| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Oct 2019 16:28:56 +0000
From: Ajay Kaher <akaher@...are.com>
To: Vlastimil Babka <vbabka@...e.cz>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
CC: "torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
"punit.agrawal@....com" <punit.agrawal@....com>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
"willy@...radead.org" <willy@...radead.org>,
"will.deacon@....com" <will.deacon@....com>,
"mszeredi@...hat.com" <mszeredi@...hat.com>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Srivatsa Bhat <srivatsab@...are.com>,
"srivatsa@...il.mit.edu" <srivatsa@...il.mit.edu>,
Alexey Makhalov <amakhalov@...are.com>,
Srinidhi Rao <srinidhir@...are.com>,
Vikash Bansal <bvikas@...are.com>,
Anish Swaminathan <anishs@...are.com>,
Vasavi Sirnapalli <vsirnapalli@...are.com>,
Steven Rostedt <srostedt@...are.com>,
"stable@...nel.org" <stable@...nel.org>,
Ben Hutchings <ben@...adent.org.uk>
Subject: Re: [PATCH v2 6/8] mm: prevent get_user_pages() from overflowing page
refcount
On 09/10/19, 6:43 PM, "Vlastimil Babka" <vbabka@...e.cz> wrote:
>> Reported-by: Jann Horn <jannh@...gle.com>
>> Acked-by: Matthew Wilcox <willy@...radead.org>
>> Cc: stable@...nel.org
>> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
>> [ 4.4.y backport notes:
>> Ajay: Added local variable 'err' with-in follow_hugetlb_page()
>> from 2be7cfed995e, to resolve compilation error
>> Srivatsa: Replaced call to get_page_foll() with try_get_page_foll() ]
>> Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@...il.mit.edu>
>> Signed-off-by: Ajay Kaher <akaher@...are.com>
>> ---
>> mm/gup.c | 43 ++++++++++++++++++++++++++++++++-----------
>> mm/hugetlb.c | 16 +++++++++++++++-
>> 2 files changed, 47 insertions(+), 12 deletions(-)
>
> This seems to have the same issue as the 4.9 stable version [1], in not
> touching the arch-specific gup.c variants.
>
> [1]
> https://lore.kernel.org/lkml/6650323f-dbc9-f069-000b-f6b0f941a065@suse.cz/
Thanks Vlastimil for highlighting this here.
Yes, arch-specific gup.c variants also need to handle not only for 4.4.y,
however it should be handled till 4.19.y. I believe it's better to start
from 4.19.y and then backport those changes till 4.4.y.
Affected areas of gup.c (where page->count have been used) are:
#1: get_page() used in these files and this is safe as
it's defined in mm.h (here it's already taken care of)
#2: get_head_page_multiple() has following:
VM_BUG_ON_PAGE(page_count(page) == 0, page);
Need to change this to:
VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(page), page);
#3: Some of the files have used page_cache_get_speculative(),
page_cache_add_speculative() with combination of compound_head(),
this scenario needs to be handled as it was handled here:
https://lore.kernel.org/stable/1570581863-12090-7-git-send-email-akaher@vmware.com/
Please share with me any suggestions or patches if you have already
worked on this.
Could we handle arch-specific gup.c in different patch sets and
let these patches to merge to 4.4.y?
- Ajay
Powered by blists - more mailing lists