lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 14 Mar 2007 19:10:05 +0000
From:	mel@...net.ie (Mel Gorman)
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Bjorn Helgaas <bjorn.helgaas@...com>, linux-kernel@...r.kernel.org
Subject: [PATCH] Avoid unsafe use of struct pages in move_freepages when CONFIG_HOLES_IN_ZONE is set


In the majority of situations, mem_map is guaranteed to be valid within
a MAX_ORDER_NR_PAGES block of pages. However, when CONFIG_HOLES_IN_ZONE
is set, there is no guarantee that mem_map exists for the entire block.
This means that when checking struct pages around a known valid page, there
is no guarantee they are valid. 

move_freepages() operates on a MAX_ORDER_NR_PAGES range of pages based on
a known valid page retrieved from the free lists. However, a bug check is
unsafe when CONFIG_HOLES_IN_ZONE is set and pfn_valid() is called too late.

This patch disables the bug check when CONFIG_HOLES_IN_ZONE and checks
pfn_valid() earlier before calling PageBuddy(). It applies on top of
move-free-pages-between-lists-on-steal-fix-2.patch from Yasunori Goto in -mm.

Credit to Bjorn Helgaas for reporting this bug and testing.

Signed-off-by: Mel Gorman <mel@....ul.ie>

 page_alloc.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff -rup -X /usr/src/patchset-0.6/bin//dontdiff linux-2.6.21-rc3-mm2-goto/mm/page_alloc.c linux-2.6.21-rc3-mm2-zone_holes_ia64_fix/mm/page_alloc.c
--- linux-2.6.21-rc3-mm2-goto/mm/page_alloc.c	2007-03-14 16:07:23.000000000 +0000
+++ linux-2.6.21-rc3-mm2-zone_holes_ia64_fix/mm/page_alloc.c	2007-03-14 18:51:41.000000000 +0000
@@ -707,13 +707,18 @@ int move_freepages(struct zone *zone,
 	unsigned long order;
 	int blocks_moved = 0;
 
+#ifndef CONFIG_HOLES_IN_ZONE
+	/*
+	 * page_zone is not safe to call in this context when
+	 * CONFIG_HOLES_IN_ZONE is set. This bug check is probably redundant
+	 * anyway as we check zone boundaries in move_freepages_block().
+	 * Remove at a later date when no bug reports exist related to
+	 * CONFIG_PAGE_GROUP_BY_MOBILITY
+	 */
 	BUG_ON(page_zone(start_page) != page_zone(end_page - 1));
+#endif
 
 	for (page = start_page; page < end_page;) {
-		if (!PageBuddy(page)) {
-			page++;
-			continue;
-		}
 #ifdef CONFIG_HOLES_IN_ZONE
 		if (!pfn_valid(page_to_pfn(page))) {
 			page++;
@@ -721,6 +726,11 @@ int move_freepages(struct zone *zone,
 		}
 #endif
 
+		if (!PageBuddy(page)) {
+			page++;
+			continue;
+		}
+
 		order = page_order(page);
 		list_del(&page->lru);
 		list_add(&page->lru,
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ