| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Apr 2011 18:46:12 -0700 From: Hugh Dickins <hughd@...gle.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Robert Święcki <robert@...ecki.net>, Andrew Morton <akpm@...ux-foundation.org>, Miklos Szeredi <miklos@...redi.hu>, Michel Lespinasse <walken@...gle.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, linux-kernel@...r.kernel.org, linux-mm@...ck.org, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Rik van Riel <riel@...hat.com> Subject: Re: [PATCH] mm: fix possible cause of a page_mapped BUG On Fri, Apr 1, 2011 at 8:44 AM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Fri, Apr 1, 2011 at 7:34 AM, Robert Święcki <robert@...ecki.net> wrote: >> >> Hey, I'll apply your patch and check it out. In the meantime I >> triggered another Oops (NULL-ptr deref via sys_mprotect). >> >> The oops is here: >> >> http://alt.swiecki.net/linux_kernel/sys_mprotect-2.6.38.txt > > That's not a NULL pointer dereference. That's a BUG_ON(). > > And for some reason you've turned off the BUG_ON() messages, saving > some tiny amount of memory. > > Anyway, it looks like the first BUG_ON() in vma_prio_tree_add(), so it > would be this one: > > BUG_ON(RADIX_INDEX(vma) != RADIX_INDEX(old)); > > but it is possible that gcc has shuffled things around (so it _might_ > be the HEAP_INDEX() one). If you had CONFIG_DEBUG_BUGVERBOSE=y, you'd > get a filename and line number. One reason I hate -O2 in cases like > this is that the basic block movement makes it way harder to actually > debug things. I would suggest using -Os too (CONFIG_OPTIMIZE_FOR_SIZE > or whatever it's called). > > Anyway, I do find it worrying. The vma code shouldn't be this fragile. Hugh? > > I do wonder what triggers this. Is it a huge-page vma? We seem to be > lacking the check to see that mprotect() is on a hugepage boundary - > and that seems bogus. Or am I missing some check? The new transparent > hugepage support splits the page, but what if it's a _static_ hugepage > thing? > > But why would that affect the radix_index thing? I have no idea. I'd > like to blame the anon_vma rewrites last year, but I can't see why > that should matter either. Again, hugepages had some special rules, I > think (and that would explain why nobody normal sees this). > > Guys, please give this one a look. I do intend to look, but I think it makes more sense to wait until Robert has reproduced it (or something like it) with my debugging patch in. He's fuzzing, so no reason to get anxious about recent changes, it may have been lurking there for years. He did already report a vma_prio_tree_add() crash, which led me to send him the patch: so the issue seems to be reproducible, and the patch dumps out the vma_area_structs involved, which has some hope of telling us more. Down the years we've had about three earlier reports of crashes there: so rare we've tended to put them down to bad memory or slab corruption, but never had anything like a reproducible case to study until now. Hugh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists