lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1430896099-18017-1-git-send-email-zhuhui@xiaomi.com>
Date:	Wed, 6 May 2015 15:08:19 +0800
From:	Hui Zhu <zhuhui@...omi.com>
To:	<akpm@...ux-foundation.org>, <vbabka@...e.cz>,
	<iamjoonsoo.kim@....com>, <lauraa@...eaurora.org>,
	<linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>
CC:	<teawater@...il.com>, Hui Zhu <zhuhui@...omi.com>
Subject: [PATCH v3] CMA: page_isolation: check buddy before access it

Changelog:
v3, Change the behavior according to the review of Joonsoo.
v2, Change pfn_present to pfn_valid_within according to the review of Laura.

I got a issue:
[  214.294917] Unable to handle kernel NULL pointer dereference at virtual address 0000082a
[  214.303013] pgd = cc970000
[  214.305721] [0000082a] *pgd=00000000
[  214.309316] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[  214.335704] PC is at get_pageblock_flags_group+0x5c/0xb0
[  214.341030] LR is at unset_migratetype_isolate+0x148/0x1b0
[  214.346523] pc : [<c00cc9a0>]    lr : [<c0109874>]    psr: 80000093
[  214.346523] sp : c7029d00  ip : 00000105  fp : c7029d1c
[  214.358005] r10: 00000001  r9 : 0000000a  r8 : 00000004
[  214.363231] r7 : 60000013  r6 : 000000a4  r5 : c0a357e4  r4 : 00000000
[  214.369761] r3 : 00000826  r2 : 00000002  r1 : 00000000  r0 : 0000003f
[  214.376291] Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  214.383516] Control: 10c5387d  Table: 2cb7006a  DAC: 00000015
[  214.949720] Backtrace:
[  214.952192] [<c00cc944>] (get_pageblock_flags_group+0x0/0xb0) from [<c0109874>] (unset_migratetype_isolate+0x148/0x1b0)
[  214.962978]  r7:60000013 r6:c0a357c0 r5:c0a357e4 r4:c1555000
[  214.968693] [<c010972c>] (unset_migratetype_isolate+0x0/0x1b0) from [<c0109adc>] (undo_isolate_page_range+0xd0/0xdc)
[  214.979222] [<c0109a0c>] (undo_isolate_page_range+0x0/0xdc) from [<c00d097c>] (__alloc_contig_range+0x254/0x34c)
[  214.989398]  r9:000abc00 r8:c7028000 r7:000b1f53 r6:000b3e00 r5:00000005
r4:c7029db4
[  214.997308] [<c00d0728>] (__alloc_contig_range+0x0/0x34c) from [<c00d0a88>] (alloc_contig_range+0x14/0x18)
[  215.006973] [<c00d0a74>] (alloc_contig_range+0x0/0x18) from [<c0398148>] (dma_alloc_from_contiguous_addr+0x1ac/0x304)

This issue is because when call unset_migratetype_isolate to unset a part
of CMA memory, it try to access the buddy page to get its status:
		if (order >= pageblock_order) {
			page_idx = page_to_pfn(page) & ((1 << MAX_ORDER) - 1);
			buddy_idx = __find_buddy_index(page_idx, order);
			buddy = page + (buddy_idx - page_idx);

			if (!is_migrate_isolate_page(buddy)) {
But the begin addr of this part of CMA memory is very close to a part of
memory that is reserved in the boot time (not in buddy system).
So add a check before access it.

Suggested-by: Laura Abbott <labbott@...hat.com>
Suggested-by: Joonsoo Kim <iamjoonsoo.kim@....com>
Signed-off-by: Hui Zhu <zhuhui@...omi.com>
---
 mm/page_isolation.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/page_isolation.c b/mm/page_isolation.c
index 755a42c..4a5624c 100644
--- a/mm/page_isolation.c
+++ b/mm/page_isolation.c
@@ -101,7 +101,8 @@ void unset_migratetype_isolate(struct page *page, unsigned migratetype)
 			buddy_idx = __find_buddy_index(page_idx, order);
 			buddy = page + (buddy_idx - page_idx);
 
-			if (!is_migrate_isolate_page(buddy)) {
+			if (pfn_valid_within(page_to_pfn(buddy))
+			    && !is_migrate_isolate_page(buddy)) {
 				__isolate_free_page(page, order);
 				kernel_map_pages(page, (1 << order), 1);
 				set_page_refcounted(page);
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ