| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LSU.2.00.1106030957090.1901@sister.anvils> Date: Fri, 3 Jun 2011 10:06:14 -0700 (PDT) From: Hugh Dickins <hughd@...gle.com> To: Andrea Arcangeli <aarcange@...hat.com> cc: Chris Wright <chrisw@...s-sol.org>, Andrea Righi <andrea@...terlinux.com>, CAI Qian <caiqian@...hat.com>, Rik van Riel <riel@...hat.com>, Mel Gorman <mel@....ul.ie>, KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>, linux-mm@...ck.org, linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [BUG 3.0.0-rc1] ksm: NULL pointer dereference in ksm_do_scan() On Thu, 2 Jun 2011, Andrea Arcangeli wrote: > On Thu, Jun 02, 2011 at 10:29:39AM -0700, Hugh Dickins wrote: > > AndreaA, I didn't study the patch you posted half an hour ago, > > since by that time I'd worked it out and was preparing patch below. > > I think your patch would be for a different bug, hopefully one we > > don't have, it looks more complicated than we should need for this. > > I didn't expect two different bugs leading to double free. There wasn't a double free there, just failure to cope with race emptying the list, so accessing head when expecting a full entry. > > If you've time please review my other patch too because mmput runs > with no mmap_sem hold and I think the ksm scan code runs under the > assumption that __ksm_exit is waiting in down_write() when > ksm_mmlist_lock is released (before freeing the mm_slot), and that > assumption is wrong. ksm_test_exit may very well be true despite > __ksm_exit didn't run yet, and ksm scan will proceed freeing after > changing the mm_slot and ksm_exit will be free to run and free again > immediately after the ksm scan releases the ksm_mmlist_lock and before > it clears the MMF_VM_MERGEABLE (because the mm_slot has been changed > before releasing the ksm_mmlist_lock). > > The rmap_list being null will kind of hide it, the fact there's so > little time between the unlock of the ksm_mmlist_lock and the clearing > of MMF_VM_MERGEABLE (that will stop ksm_exit from calling __ksm_exit > at all) will also hide it. At least in > unmerge_and_remove_all_rmap_items remove_trailing_rmap_items will nuke > the rmap_list just before this race runs so making it more likely > possible. You'll see from the "beware" comment in scan_get_next_rmap_item() that this case is expected, that it sometimes reaches freeing the slots before the exiting task reaches __ksm_exit(). That race should already be handled. I believe your patch is unnecessary, because get_mm_slot() is a hashlist lookup, and will return NULL once either end has done the hlist_del(&mm_slot->link). Hugh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists