| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1270571019.1814.163.camel@barrios-desktop> Date: Wed, 07 Apr 2010 01:23:39 +0900 From: Minchan Kim <minchan.kim@...il.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Rik van Riel <riel@...hat.com>, KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>, Borislav Petkov <bp@...en8.de>, Andrew Morton <akpm@...ux-foundation.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Lee Schermerhorn <Lee.Schermerhorn@...com>, Nick Piggin <npiggin@...e.de>, Andrea Arcangeli <aarcange@...hat.com>, Hugh Dickins <hugh.dickins@...cali.co.uk> Subject: Re: Ugly rmap NULL ptr deref oopsie on hibernate (was Linux 2.6.34-rc3) Hi, Linus. On Tue, 2010-04-06 at 08:55 -0700, Linus Torvalds wrote: > > On Wed, 7 Apr 2010, Minchan Kim wrote: > > > > Let's see the unlink_anon_vmas. > > > > 1. list_for_each_entry_safe(avc,next, vma->anon_vma_chain, same_vma) > > 2. anon_vma_unlink > > 3. spin_lock(anon_vma->lock) <-- HERE LOCK. > > 4. list_del(anon_vma_chain->same_anon_vma); > > > > What if anon_vma is destroyed and reuse by SLAB_XXX_RCU for another > > anon_vma object between 2 and 3? > > I mean how to make sure 3) does lock valid anon_vma? > > > > I hope it is culprit. > > I don't think so. That isn't the racy case. We're working with a > anon_vma_chain, so the anonvma is all there. > But the anon_vma is using for another anon_vma. Nonetheless, anon_vma_unlink does list_del(anon_vma's same_anon_vma). I doubt it. > The racy case is when we look up an anonvma by the page, and the page gets > unmapped at the same time because somebody else is travelling over the LRU > list of the page itself, isn't it? Yes. but I thought page might travel with anon_vmas which have same_anon_vma deleted by race. > > I do wonder if "page_lock_anon_vma()" should check the whole > "page_mapped()" case _after_ taking the anon_vma lock. Because if the race > happens, we're following a anon_vma list that has nothing to do with that > page (it's stilla _valid_ list, since we locked the anon_vma, but will it > be ok?) So we always use it with (vma_address and page_check_address) to make sure validation of anon_vma. But I think it's not good design. I want to hold lock ahead checking of page_mapped but maybe performance issue? I am not sure. > > IOW, what is it that really keeps the anon_vma list reliable _and_ > relevant wrt the page? We know we may get a stale anon_vma, are we ok if > that anon_vma list doesn't actually have anything to do with the page any > more? > I think the first check in "page_address_in_vma()" protects us, but > whatever. > > However, that made me look at the PAGE_MIGRATION case. That seems to be > just broken. It's doing that page_anon_vma() + spin_lock without holding > any RCU locks, so there is no guarantee that anon_vma there is at all > valid. FYI, recently there is a patch about migration case. http://lkml.org/lkml/2010/4/2/145 > > Is that function always called with rcu_read_lock()? > > Linus -- Kind regards, Minchan Kim -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists