Message-ID: <20190423102017.GO18914@techsingularity.net>
Date:   Tue, 23 Apr 2019 11:20:17 +0100
From:   Mel Gorman <mgorman@...hsingularity.net>
To:     Meelis Roos <mroos@...ux.ee>
Cc:     LKML <linux-kernel@...r.kernel.org>, linux-mm@...ck.org,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: 5.1-rc6: UBSAN: Undefined behaviour in mm/compaction.c:1167:30

On Mon, Apr 22, 2019 at 12:14:57PM +0300, Meelis Roos wrote:
> The warning UBSAN: Undefined behaviour in mm/compaction.c:1167:30 happened with 5.1-rc6 on UP 32-bit P4 PC with highmem.
> 
> [   95.135408] ================================================================================
> [   95.135478] UBSAN: Undefined behaviour in mm/compaction.c:1167:30
> [   95.135528] shift exponent 32 is too large for 32-bit type 'long unsigned int'
> [   95.135579] CPU: 0 PID: 13 Comm: kcompactd0 Not tainted 5.1.0-rc6 #71
> [   95.135626] Hardware name: MSI                              MS-6547                         /MS-6547                         , BIOS 07.00T
> [   95.135681] Call Trace:
> [   95.135742]  dump_stack+0x16/0x1e
> [   95.135791]  ubsan_epilogue+0xb/0x29
> [   95.135836]  __ubsan_handle_shift_out_of_bounds.cold.14+0x20/0x6a
> [   95.135887]  ? page_vma_mapped_walk+0x125/0x410
> [   95.135935]  ? page_counter_cancel+0x16/0x30
> [   95.135984]  compaction_alloc.cold.43+0x56/0xbc
> [   95.136033]  ? free_unref_page_commit.isra.95+0x7a/0x80
> [   95.136082]  migrate_pages+0x99/0x732
> [   95.136127]  ? isolate_migratepages_block+0x940/0x940
> [   95.136172]  ? __ClearPageMovable+0x10/0x10
> [   95.136217]  compact_zone+0x7e2/0xb70
> [   95.136262]  ? compaction_suitable+0x49/0x60
> [   95.136306]  kcompactd_do_work+0xdb/0x1d0
> [   95.136389]  ? __switch_to_asm+0x26/0x4c
> [   95.136470]  kcompactd+0x4f/0x110
> [   95.136550]  ? wait_woken+0x60/0x60
> [   95.136630]  kthread+0xe5/0x100
> [   95.136709]  ? kcompactd_do_work+0x1d0/0x1d0
> [   95.136789]  ? kthread_create_worker_on_cpu+0x20/0x20
> [   95.136870]  ret_from_fork+0x2e/0x38
> [   95.136949] ================================================================================
> 
> It is not reproducible at will - did not happen on 2 next reboots, so it probably originates
> from an earlier version.
> 

A fix for this is waiting in Andrew's tree
mm-compaction-fix-an-undefined-behaviour.patch . I expect it'll be merged
during the next merge window as the issue is not severe. Once merged,
it should be picked up for 5.1-stable.

Thanks.

---8<---
From: Qian Cai <cai@....pw>
Subject: mm/compaction.c: fix an undefined behaviour

In a low-memory situation, cc->fast_search_fail can keep increasing as it
is unable to find an available page to isolate in
fast_isolate_freepages().  As the result, it could trigger an error below,
so just compare with the maximum bits can be shifted first.

UBSAN: Undefined behaviour in mm/compaction.c:1160:30
shift exponent 64 is too large for 64-bit type 'unsigned long'
CPU: 131 PID: 1308 Comm: kcompactd1 Kdump: loaded Tainted: G
W    L    5.0.0+ #17
Call trace:
 dump_backtrace+0x0/0x450
 show_stack+0x20/0x2c
 dump_stack+0xc8/0x14c
 __ubsan_handle_shift_out_of_bounds+0x7e8/0x8c4
 compaction_alloc+0x2344/0x2484
 unmap_and_move+0xdc/0x1dbc
 migrate_pages+0x274/0x1310
 compact_zone+0x26ec/0x43bc
 kcompactd+0x15b8/0x1a24
 kthread+0x374/0x390
 ret_from_fork+0x10/0x18

Link: http://lkml.kernel.org/r/20190320203338.53367-1-cai@lca.pw
Fixes: 70b44595eafe ("mm, compaction: use free lists to quickly locate a migration source")
Signed-off-by: Qian Cai <cai@....pw>
Acked-by: Vlastimil Babka <vbabka@...e.cz>
Acked-by: Mel Gorman <mgorman@...hsingularity.net>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
---

 mm/compaction.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/mm/compaction.c~mm-compaction-fix-an-undefined-behaviour
+++ a/mm/compaction.c
@@ -1164,7 +1164,9 @@ static bool suitable_migration_target(st
 static inline unsigned int
 freelist_scan_limit(struct compact_control *cc)
 {
-	return (COMPACT_CLUSTER_MAX >> cc->fast_search_fail) + 1;
+	return (COMPACT_CLUSTER_MAX >>
+		min((unsigned short)(BITS_PER_LONG - 1), cc->fast_search_fail))
+		+ 1;
 }
 
 /*
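
Review bot: the clamp in freelist_scan_limit() relies on a bare cast, "min((unsigned short)(BITS_PER_LONG - 1), cc->fast_search_fail)", to satisfy min()'s type check. min_t(unsigned short, BITS_PER_LONG - 1, cc->fast_search_fail) expresses the same bound more readably. A short comment above the return stating that a shift count of BITS_PER_LONG or more is undefined would also record why the bound is there, since the function has no comment at all. Separately, this bounds only the shift and not the counter: the changelog says cc->fast_search_fail can keep increasing, and the cast suggests it is an unsigned short, so it is worth confirming whether the counter should saturate where it is incremented rather than being allowed to wrap back to a small value and raise the scan limit again.
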
_
