| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190423165811.36699-1-cai@lca.pw>
Date: Tue, 23 Apr 2019 12:58:11 -0400
From: Qian Cai <cai@....pw>
To: bp@...en8.de, tglx@...utronix.de, mingo@...hat.com
Cc: catalin.marinas@....com, dave.hansen@...ux.intel.com,
luto@...nel.org, peterz@...radead.org, x86@...nel.org,
linux-kernel@...r.kernel.org, brijesh.singh@....com,
Qian Cai <cai@....pw>
Subject: [PATCH] x86/mm: fix a crash with kmemleak_scan()
The first kmemleak_scan() after boot would trigger a crash below because
kernel_init
free_initmem
mem_encrypt_free_decrypted_mem
free_init_pages
unmapped some memory inside the .bss with DEBUG_PAGEALLOC=y. Since
kmemleak_init() will register the .data/.bss sections (only register
.data..ro_after_init if not within .data) and then kmemleak_scan() will
scan those address and dereference them looking for pointer referencing.
If free_init_pages() free and unmap pages in those sections,
kmemleak_scan() will trigger a crash if referencing one of those
addresses.
BUG: unable to handle kernel paging request at ffffffffbd402000
CPU: 12 PID: 325 Comm: kmemleak Not tainted 5.1.0-rc4+ #4
RIP: 0010:scan_block+0x58/0x160
Call Trace:
scan_gray_list+0x1d9/0x280
kmemleak_scan+0x485/0xad0
kmemleak_scan_thread+0x9f/0xc4
kthread+0x1d2/0x1f0
ret_from_fork+0x35/0x40
Since kmemleak_free_part() is tolerant to unknown objects (not tracked by
kmemleak), it is fine to call it from free_init_pages() even if not all
address ranges passed to this function are known to kmemleak.
Signed-off-by: Qian Cai <cai@....pw>
---
arch/x86/mm/init.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
index f905a2371080..8dacdb96899e 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -5,6 +5,7 @@
#include <linux/memblock.h>
#include <linux/swapfile.h>
#include <linux/swapops.h>
+#include <linux/kmemleak.h>
#include <asm/set_memory.h>
#include <asm/e820/api.h>
@@ -766,6 +767,11 @@ void free_init_pages(const char *what, unsigned long begin, unsigned long end)
if (debug_pagealloc_enabled()) {
pr_info("debug: unmapping init [mem %#010lx-%#010lx]\n",
begin, end - 1);
+ /*
+ * Inform kmemleak about the hole in the memory since the
+ * corresponding pages will be unmapped.
+ */
+ kmemleak_free_part((void *)begin, end - begin);
set_memory_np(begin, (end - begin) >> PAGE_SHIFT);
} else {
/*
--
2.20.1 (Apple Git-117)
Powered by blists - more mailing lists