Message-ID: <MWHPR18MB152034C6BAE8CC6D503DDEBEE3D09@MWHPR18MB1520.namprd18.prod.outlook.com>
Date:   Wed, 6 Jan 2021 16:17:41 +0000
From:   Bharat Bhushan <bbhushan2@...vell.com>
To:     "ankur.a.arora@...cle.com" <ankur.a.arora@...cle.com>,
        "alex.williamson@...hat.com" <alex.williamson@...hat.com>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "Sunil Kovvuri Goutham" <sgoutham@...vell.com>
Subject: vfio-pci: protect remap_pfn_range() from simultaneous calls 

Hi Ankur,

We are observing the below BUG_ON() with the latest kernel:

   [10011.321645] ------------[ cut here ]------------
   [10011.322262] kernel BUG at mm/memory.c:1816!
   [10011.323793] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
   [10011.326108] CPU: 2 PID: 1147 Comm: odp_l2fwd Not tainted 5.4.74-05938-gb9598e49fe61 #15
   [10011.328272] Hardware name: Marvell CN106XX board (DT)
   [10011.330328] pstate: 80400009 (Nzcv daif +PAN -UAO)
   [10011.332402] pc : remap_pfn_range+0x1a4/0x260
   [10011.334383] lr : remap_pfn_range+0x14c/0x260
   [10011.335911] sp : ffff8000156afc10
   [10011.337360] x29: ffff8000156afc10 x28: ffffffdffa240000 
   [10011.339671] x27: ffff00014a241000 x26: 0000002182000000 
   [10011.341984] x25: ffff0001489fbe00 x24: 0000002182040000  
   [10011.344279] x23: 0000002182040000 x22: 0068000000000fc3 
   [10011.346539] x21: 0000002182040000 x20: ffff000149d70860 
   [10011.348846] x19: 0000000000000041 x18: 0000000000000000 
   [10011.351064] x17: 0000000000000000 x16: 0000000000000000 
   [10011.353304] x15: 0000000000000000 x14: 0000000000000000 
   [10011.355519] x13: 0000000000000000 x12: 0000000000000000 
   [10011.357812] x11: 0000000000000000 x10: ffffffdfffe00000 
   [10011.360136] x9 : 0000000000000000 x8 : 0000000000000000 
   [10011.362414] x7 : 0000000000000000 x6 : 0000042182000000 
   [10011.364773] x5 : 0001000000000000 x4 : 0000000000000000 
   [10011.367103] x3 : ffffffe000328928 x2 : 016800017c240fc3 
   [10011.369462] x1 : 0000000000000000 x0 : ffffffe000328928 
   [10011.371694] Call trace:
   [10011.373510]  remap_pfn_range+0x1a4/0x260
   [10011.375386]  vfio_pci_mmap_fault+0x9c/0x114
   [10011.377346]  __do_fault+0x38/0x100
   [10011.379253]  __handle_mm_fault+0x81c/0xce4
   [10011.381247]  handle_mm_fault+0xb4/0x17c
   [10011.383220]  do_page_fault+0x110/0x430
   [10011.385188]  do_translation_fault+0x80/0x90
   [10011.387069]  do_mem_abort+0x3c/0xa0
   [10011.388852]  el0_da+0x20/0x24
   [10011.391239] Code: eb1a02ff 54000080 f9400362 b4fffe42 (d4210000) 
   [10011.393306] ---[ end trace ae8b75b32426d53c ]---
   [10011.395140] note: odp_l2fwd[1147] exited with preempt_count 2

This is observed after the patch "vfio-pci: Fault mmaps to enable vma tracking", where the actual mapping is delayed until page fault.
When the address of the same page is accessed at around the same time by multiple threads running on different cores, it causes a page fault for the same page on multiple cores at the same time. One of the fault handlers creates the mapping, while the second handler finds that the page-table mapping already exists, which leads to the above kernel BUG_ON().

The article https://lwn.net/Articles/828536/ suggests that you have already faced and fixed this issue:
       "- vfio-pci: protect remap_pfn_range() from simultaneous calls (Ankur  Arora) [Orabug: 31663628] {CVE-2020-12888} {CVE-2020-12888}"

But I do not see any patch submitted or under review upstream; hopefully I did not miss some discussion. Please let us know in case you have already submitted or are planning to submit a fix, or if someone else has fixed the same.

Thanks
-Bharat
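
The race described in the message above, as an added userspace model (not part of the original post and not kernel or vfio-pci code): a toy page table in which mapping an already-populated entry stands in for the BUG_ON() condition, with a lock-and-recheck fault handler as one generic way to serialize the callers. All names (`pte`, `remap_model`, `fault_serialized`, `map_lock`) and the PFN value are hypothetical, and the model does not claim to be the fix referenced in the LWN entry.

```c
#include <pthread.h>
#include <stdint.h>
#include <string.h>

#define NTHREADS 8
#define PFN 0x1234u              /* constructed sample value */
static uint64_t pte[4];          /* toy page table, 0 = no mapping */
static int bug_hits;             /* times a populated entry was remapped */
static pthread_mutex_t map_lock = PTHREAD_MUTEX_INITIALIZER;
static void reset(void) { memset(pte, 0, sizeof(pte)); bug_hits = 0; }

/* Stand-in for the mapping step (hypothetical name). Finding an existing
 * mapping is the condition the post ties to BUG_ON(); count it instead. */
static int remap_model(unsigned idx, uint64_t pfn) {
    if (pte[idx] != 0) { bug_hits++; return -1; }
    pte[idx] = (pfn << 12) | 1;
    return 0;
}

/* Serialized fault handler: take the lock, re-check, map at most once. */
static void fault_serialized(unsigned idx, uint64_t pfn) {
    pthread_mutex_lock(&map_lock);
    if (pte[idx] == 0) remap_model(idx, pfn);
    pthread_mutex_unlock(&map_lock);
}

static void *worker(void *arg) {
    (void)arg;
    fault_serialized(0, PFN);
    return NULL;
}

/* NTHREADS threads fault on page 0 at once; returns the bug-condition count. */
int run_serialized(void) {
    pthread_t t[NTHREADS];
    reset();
    for (int i = 0; i < NTHREADS; i++) pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < NTHREADS; i++) pthread_join(t[i], NULL);
    return bug_hits;
}

/* Deterministic replay: both handlers reach the mapping step for page 1. */
int replay_unserialized(void) {
    reset();
    remap_model(1, PFN);         /* first handler creates the mapping */
    remap_model(1, PFN);         /* second handler finds it populated */
    return bug_hits;
}

int main(void) { return !(run_serialized() == 0 && replay_unserialized() == 1); }
```

Build with `cc -pthread`; the program exits 0 when the serialized run never hits the condition and the replay hits it exactly once.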
