa5475acb35fa50@...kaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?id=7d6bb3760e026ece7524500fe44fb024a0e959fc
> > Signed-off-by: Ivan Orlov <ivan.orlov0322@...il.com>
> > ---
> > mm/khugepaged.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/mm/khugepaged.c b/mm/khugepaged.c
> > index 92e6f56a932d..4d9850d9ea7f 100644
> > --- a/mm/khugepaged.c
> > +++ b/mm/khugepaged.c
> > @@ -55,6 +55,7 @@ enum scan_result {
> > SCAN_CGROUP_CHARGE_FAIL,
> > SCAN_TRUNCATED,
> > SCAN_PAGE_HAS_PRIVATE,
> > + SCAN_STORE_FAILED,
> > };
> >
> > #define CREATE_TRACE_POINTS
> > @@ -1840,6 +1841,15 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr,
> > goto xa_locked;
> > }
> > xas_store(&xas, hpage);
> > + if (xas_error(&xas)) {
> > + /* revert shmem_charge performed
> > + * in the previous condition
> > + */
> > + mapping->nrpages--;
> > + shmem_uncharge(mapping->host, 1);
> > + result = SCAN_STORE_FAILED;
> > + goto xa_locked;
> > + }
> > nr_none++;
> > continue;
> > }
>
> Needs this, I assume.
>
> --- a/include/trace/events/huge_memory.h~mm-khugepaged-fix-kernel-bug-in-hpage_collapse_scan_file-fix
> +++ a/include/trace/events/huge_memory.h
> @@ -36,7 +36,8 @@
> EM( SCAN_ALLOC_HUGE_PAGE_FAIL, "alloc_huge_page_failed") \
> EM( SCAN_CGROUP_CHARGE_FAIL, "ccgroup_charge_failed") \
> EM( SCAN_TRUNCATED, "truncated") \
> - EMe(SCAN_PAGE_HAS_PRIVATE, "page_has_private") \
> + EM( SCAN_PAGE_HAS_PRIVATE, "page_has_private") \
> + EMe(SCAN_STORE_FAILED, "store_failed")
I'm a little bit reluctant to make the error code list longer, can we
just return SCAN_FAIL? IIUC this issue should happen very rarely,
maybe not worth a new error code.
Basically the rollback approach makes sense to me. IIRC Zach was
looking into the same problem, loop him in. He may share some
thoughts.
>
> #undef EM
> #undef EMe
> _
>
>
Powered by blists - more mailing lists