Date:   Thu, 14 Mar 2019 06:27:55 +0000
From:   Naoya Horiguchi <n-horiguchi@...jp.nec.com>
To:     zhong jiang <zhongjiang@...wei.com>
CC:     Minchan Kim <minchan@...nel.org>, Michal Hocko <mhocko@...nel.org>,
        Vlastimil Babka <vbabka@...e.cz>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [Qestion] Hit a WARN_ON_ONCE in try_to_unmap_one when runing
 syzkaller

Hi,

On Wed, Mar 13, 2019 at 12:03:20AM +0800, zhong jiang wrote:
...
> 
> Minchan has changed the condition check from BUG_ON to WARN_ON_ONCE in try_to_unmap_one.
> However, it is still an abnormal condition when PageSwapBacked is not equal to PageSwapCache.
> 
> But is there any case where it will meet the condition in the mainline?
> 
> It is assumed that PageSwapBacked(page) is true in the anonymous page. This is to say, PageSwapCache
> is false. However, that is impossible because we will update the pte for hwpoison entry.
> 
> Because the page is locked, its page flags should not be changed except for PageSwapBacked

try_to_unmap_one() from hwpoison_user_mappings() could reach the
WARN_ON_ONCE() only if TTU_IGNORE_HWPOISON is set, because PageHWPoison()
is set at the beginning of memory_failure().

Clearing TTU_IGNORE_HWPOISON might happen on the following two paths:

  static bool hwpoison_user_mappings(struct page *p, unsigned long pfn,
                                    int flags, struct page **hpagep)
  {
      ...
  
      if (PageSwapCache(p)) {
              pr_err("Memory failure: %#lx: keeping poisoned page in swap cache\n",
                      pfn);
              ttu |= TTU_IGNORE_HWPOISON;
      }
      ...

      mapping = page_mapping(hpage);
      if (!(flags & MF_MUST_KILL) && !PageDirty(hpage) && mapping &&
          mapping_cap_writeback_dirty(mapping)) {
              if (page_mkclean(hpage)) {
                      SetPageDirty(hpage);
              } else {
                      kill = 0;
                      ttu |= TTU_IGNORE_HWPOISON;
                      pr_info("Memory failure: %#lx: corrupted page was clean: dropped without side effects\n",
                              pfn);
              }
      }
      ...

      unmap_success = try_to_unmap(hpage, ttu);
      ...

So either of the above "ttu |= TTU_IGNORE_HWPOISON" should be executed.
I'm not sure which one, but both paths show printk messages, so if you
could get the kernel message log, that might help ...

Thanks,
Naoya Horiguchi
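
Added example, not part of the original message and not kernel code: a small log triage helper that looks for the two printk messages quoted in the excerpt above and reports which of them preceded the try_to_unmap_one warning. The function name, the sample log, and the assumption that the warning line names try_to_unmap_one are all constructed for illustration.

```python
import re

# Messages printed beside each "ttu |= TTU_IGNORE_HWPOISON" in the excerpt
# above; %#lx renders the pfn as 0x-prefixed hex.
PATHS = {
    "swap_cache": "keeping poisoned page in swap cache",
    "clean_page": "corrupted page was clean: dropped without side effects",
}
MSG = re.compile(r"Memory failure: (0x[0-9a-f]+): (.+?)\s*$")
# Assumption: the WARN_ON_ONCE splat names try_to_unmap_one on its WARNING line.
WARN = re.compile(r"WARNING:.*\btry_to_unmap_one\b")


def triage(log_text):
    """Map each pfn to the flag-setting paths logged for it, and report
    which pfn/paths immediately preceded the try_to_unmap_one warning."""
    seen = {}        # pfn -> list of path names, in log order
    last_pfn = None  # pfn of the most recent matching message
    warn = None      # (pfn, paths) captured when the warning appears
    for line in log_text.splitlines():
        m = MSG.search(line)
        if m:
            pfn, text = m.groups()
            for name, needle in PATHS.items():
                if text == needle:
                    seen.setdefault(pfn, []).append(name)
                    last_pfn = pfn
        elif WARN.search(line) and warn is None:  # WARN_ON_ONCE fires once
            warn = (last_pfn, list(seen.get(last_pfn, [])))
    return {"paths_by_pfn": seen, "warn": warn}


# Constructed sample log (not from the thread); pfns, PID and offsets are made up.
SAMPLE = """\
[  101.000001] Memory failure: 0x1a2b3: corrupted page was clean: dropped without side effects
[  101.000050] WARNING: CPU: 0 PID: 4242 at mm/rmap.c:1 try_to_unmap_one+0x0/0x0
[  205.500000] Memory failure: 0x4c5d6: keeping poisoned page in swap cache
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Other "Memory failure:" lines are ignored, and a warning with no preceding message is reported with a pfn of None and an empty path list.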
