lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1218713213.10673.17.camel@localhost>
Date:	Thu, 14 Aug 2008 21:26:53 +1000
From:	Michael Ellerman <michael@...erman.id.au>
To:	David Miller <davem@...emloft.net>
Cc:	linuxppc-dev@...abs.org, linux-kernel@...r.kernel.org
Subject: Re: bug in lmb_enforce_memory_limit()

On Thu, 2008-08-14 at 01:20 -0700, David Miller wrote:
> I just mentioned this to Ben H. on IRC and promised I would report it
> here. :-)
> 
> The first loop over lmb.memory in this function interprets the
> memory_limit as a raw size limit, and that's fine so far.
> 
> But the second loop over lmb.reserved interprets this value
> instead as an "address limit."
>
> I haven't cobbled together a fix myself, but probably the way to do
> this is, when we're about break out of the first loop over lmb.memory,
> walk through the now-trimmed memory blobs and trim those from
> lmb.reserved, one by one.

Perhaps after the first loop we should set memory_limit to equal
lmb_end_of_DRAM(), then the second loop should work as it is.

I think that actually makes memory_limit (the variable) more useful, and
avoids more code like we have in numa_enforce_memory_limit(), which
doesn't use memory_limit exactly because it isn't the value we're
actually interested in (because of holes).


> This bug got introduced by:
> 
>    commit 2babf5c2ec2f2d5de3e38d20f7df7fd815fd10c9
>    Author: Michael Ellerman <michael@...erman.id.au>
>    Date:   Wed May 17 18:00:46 2006 +1000
> 
>        [PATCH] powerpc: Unify mem= handling
> 
> back when LMB was still a powerpc local item. :-)

Guilty as charged. I have some tests for that code, but clearly not
enough - and it gets very little exercise otherwise.

> This led me to another bug which probably a lot of platforms are
> effected by.
> 
> If you do this command line memory limiting, and the kernel was placed
> by the boot loader into physical ram (say at the end of the available
> physical memory) that gets trimmed out by the command line option, we
> hang or crash right as we boot into userspace because freeing up
> initmem ends up freeing invalid page structs.
> 
> I think, on sparc64, instead of adding all kinds of complicated logic
> to free_initmem() I'm simply going to only poison the pages and
> not free them at all if cmdline_memory_size has been set.

Would it be that much extra logic to check that the address is less than
the limit? Especially if we changed memory_limit to incorporate holes.

cheers

-- 
Michael Ellerman
OzLabs, IBM Australia Development Lab

wwweb: http://michael.ellerman.id.au
phone: +61 2 6212 1183 (tie line 70 21183)

We do not inherit the earth from our ancestors,
we borrow it from our children. - S.M.A.R.T Person

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ