lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20200403121947.sk5oif775op6mubk@box>
Date:   Fri, 3 Apr 2020 15:19:47 +0300
From:   "Kirill A. Shutemov" <kirill@...temov.name>
To:     Vlastimil Babka <vbabka@...e.cz>
Cc:     Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, Matthew Wilcox <willy@...radead.org>,
        John Hubbard <jhubbard@...dia.com>,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Petr Tesarik <ptesarik@...e.cz>
Subject: Re: [PATCH] mm, dump_page(): do not crash with invalid mapping
 pointer

On Thu, Apr 02, 2020 at 10:30:35AM +0200, Vlastimil Babka wrote:
> On 4/1/20 4:05 PM, Kirill A. Shutemov wrote:
> > On Tue, Mar 31, 2020 at 06:54:54PM +0200, Vlastimil Babka wrote:
> >> We have seen a following problem on a RPi4 with 1G RAM:
> >> 
> >> Besides the underlying issue with page->mapping containing a bogus value for
> >> some reason, we can see that __dump_page() crashed by trying to read the
> >> pointer at mapping->host, turning a recoverable warning into full Oops.
> >> 
> >> It can be expected that when page is reported as bad state for some reason, the
> >> pointers there should not be trusted blindly. So this patch treats all data in
> >> __dump_page() that depends on page->mapping as lava, using
> >> probe_kernel_read_strict(). Ideally this would include the dentry->d_parent
> >> recursively, but that would mean changing printk handler for %pd. Chances of
> >> reaching the dentry printing part with an initially bogus mapping pointer
> >> should be rather low, though.
> >> 
> >> Also prefix printing mapping->a_ops with a description of what is being
> >> printed.  In case the value is bogus, %ps will print raw value instead of
> >> the symbol name and then it's not obvious at all that it's printing a_ops.
> >> 
> >> Reported-by: Petr Tesarik <ptesarik@...e.cz>
> >> Signed-off-by: Vlastimil Babka <vbabka@...e.cz>
> >> ---
> >>  mm/debug.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++------
> >>  1 file changed, 50 insertions(+), 6 deletions(-)
> > 
> > I'm not sure it worth the effort. It looks way too complex for what it
> > does.
> 
> Well the human effort is done, and CPU cycles are cheap :P Complex is better
> than to crash, IMHO.
> 
> > I also expect it to slowdown dump_page(), which is hotpath for some debug
> > scenarios :P
> 
> It's still a debug code, better safe than fast :P

Crash fast, crash often :P

> > Maybe just move printing this info to the end, so we would see the rest
> > even if ->mapping is bogus?
> 
> Well the thing is designed to be recoverable. Just today "mm: improve
> dump_page() for compound pages" was merged that AFAICS prevents similar crashes
> when the compound_head() is bogus.

Okay, fair enough.

Acked-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>

-- 
 Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ