lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 9 Jul 2014 17:36:24 -0400
From:	Naoya Horiguchi <n-horiguchi@...jp.nec.com>
To:	"Kirill A. Shutemov" <kirill@...temov.name>
Cc:	linux-mm@...ck.org, Andrew Morton <akpm@...ux-foundation.org>,
	Dave Hansen <dave.hansen@...el.com>,
	Hugh Dickins <hughd@...gle.com>,
	Jerome Marchand <jmarchan@...hat.com>,
	linux-kernel@...r.kernel.org,
	Naoya Horiguchi <nao.horiguchi@...il.com>
Subject: Re: [PATCH v4 13/13] mincore: apply page table walker on do_mincore()

On Wed, Jul 09, 2014 at 04:34:36PM +0300, Kirill A. Shutemov wrote:
> On Tue, Jul 01, 2014 at 01:07:31PM -0400, Naoya Horiguchi wrote:
> > This patch makes do_mincore() use walk_page_vma(), which reduces many lines
> > of code by using common page table walk code.
> > 
> > ChangeLog v4:
> > - remove redundant vma
> > 
> > ChangeLog v3:
> > - add NULL vma check in mincore_unmapped_range()
> > - don't use pte_entry()
> > 
> > ChangeLog v2:
> > - change type of args of callbacks to void *
> > - move definition of mincore_walk to the start of the function to fix compiler
> >   warning
> > 
> > Signed-off-by: Naoya Horiguchi <n-horiguchi@...jp.nec.com>
> 
> Trinity crases this implementation of mincore pretty easily:
> 
> [   42.775369] BUG: unable to handle kernel paging request at ffff88007bb61000
> [   42.776656] IP: [<ffffffff81126f8f>] mincore_unmapped_range+0xdf/0x100

Thanks for your testing/reporting.

...
> 
> Looks like 'vec' overflow. I don't see what could prevent do_mincore() to
> write more than PAGE_SIZE to 'vec'.

I found the miscalculation of walk->private (vec) on thp and hugetlbfs.
I confirmed that the reported problem is fixed (I checked that trinity
never triggers the reported BUG) with the following changes on this patch.

diff --git a/mm/mincore.c b/mm/mincore.c
index 3c64dcbcb3e2..9eb10d867a6f 100644
--- a/mm/mincore.c
+++ b/mm/mincore.c
@@ -34,7 +34,7 @@ static int mincore_hugetlb(pte_t *pte, unsigned long hmask, unsigned long addr,
 	present = pte && !huge_pte_none(huge_ptep_get(pte));
 	for (; addr != end; vec++, addr += PAGE_SIZE)
 		*vec = present;
-	walk->private += (end - addr) >> PAGE_SHIFT;
+	walk->private = vec;
 #else
 	BUG();
 #endif
@@ -118,8 +118,10 @@ static int mincore_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
 		return 0;
 	}
 
-	if (pmd_trans_unstable(pmd))
+	if (pmd_trans_unstable(pmd)) {
+		walk->private += (end - addr) >> PAGE_SHIFT;
 		return 0;
+	}
 
 	ptep = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
 	for (; addr != end; ptep++, addr += PAGE_SIZE) {

Thanks,
Naoya Horiguchi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ