lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20170222143517.GA18974@bbox>
Date:   Wed, 22 Feb 2017 23:35:17 +0900
From:   Minchan Kim <minchan@...nel.org>
To:     Michal Hocko <mhocko@...nel.org>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        linux-kernel@...r.kernel.org, kernel-team@....com,
        Matthew Wilcox <willy@...radead.org>, stable@...r.kernel.org
Subject: Re: [PATCH] mm: do not access page->mapping directly on page_endio

On Wed, Feb 22, 2017 at 01:11:00PM +0100, Michal Hocko wrote:
> On Wed 22-02-17 14:39:24, Minchan Kim wrote:
> > With rw_page, page_endio is used for completing IO on a page
> > and it propagates write error to the address space if the IO
> > fails. The problem is it accesses page->mapping directly which
> > might be okay for file-backed pages but it shouldn't for
> > anonymous page. Otherwise, it can corrupt one of field from
> > anon_vma under us and system goes panic randomly.
> 
> I was about to say that anonymous pages shouldn't hit that path because
> the end_swap_bio_write doesn call page_endio. But then I've noticed that

No. For driver to support rw_page, every swap_writepage calls rw_page.

swap_writepage
  bdev_writepage
    ops->rw_page


> zram does call this function. On a closer look, though, it doesn't seem
> to call it with err != 0 so it cannot hit this path. So I am wondering
> whether this actually fixes anything. Why it has been marked for stable?

Look at other drivers to support rw_page, not zram, esp, brd.
They can be used for swap device and then can hit the case.

In fact, I encountered the BUG during zram development(i.e., it doesn't
land to upstream) and it was really hard to figure it out because it made
random crash, sometime mmap_sem lockdep, sometime other places where
places never related to zram/zsmalloc, sometime not reproducible.

When I consider how that bug is subtle and people do fast-swap test as brd,
it's worth to add stable mark, I think.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ