Message-ID: <2a1abf38-d321-e3c7-c3b1-53b6db6da310@intel.com>
Date:   Wed, 29 Apr 2020 09:07:13 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Claudio Imbrenda <imbrenda@...ux.ibm.com>,
        akpm@...ux-foundation.org, jack@...e.cz, kirill@...temov.name
Cc:     borntraeger@...ibm.com, david@...hat.com, aarcange@...hat.com,
        linux-mm@...ck.org, frankja@...ux.ibm.com, sfr@...b.auug.org.au,
        jhubbard@...dia.com, linux-kernel@...r.kernel.org,
        linux-s390@...r.kernel.org, peterz@...radead.org,
        sean.j.christopherson@...el.com
Subject: Re: [PATCH v1 1/1] fs/splice: add missing callback for inaccessible
 pages

On 4/28/20 3:50 PM, Claudio Imbrenda wrote:
> If a page is inaccessible and it is used for things like sendfile, then
> the content of the page is not always touched, and can be passed
> directly to a driver, causing issues.
> 
> This patch fixes the issue by adding a call to arch_make_page_accessible
> in page_cache_pipe_buf_confirm; this fixes the issue.

I spent about 5 minutes putting together a patch:

	https://sr71.net/~dave/intel/accessible.patch

It adds a page flag ("daccess") which starts out set.  It clears the
flag when the page is added to the page cache or mapped as anonymous.
These are presumably the two most likely kinds of pages to be
problematic.  It re-sets the flag when it hits the new hook for s390:
arch_make_page_accessible().

It then patches the DMA mapping API.  If a page gets to the DMA mapping
API without being accessible, it hits a tracepoint.

It goes boom shortly after hitting userspace underneath a sys_sendto().
That code uses lib/iov_iter.c which does get_user_pages_fast() and
apparently does not set FOLL_PIN, so never hits the s390 arch hooks.

I hacked out the FOLL_PIN check and just universally call the hook for
all gup_pte_range() calls.  I think you'll need to do that as well.  I
don't think the assumption about FOLL_PIN always preceding I/O is true
universally.  Hacking out FOLL_PIN quiets down the warning spew quite a
bit, but it still hits a few of them.

Here's one example:

 0)  sd-reso-410   |               |  /* mm_accessible_error: ...
      sd-resolve-410   [000] ....   212.918838: <stack trace>
 => trace_event_raw_event_mm_accessible_error
 => check_page_accessible
 => e1000_xmit_frame
 => dev_hard_start_xmit
 => sch_direct_xmit
 => __qdisc_run
 => __dev_queue_xmit
 => ip_finish_output2
 => ip_output
 => ip_send_skb
 => udp_send_skb.isra.59
 => udp_sendmsg
 => ____sys_sendmsg
 => ___sys_sendmsg
 => __sys_sendmmsg
 => __x64_sys_sendmmsg
 => do_syscall_64
 => entry_SYSCALL_64_after_hwframe

This is just from booting and sitting on an idle Ubuntu 16.04.6 system.
I think the process in question here is the systemd resolver.
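The instrumentation Dave describes above (a per-page flag that starts set, is cleared when the page enters the page cache or an anonymous mapping, is re-set only by arch_make_page_accessible(), and is checked when the page reaches the DMA mapping API) can be modelled in user space to see why the sendto() path trips it. The following is an added example, not the patch linked in the mail nor any kernel code; every name in it (page_model, FOLL_PIN_MODEL, dma_map_page_check, sendto_path, pinned_path) is an assumption chosen for the illustration, and the gup behaviour it models is exactly the one the mail reports: gup_pte_range() calls the hook only for FOLL_PIN, unless the check is hacked out.

```c
/* User-space model of the "daccess" page-flag check described in the mail.
 * Constructed for illustration; names are assumptions, not kernel APIs. */
#include <stdbool.h>
#include <stdio.h>

#define FOLL_PIN_MODEL 0x1   /* stand-in for the kernel's FOLL_PIN gup flag */

struct page_model {
    bool daccess;       /* accessibility flag: starts out set */
    bool hook_called;   /* whether arch_make_page_accessible() ran on it */
};

/* Number of pages that reached the (modelled) DMA mapping API while
 * inaccessible; the real patch fires a tracepoint here instead. */
static unsigned long dma_errors;

static void page_init(struct page_model *p)
{
    p->daccess = true;
    p->hook_called = false;
}

/* Entering the page cache or an anonymous mapping clears the flag. */
static void add_to_page_cache(struct page_model *p) { p->daccess = false; }
static void map_anonymous(struct page_model *p)     { p->daccess = false; }

/* The s390 hook is the only thing that re-sets the flag. */
static void arch_make_page_accessible(struct page_model *p)
{
    p->daccess = true;
    p->hook_called = true;
}

/* gup_pte_range(): the hook runs only for FOLL_PIN callers, unless the
 * FOLL_PIN check is hacked out ('universal'), as the mail suggests. */
static void gup_pte_range(struct page_model *p, unsigned gup_flags, bool universal)
{
    if (universal || (gup_flags & FOLL_PIN_MODEL))
        arch_make_page_accessible(p);
}

/* DMA mapping API check: 0 if the page is accessible, -1 otherwise. */
static int dma_map_page_check(struct page_model *p)
{
    if (!p->daccess) {
        dma_errors++;
        return -1;
    }
    return 0;
}

static unsigned long dma_error_count(void) { return dma_errors; }
static void dma_error_reset(void)          { dma_errors = 0; }

/* sendto() path: page-cache page, get_user_pages_fast() from iov_iter
 * without FOLL_PIN, then handed to a NIC driver for DMA. */
static int sendto_path(bool universal_hook)
{
    struct page_model p;
    page_init(&p);
    add_to_page_cache(&p);
    gup_pte_range(&p, 0, universal_hook);   /* no FOLL_PIN on this path */
    return dma_map_page_check(&p);
}

/* A caller that does pin the page (FOLL_PIN) before I/O: always hooked. */
static int pinned_path(void)
{
    struct page_model p;
    page_init(&p);
    map_anonymous(&p);
    gup_pte_range(&p, FOLL_PIN_MODEL, false);
    return dma_map_page_check(&p);
}

int main(void)
{
    dma_error_reset();
    printf("pinned gup before DMA:            %d\n", pinned_path());
    printf("sendto gup_fast, FOLL_PIN check:  %d\n", sendto_path(false));
    printf("sendto gup_fast, hook universal:  %d\n", sendto_path(true));
    printf("inaccessible pages reaching DMA:  %lu\n", dma_error_count());
    return 0;
}
```

Running the model shows the gap the mail reports: the FOLL_PIN-only hook leaves the sendto() path's page-cache page inaccessible at DMA time, while calling the hook for every gup_pte_range() clears the error.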
