lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 28 Jan 2014 15:29:56 -0800
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Dave Hansen <dave@...1.net>
Cc:	linux-mm@...ck.org, linux-kernel@...r.kernel.org,
	cl@...ux-foundation.org, penberg@...nel.org, mpm@...enic.com,
	pshelar@...ira.com
Subject: Re: [PATCH] mm: slub: fix page->_count corruption (again)

On Tue, 28 Jan 2014 15:17:22 -0800 Dave Hansen <dave@...1.net> wrote:

> Commit abca7c496 notes that we can not _set_ a page->counters
> directly, except when using a real double-cmpxchg.  Doing so can
> lose updates to ->_count.
> 
> That an absolute rule:
> 
>         You may not *set* page->counters except via a cmpxchg.
> 
> Commit abca7c496 fixed this for the folks who have the slub
> cmpxchg_double code turned off at compile time, but it left the
> bad alone.  It can still be reached, and the same bug triggered
> in two cases:
> 1. Turning on slub debugging at runtime, which is available on
>    the distro kernels that I looked at.
> 2. On 64-bit CPUs with no CMPXCHG16B (some early AMD x86-64
>    cpus, evidently)
> 
> There are at least 3 ways we could fix this:
> 
> 1. Take all of the exising calls to cmpxchg_double_slab() and
>    __cmpxchg_double_slab() and convert them to take an old, new
>    and target 'struct page'.
> 2. Do (1), but with the newly-introduced 'slub_data'.
> 3. Do some magic inside the two cmpxchg...slab() functions to
>    pull the counters out of new_counters and only set those
>    fields in page->{inuse,frozen,objects}.

This code is borderline insane.

Yes, struct page is special and it's worth spending time and doing
weird things to optimise it.  But sheesh.

An alternative is to make that cmpxchg quietly go away.  Is it more
trouble than it is worth?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ