| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 May 2020 11:11:18 -0700
From: Mike Kravetz <mike.kravetz@...cle.com>
To: Miklos Szeredi <miklos@...redi.hu>
Cc: syzbot <syzbot+d6ec23007e951dadf3de@...kaller.appspotmail.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, Miklos Szeredi <mszeredi@...hat.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Al Viro <viro@...iv.linux.org.uk>
Subject: Re: kernel BUG at mm/hugetlb.c:LINE!
On 5/12/20 8:04 AM, Miklos Szeredi wrote:
> On Tue, Apr 7, 2020 at 12:06 AM Mike Kravetz <mike.kravetz@...cle.com> wrote:
>> On 4/5/20 8:06 PM, syzbot wrote:
>>
>> The routine is_file_hugepages() is just comparing the file ops to huegtlbfs:
>>
>> if (file->f_op == &hugetlbfs_file_operations)
>> return true;
>>
>> Since the file is in an overlayfs, file->f_op == ovl_file_operations.
>> Therefore, length will not be rounded up to huge page size and we create a
>> mapping with incorrect size which leads to the BUG.
>>
>> Because of the code in mmap, the hugetlbfs mmap() routine assumes length is
>> rounded to a huge page size. I can easily add a check to hugetlbfs mmap
>> to validate length and return -EINVAL. However, I think we really want to
>> do the 'round up' earlier in mmap. This is because the man page says:
>>
>> Huge page (Huge TLB) mappings
>> For mappings that employ huge pages, the requirements for the arguments
>> of mmap() and munmap() differ somewhat from the requirements for map‐
>> pings that use the native system page size.
>>
>> For mmap(), offset must be a multiple of the underlying huge page size.
>> The system automatically aligns length to be a multiple of the underly‐
>> ing huge page size.
>>
>> Since the location for the mapping is chosen BEFORE getting to the hugetlbfs
>> mmap routine, we can not wait until then to round up the length. Is there a
>> defined way to go from a struct file * to the underlying filesystem so we
>> can continue to do the 'round up' in early mmap code?
>
> That's easy enough:
>
> static inline struct file *real_file(struct file *file)
> {
> return file->f_op != ovl_file_operations ? file : file->private_data;
> }
>
> But adding more filesystem specific code to generic code does not
> sound like the cleanest way to solve this...
We can incorporate the above 'real_file' functionality in the filesystem
specific routine is_file_hugepages(), and I think that would address this
specific issue. I'll code that up.
>> One other thing I noticed with overlayfs is that it does not contain a
>> specific get_unmapped_area file_operations routine. I would expect it to at
>> least check for and use the get_unmapped_area of the underlying filesystem?
>> Can someone comment if this is by design?
>
> Not sure. What exactly is f_op->get_unmapped_area supposed to do?
>
IIUC, filesystems can define their own routines to get addresses for mmap
operations. Quite a few filesystems define get_unmapped_area.
The generic mmap code does the following,
get_area = current->mm->get_unmapped_area;
if (file) {
if (file->f_op->get_unmapped_area)
get_area = file->f_op->get_unmapped_area;
} else if (flags & MAP_SHARED) {
/*
* mmap_region() will call shmem_zero_setup() to create a file,
* so use shmem's get_unmapped_area in case it can be huge.
* do_mmap_pgoff() will clear pgoff, so match alignment.
*/
pgoff = 0;
get_area = shmem_get_unmapped_area;
}
addr = get_area(file, addr, len, pgoff, flags);
If the filesystem provides a get_unmapped_area, it will use it. I beleive
overlayfs prevents this from happening for the underlying filesystem.
Perhaps we do need to add something like a call 'real_file' to this generic
code? I can't think of any other way to get to the underlying filesystem
get_unmapped_area here.
--
Mike Kravetz
Powered by blists - more mailing lists