lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 05 Mar 2008 08:45:08 -0800
From:	Jeremy Fitzhardinge <jeremy@...p.org>
To:	Ingo Molnar <mingo@...e.hu>
CC:	"H. Peter Anvin" <hpa@...or.com>, Andi Kleen <ak@...e.de>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: preempt bug in set_pmd_pfn?

Ingo Molnar wrote:
> * Jeremy Fitzhardinge <jeremy@...p.org> wrote:
>
>   
>> Ingo Molnar wrote:
>>     
>>> * Jeremy Fitzhardinge <jeremy@...p.org> wrote:
>>>
>>>   
>>>       
>>>> I think set_pmd_pfn, which is only called by __set_fixmap, might have a 
>>>> preempt bug in it.
>>>>     
>>>>         
>>> yes, and we had similar preemption bugs in the past. I guess most places 
>>> are either infrequent or have some natural atomicity anyway. Wanna send a 
>>> patch?
>>>       
>> Sure.  Should it just disable preemption, or take a lock?  It calls 
>> set_pte_at without holding any pte locks; that seems to be relatively 
>> common.  Is it OK when you're operating on init_mm?
>>     
>
> no, it's not OK to modify the kernel pagetable without locking - taking 
> the pgd_lock should do the trick. Could you send the stacktrace that 
> shows the place that is preemptible?
So far I've noticed two places:

1. __set_fixmap to set up the vdso compat mapping (set_pte_at and tlb 
flush):

BUG: using smp_processor_id() in preemptible [00000000] code: init/1
caller is paravirt_get_lazy_mode+0xe/0x1b
Pid: 1, comm: init Not tainted 2.6.25-rc3-x86-latest.git #196
 [<c022be65>] debug_smp_processor_id+0x99/0xb0
 [<c011aa88>] paravirt_get_lazy_mode+0xe/0x1b
 [<c0105092>] xen_set_pte_at+0x2e/0xc0
 [<c011d322>] __set_fixmap+0x14a/0x176
 [<c011e4bb>] arch_setup_additional_pages+0x83/0x11d
 [<c01934a3>] load_elf_binary+0xad8/0x113a
 [<c016d410>] ? vfs_read+0xef/0x106
 [<c01700dd>] search_binary_handler+0xb8/0x19f
 [<c01929cb>] ? load_elf_binary+0x0/0x113a
 [<c01703ab>] ? prepare_binprm+0xc3/0xcb
 [<c0192375>] load_script+0x179/0x18c
 [<c0159caf>] ? get_user_pages+0x31d/0x397
 [<c016fe47>] ? get_arg_page+0x2d/0x80
 [<c01700dd>] search_binary_handler+0xb8/0x19f
 [<c01921fc>] ? load_script+0x0/0x18c
 [<c0171302>] do_execve+0x121/0x16a
 [<c01067d9>] sys_execve+0x29/0x52
 [<c0108286>] syscall_call+0x7/0xb
 [<c017007b>] ? search_binary_handler+0x56/0x19f
 [<c010af2f>] ? kernel_execve+0x17/0x1c
 [<c010217f>] ? _stext+0x17/0x19
 [<c01021d6>] ? init_post+0x55/0xbb
 [<c01035e7>] ? xen_irq_disable+0x21/0x23
 [<c010828f>] ? syscall_exit+0x5/0x1d
 [<c0108ee7>] ? kernel_thread_helper+0x7/0x10
 =======================
BUG: using smp_processor_id() in preemptible [00000000] code: init/1
caller is xen_flush_tlb_single+0x11/0x89
Pid: 1, comm: init Not tainted 2.6.25-rc3-x86-latest.git #196
 [<c022be65>] debug_smp_processor_id+0x99/0xb0
 [<c0103c0b>] xen_flush_tlb_single+0x11/0x89
 [<c011d33f>] __set_fixmap+0x167/0x176
 [<c011e4bb>] arch_setup_additional_pages+0x83/0x11d
 [<c01934a3>] load_elf_binary+0xad8/0x113a
 [<c016d410>] ? vfs_read+0xef/0x106
 [<c01700dd>] search_binary_handler+0xb8/0x19f
 [<c01929cb>] ? load_elf_binary+0x0/0x113a
 [<c01703ab>] ? prepare_binprm+0xc3/0xcb
 [<c0192375>] load_script+0x179/0x18c
 [<c0159caf>] ? get_user_pages+0x31d/0x397
 [<c016fe47>] ? get_arg_page+0x2d/0x80
 [<c01700dd>] search_binary_handler+0xb8/0x19f
 [<c01921fc>] ? load_script+0x0/0x18c
 [<c0171302>] do_execve+0x121/0x16a
 [<c01067d9>] sys_execve+0x29/0x52
 [<c0108286>] syscall_call+0x7/0xb
 [<c017007b>] ? search_binary_handler+0x56/0x19f
 [<c010af2f>] ? kernel_execve+0x17/0x1c
 [<c010217f>] ? _stext+0x17/0x19
 [<c01021d6>] ? init_post+0x55/0xbb
 [<c01035e7>] ? xen_irq_disable+0x21/0x23
 [<c010828f>] ? syscall_exit+0x5/0x1d
 [<c0108ee7>] ? kernel_thread_helper+0x7/0x10
 =======================


2. and vmalloc:

BUG: using smp_processor_id() in preemptible [00000000] code: multipath.stati/1981
caller is paravirt_get_lazy_mode+0xe/0x1b
Pid: 1981, comm: multipath.stati Not tainted 2.6.25-rc3-x86-latest.git #196
 [<c022be65>] debug_smp_processor_id+0x99/0xb0
 [<c011aa88>] paravirt_get_lazy_mode+0xe/0x1b
 [<c0105092>] xen_set_pte_at+0x2e/0xc0
 [<c015f736>] map_vm_area+0x1fa/0x255
 [<c015fc83>] __vmalloc_area_node+0xdb/0xfa
 [<c015fceb>] __vmalloc_node+0x49/0x58
 [<c015fd26>] __vmalloc+0x10/0x12
 [<c015fdca>] vmalloc+0x19/0x1b
 [<c038d3b4>] dm_ctl_ioctl+0x155/0x248
 [<c038c56b>] ? list_versions+0x0/0x79
 [<c0103c00>] ? xen_flush_tlb_single+0x6/0x89
 [<c038d25f>] ? dm_ctl_ioctl+0x0/0x248
 [<c01767be>] vfs_ioctl+0x22/0x67
 [<c0176a54>] do_vfs_ioctl+0x251/0x268
 [<c015b45f>] ? remove_vma+0x34/0x3a
 [<c015bdc8>] ? do_munmap+0x17d/0x197
 [<c0176a97>] sys_ioctl+0x2c/0x45
 [<c0108286>] syscall_call+0x7/0xb
 =======================

    J
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ