lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <875zaivm37.fsf@yhuang-dev.intel.com>
Date:   Mon, 20 Jul 2020 12:37:00 +0800
From:   "Huang\, Ying" <ying.huang@...el.com>
To:     Qian Cai <cai@....pw>
Cc:     Linux-MM <linux-mm@...ck.org>, LKML <linux-kernel@...r.kernel.org>,
        Minchan Kim <minchan@...nel.org>,
        Hugh Dickins <hughd@...gle.com>,
        "Andrew Morton" <akpm@...ux-foundation.org>
Subject: Re: linux-next: not-present page at swap_vma_readahead()

Qian Cai <cai@....pw> writes:

> On Mon, Jul 20, 2020 at 03:32:59AM +0000, Huang, Ying wrote:
>> Thanks!  Can you try the dbg patch attached?  That will print more debugging information when abnormal PTE pointer is detected.
>
> Here with both of your patches applied,
>
> [  183.627876][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
> [  183.633160][ T3959] i: 0, pte: 00000000aabe3209, faddr: 0
> [  183.638574][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
> [  183.643787][ T3959] i: 1, pte: 0000000006e61f24, faddr: 0
> [  183.649189][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
> [  183.654371][ T3959] i: 2, pte: 00000000ce16a68e, faddr: 0
> [  183.851372][ T3839] ra_info: 8, 3, 4, 0000000085efad17
> [  183.856550][ T3839] i: 0, pte: 0000000085efad17, faddr: 0
> [  183.862503][ T3839] ==================================================================
> [  183.870563][ T3839] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x840/0xd60
> [  183.878147][ T3839] Read of size 8 at addr ffff008919f1ffe8 by task trinity-c128/3839
> [  183.886001][ T3839] CPU: 9 PID: 3839 Comm: trinity-c128 Not tainted 5.8.0-rc5-next-20200717+ #2
> [  183.894710][ T3839] Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.11 06/18/2019
> [  183.905157][ T3839] Call trace:
> [  183.908314][ T3839]  dump_backtrace+0x0/0x398
> [  183.912680][ T3839]  show_stack+0x14/0x20
> [  183.916704][ T3839]  dump_stack+0x140/0x1c8
> [  183.920910][ T3839]  print_address_description.constprop.10+0x54/0x550
> [  183.927454][ T3839]  kasan_report+0x134/0x1b8
> [  183.931833][ T3839]  __asan_report_load8_noabort+0x2c/0x50
> [  183.937334][ T3839]  swapin_readahead+0x840/0xd60
> [  183.942049][ T3839]  do_swap_page+0xb1c/0x1a78
> [  183.946508][ T3839]  handle_mm_fault+0xfd0/0x2c50
> [  183.948789][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
> [  183.951229][ T3839]  do_page_fault+0x230/0x818
> [  183.956402][ T3754] i: 0, pte: 00000000d0b6ebd5, faddr: 0
> [  183.960896][ T3839]  do_translation_fault+0x90/0xb0
> [  183.966330][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [  183.971172][ T3839]  do_mem_abort+0x64/0x180
> [  183.971192][ T3839]  el0_sync_handler+0x2a0/0x410
> [  183.971207][ T3839]  el0_sync+0x140/0x180
> [  183.977984][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
> [  183.977997][ T3754] i: 1, pte: 00000000530a7b17, faddr: 0
> [  183.982278][ T3839] Allocated by task 3699:
> [  183.982296][ T3839]  kasan_save_stack+0x24/0x50
> [  183.982310][ T3839]  __kasan_kmalloc.isra.10+0xc4/0xe0
> [  183.987003][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [  183.987019][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
> [  183.991033][ T3839]  kasan_slab_alloc+0x14/0x20
> [  183.991048][ T3839]  slab_post_alloc_hook+0x58/0x5d0
> [  183.991064][ T3839]  kmem_cache_alloc+0x19c/0x448
> [  183.996185][ T3754] i: 2, pte: 00000000031f0751, faddr: 0
> [  183.996200][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [  184.001617][ T3839]  create_object+0x58/0x960
> [  184.001639][ T3839]  kmemleak_alloc+0x2c/0x38
> [  184.001657][ T3839]  slab_post_alloc_hook+0x78/0x5d0
> [  184.025674][ T3830] ra_info: 8, 3, 4, 00000000d77f2b57
> [  184.027442][ T3839]  kmem_cache_alloc+0x19c/0x448
> [  184.032002][ T3830] i: 0, pte: 0026 (3737) used g  184.047047][ T193][ T3839]  co T3932] i: 0, pt59417][ T3932] i: 1, pte: 00000000e38ee039, faddr: 0
> [  184.059424][ T3932] ra_info: 8, 3, 4, 000000004ae69ce9
> [  184.059431][ T3932] i: 2, pte: 0000000035544c25, faddr: 0
> [  184.062563][ T3830] ra_info: 8, 3, 4, 00000000d77f2b57
> [  184.067511][ T3839]  _do_fork+0x128/0x11f8
> [  184.072663][ T3830] i: 2, pte: 000000002f241b20, faddr: 0
> [  184.077369][ T3839]  __do_sys_clone+0xac/0xd8
> [  184.110993][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
> [  184.113421][ T3839]  __arm64_sys_clone+0xa0/0xf8

This appears to run on ARM64.  Can you help to try this on x86?  I'm
not familiar with ARM.

Best Regards,
Huang, Ying

> [  184.116524][ T3832] ra_info: 8, 3, 4, 00000000b572965a
> [  184.116534][ T3832] i: 0, pte: 00000000b572965a, faddr: 0
> [  184.116541][ T3832] ra_info: 8, 3, 4, 00000000b572965a
> [  184.116549][ T3832] i: 1, pte: 000000007c91cc64, faddr: 0
> [  184.116556][ T3832] ra_info: 8, 3, 4, 00000000b572965a
> [  184.116563][ T3832] i: 2, pte: 0000000024f944e4, faddr: 0
> [  184.118541][ T3997] i: 0, pte: 00000000d40684b7, faddr: 0
> [  184.118552][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
> [  184.123956][ T3839]  do_el0_svc+0x124/0x228
> [  184.123970][ T3839]  el0_sync_handler+0x260/0x410
> [  184.123988][ T3839]  el0_sync+0x140/0x180
> [  184.129119][ T3997] i: 1, pte: 0000000035d81ad0, faddr: 0
> [  184.134523][ T3839] The buggy address belongs to the object at ffff008919f1fd28
> [  184.134523][ T3839]  which belongs to the cache kmemleak_object of size 368
> [  184.134535][ T3839] The buggy address is located 336 bytes to the right of
> [  184.134535][ T3839]  368-byte region [ffff008919f1fd28, ffff008919f1fe98)
> [  184.134542][ T3839] The buggy address belongs to the page:
> [  184.139678][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
> [  184.142537][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
> [  184.142548][ T3814] i: 0, pte: 000000005be43c1f, faddr: 0
> [  184.142555][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
> [  184.142563][ T3814] i: 1, pte: 00000000f65153b4, faddr: 0
> [  184.142570][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
> [  184.142577][ T3814] i: 2, pte: 0000000057432c18, faddr: 0
> [  184.145074][ T3839] page:00000000ab369b24 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8999f1
> [  184.145085][ T3839] flags: 0x7ffff800000200(slab)
> [  184.145097][ T3839] raw: 007ffff800000200 ffffffe0222685c8 ffffffe022268848 ffff000000322480
> [  184.145107][ T3839] raw: 0000000000000000 00000000005b005b 00000001ffffffff 0000000000000000
> [  184.145117][ T3839] page dumped because: kasan: bad access detected
> [  184.150249][ T3997] i: 2, pte: 0000000073c2aff0, faddr: 0
> [  184.154339][ T3839] Memory state around the buggy address:
> [  184.154347][ T3839]  ffff008919f1fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  184.154353][ T3839]  ffff008919f1ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  184.154359][ T3839] >ffff008919f1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  184.154366][ T3839]                                                           ^
> [  184.171894][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
> [  184.173847][ T3839]  ffff008919f20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  184.178980][ T3831] i: 0, pte: 00000000cf472abe, faddr: 0
> [  184.184366][ T3839]  ffff008919f20080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  184.184370][ T3839] ==================================================================
> [  184.184374][ T3839] Disabling lock debugging due to kernel taint
> [  184.184407][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [  184.184415][ T3839] ra_info: 8, 3, 4, 0000000085efad17
> [  184.184420][ T3839] i: 1, pte: 00000000e75f3a33, faddr: 0
> [  184.184425][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [  184.184445][ T3839] ra_info: 8, 3, 4, 0000000085efad17
> [  184.189580][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
> [  184.194979][ T3839] i: 2, pte: 0000000076a382e8, faddr: 0
> [  184.194985][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [  184.211498][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
> [  184.216321][ T3831] i: 1, pte: 00000000d0a5b31e, faddr: 0
> [  184.220485][ T3749] i: 0, pte: 000000001c9e06b8, faddr: 0
> [  184.220499][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
> [  184.225255][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
> [  184.229226][ T3749] i: 1, pte: 000000003db42685, faddr: 0
> [  184.229238][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
> [  184.234658][ T3831] i: 2, pte: 000000002ff7eea4, faddr: 0
> [  184.248902][ T3749] i: 2, pte: 00000000f6f36e76, faddr: 0
> [  184.278122][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
> [  184.279536][ T3720] trinity-c9 (3720) used greatest stack depth: 19440 bytes left
> [  184.283740][ T3946] i: 0, pte: 0000000084aa2721, faddr: 0
> [  184.283746][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
> [  184.283751][ T3946] i: 1, pte: 00000000baf34b7a, faddr: 0
> [  184.283757][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
> [  184.283762][ T3946] i: 2, pte: 0000000097da2f82, faddr: 0
> [  184.311719][ T3789] ra_info: 8, 3, 4, 00000000642615f8
> [  184.346297][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
> [  184.348700][ T3789] i: 0, pte: 00000000642615f8, faddr: 0
> [  184.357498][ T3846] i: 0, pte: 00000000bfc701b4, faddr: 0
> [  184.362168][ T3789] ra_info: 8, 3, 4, 00000000642615f8
> [  184.370076][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
> [  184.377998][ T3789] i: 1, pte: 000000002e399dd1, faddr: 0
> [  184.378008][ T3789] ra_info: 8, 3, 4, 00000000642615f8
> [  184.385317][ T3846] i: 1, pte: 000000002f17c4d4, faddr: 0
> [  184.385324][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
> [  184.390452][ T3789] i: 2, pte: 000000006b9fd0f4, faddr: 0
> [  184.398368][ T3846] i: 2, pte: 00000000b6695126, faddr: 0
>
>> 
>> > From b6cad43ad3cf63d73e539e3eaadd4ec9d2744dc6 Mon Sep 17 00:00:00 2001
>> > From: Huang Ying <ying.huang@...el.com>
>> > Date: Fri, 10 Jul 2020 17:27:45 +0800
>> > Subject: [PATCH] dbg: Fix a logic hole in swap_ra_info()
>> >
>> > ---
>> >  mm/swap_state.c | 5 ++---
>> >  1 file changed, 2 insertions(+), 3 deletions(-)
>> >
>> > diff --git a/mm/swap_state.c b/mm/swap_state.c
>> > index 05889e8e3c97..8481c15829b2 100644
>> > --- a/mm/swap_state.c
>> > +++ b/mm/swap_state.c
>> > @@ -669,12 +669,11 @@ static void swap_ra_info(struct vm_fault *vmf,
>> >       pte_t *tpte;
>> >  #endif
>> >
>> > +     ra_info->win = 1;
>> >       max_win = 1 << min_t(unsigned int, READ_ONCE(page_cluster),
>> >                            SWAP_RA_ORDER_CEILING);
>> > -     if (max_win == 1) {
>> > -             ra_info->win = 1;
>> > +     if (max_win == 1)
>> >               return;
>> > -     }
>> >
>> >       faddr = vmf->address;
>> >       orig_pte = pte = pte_offset_map(vmf->pmd, faddr);
>> > --
>> > 2.27.0
>> >
>> 
>
>> From 3ca7a9ba58541d8692d3f83cbded2ad17be23359 Mon Sep 17 00:00:00 2001
>> From: Huang Ying <ying.huang@...el.com>
>> Date: Mon, 20 Jul 2020 11:29:38 +0800
>> Subject: [PATCH] dbg: dump upon abnormal pte values
>> 
>> ---
>>  mm/swap_state.c | 11 +++++++++++
>>  1 file changed, 11 insertions(+)
>> 
>> diff --git a/mm/swap_state.c b/mm/swap_state.c
>> index 05889e8e3c97..c1973136d035 100644
>> --- a/mm/swap_state.c
>> +++ b/mm/swap_state.c
>> @@ -756,6 +756,17 @@ static struct page *swap_vma_readahead(swp_entry_t fentry, gfp_t gfp_mask,
>>  	blk_start_plug(&plug);
>>  	for (i = 0, pte = ra_info.ptes; i < ra_info.nr_pte;
>>  	     i++, pte++) {
>> +		pte_t *tpte = pte_offset_map(vmf->pmd, vmf->address);
>> +
>> +		if (((unsigned long)pte >> PAGE_SHIFT) !=
>> +		    ((unsigned long)tpte >> PAGE_SHIFT)) {
>> +			pr_info("ra_info: %d, %d, %d, %p\n",
>> +				ra_info.win, ra_info.offset, ra_info.nr_pte,
>> +				ra_info.ptes);
>> +			pr_info("i: %d, pte: %p, faddr: %lx\n", i, pte,
>> +				vmf->address);
>> +		}
>> +		pte_unmap(tpte);
>>  		pentry = *pte;
>>  		if (pte_none(pentry))
>>  			continue;
>> -- 
>> 2.27.0
>> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ