| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Mar 2021 09:12:31 +0100
From: David Hildenbrand <david@...hat.com>
To: Anshuman Khandual <anshuman.khandual@....com>,
Will Deacon <will@...nel.org>,
Catalin Marinas <catalin.marinas@....com>
Cc: Mark Rutland <mark.rutland@....com>, linux-kernel@...r.kernel.org,
Mike Rapoport <rppt@...ux.ibm.com>, linux-mm@...ck.org,
Jérôme Glisse <jglisse@...hat.com>,
James Morse <james.morse@....com>,
Dan Williams <dan.j.williams@...el.com>,
Robin Murphy <robin.murphy@....com>,
Ard Biesheuvel <ardb@...nel.org>,
linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH V2 1/2] arm64/mm: Fix pfn_valid() for ZONE_DEVICE based
memory
On 04.03.21 04:31, Anshuman Khandual wrote:
>
>
> On 3/4/21 2:54 AM, Will Deacon wrote:
>> On Wed, Mar 03, 2021 at 07:04:33PM +0000, Catalin Marinas wrote:
>>> On Thu, Feb 11, 2021 at 01:35:56PM +0100, David Hildenbrand wrote:
>>>> On 11.02.21 13:10, Anshuman Khandual wrote:
>>>>> On 2/11/21 5:23 PM, Will Deacon wrote:
>>>>>> ... and dropped. These patches appear to be responsible for a boot
>>>>>> regression reported by CKI:
>>>>>
>>>>> Ahh, boot regression ? These patches only change the behaviour
>>>>> for non boot memory only.
>>>>>
>>>>>> https://lore.kernel.org/r/cki.8D1CB60FEC.K6NJMEFQPV@redhat.com
>>>>>
>>>>> Will look into the logs and see if there is something pointing to
>>>>> the problem.
>>>>
>>>> It's strange. One thing I can imagine is a mis-detection of early sections.
>>>> However, I don't see that happening:
>>>>
>>>> In sparse_init_nid(), we:
>>>> 1. Initialize the memmap
>>>> 2. Set SECTION_IS_EARLY | SECTION_HAS_MEM_MAP via
>>>> sparse_init_one_section()
>>>>
>>>> Only hotplugged sections (DIMMs, dax/kmem) set SECTION_HAS_MEM_MAP without
>>>> SECTION_IS_EARLY - which is correct, because these are not early.
>>>>
>>>> So once we know that we have valid_section() -- SECTION_HAS_MEM_MAP is set
>>>> -- early_section() should be correct.
>>>>
>>>> Even if someone would be doing a pfn_valid() after
>>>> memblocks_present()->memory_present() but before
>>>> sparse_init_nid(), we should be fine (!valid_section() -> return 0).
>>>
>>> I couldn't figure out how this could fail with Anshuman's patches.
>>> Will's suspicion is that some invalid/null pointer gets dereferenced
>>> before being initialised but the only case I see is somewhere in
>>> pfn_section_valid() (ms->usage) if valid_section() && !early_section().
>>>
>>> Assuming that we do get a valid_section(ms) && !early_section(ms), is
>>> there a case where ms->usage is not initialised? I guess races with
>>> section_deactivate() are not possible this early.
>>>
>>> Another situation could be that pfn_valid() returns true when no memory
>>> is mapped for that pfn.
>>
>> The case I wondered about was __pfn_to_section() with a bogus pfn, since
>> with patch 2/2 we call that *before* checking that pfn_to_section_nr() is
>> sane.
>
> Right, that is problematic. __pfn_to_section() should not be called without
> first validating pfn_to_section_nr(), as it could cause out-of-bound access
> on mem_section buffer. Will fix that order but as there is no test scenario
> which is definitive for this reported regression, how should we ensure that
> it fixes the problem ?
Oh, right, I missed that in patch #2. (and when comparing to generic
pfn_valid()).
I thought bisecting pointed at patch #1, that's why I didn't even have
another look at patch #2. Makes sense.
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists