lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210213175151.GA4646@sequoia> Date: Sat, 13 Feb 2021 11:51:51 -0600 From: Tyler Hicks <tyhicks@...ux.microsoft.com> To: Pavel Tatashin <pasha.tatashin@...een.com> Cc: jmorris@...ei.org, catalin.marinas@....com, will@...nel.org, akpm@...ux-foundation.org, anshuman.khandual@....com, rppt@...nel.org, logang@...tatee.com, ardb@...nel.org, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] arm64: mm: correct the start of physical address in linear map On 2021-02-12 20:23:16, Pavel Tatashin wrote: > Memory hotplug may fail on systems with CONFIG_RANDOMIZE_BASE because the > linear map range is not checked correctly. > > The start physical address that linear map covers can be actually at the > end of the range because of randmomization. Check that and if so reduce it > to 0. > > This can be verified on QEMU with setting kaslr-seed to ~0ul: > > memstart_offset_seed = 0xffff > START: __pa(_PAGE_OFFSET(vabits_actual)) = ffff9000c0000000 > END: __pa(PAGE_END - 1) = 1000bfffffff > > Signed-off-by: Pavel Tatashin <pasha.tatashin@...een.com> > Fixes: 58284a901b42 ("arm64/mm: Validate hotplug range before creating linear mapping") Tested-by: Tyler Hicks <tyhicks@...ux.microsoft.com> This fixes a memory hot plugging bug that I was seeing on 5.10, with the introduction of 58284a901b42. One comment below... > --- > arch/arm64/mm/mmu.c | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c > index ae0c3d023824..6057ecaea897 100644 > --- a/arch/arm64/mm/mmu.c > +++ b/arch/arm64/mm/mmu.c > @@ -1444,14 +1444,25 @@ static void __remove_pgd_mapping(pgd_t *pgdir, unsigned long start, u64 size) > > static bool inside_linear_region(u64 start, u64 size) > { > + u64 start_linear_pa = __pa(_PAGE_OFFSET(vabits_actual)); > + u64 end_linear_pa = __pa(PAGE_END - 1); > + > + /* > + * Check for a wrap, it is possible because of randomized linear mapping > + * the start physical address is actually bigger than the end physical > + * address. In this case set start to zero because [0, end_linear_pa] > + * range must still be able to cover all addressable physical addresses. > + */ > + if (start_linear_pa > end_linear_pa) > + start_linear_pa = 0; We're ignoring the portion from the linear mapping's start PA to the point of wraparound. Could the start and end of the hot plugged memory fall within this range and, as a result, the hot plug operation be incorrectly blocked? Tyler > + > /* > * Linear mapping region is the range [PAGE_OFFSET..(PAGE_END - 1)] > * accommodating both its ends but excluding PAGE_END. Max physical > * range which can be mapped inside this linear mapping range, must > * also be derived from its end points. > */ > - return start >= __pa(_PAGE_OFFSET(vabits_actual)) && > - (start + size - 1) <= __pa(PAGE_END - 1); > + return start >= start_linear_pa && (start + size - 1) <= end_linear_pa; > } > > int arch_add_memory(int nid, u64 start, u64 size, > -- > 2.25.1 >
Powered by blists - more mailing lists