lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a5ebb5eb-ccda-eb74-422c-cddea792894f@suse.cz>
Date:   Thu, 2 Apr 2020 10:30:35 +0200
From:   Vlastimil Babka <vbabka@...e.cz>
To:     "Kirill A. Shutemov" <kirill@...temov.name>
Cc:     Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, Matthew Wilcox <willy@...radead.org>,
        John Hubbard <jhubbard@...dia.com>,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Petr Tesarik <ptesarik@...e.cz>
Subject: Re: [PATCH] mm, dump_page(): do not crash with invalid mapping
 pointer

On 4/1/20 4:05 PM, Kirill A. Shutemov wrote:
> On Tue, Mar 31, 2020 at 06:54:54PM +0200, Vlastimil Babka wrote:
>> We have seen a following problem on a RPi4 with 1G RAM:
>> 
>> Besides the underlying issue with page->mapping containing a bogus value for
>> some reason, we can see that __dump_page() crashed by trying to read the
>> pointer at mapping->host, turning a recoverable warning into full Oops.
>> 
>> It can be expected that when page is reported as bad state for some reason, the
>> pointers there should not be trusted blindly. So this patch treats all data in
>> __dump_page() that depends on page->mapping as lava, using
>> probe_kernel_read_strict(). Ideally this would include the dentry->d_parent
>> recursively, but that would mean changing printk handler for %pd. Chances of
>> reaching the dentry printing part with an initially bogus mapping pointer
>> should be rather low, though.
>> 
>> Also prefix printing mapping->a_ops with a description of what is being
>> printed.  In case the value is bogus, %ps will print raw value instead of
>> the symbol name and then it's not obvious at all that it's printing a_ops.
>> 
>> Reported-by: Petr Tesarik <ptesarik@...e.cz>
>> Signed-off-by: Vlastimil Babka <vbabka@...e.cz>
>> ---
>>  mm/debug.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++------
>>  1 file changed, 50 insertions(+), 6 deletions(-)
> 
> I'm not sure it worth the effort. It looks way too complex for what it
> does.

Well the human effort is done, and CPU cycles are cheap :P Complex is better
than to crash, IMHO.

> I also expect it to slowdown dump_page(), which is hotpath for some debug
> scenarios :P

It's still a debug code, better safe than fast :P

> Maybe just move printing this info to the end, so we would see the rest
> even if ->mapping is bogus?

Well the thing is designed to be recoverable. Just today "mm: improve
dump_page() for compound pages" was merged that AFAICS prevents similar crashes
when the compound_head() is bogus.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ