lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 5 Mar 2021 09:52:30 +0530
From:   Anshuman Khandual <anshuman.khandual@....com>
To:     Will Deacon <will@...nel.org>, David Hildenbrand <david@...hat.com>
Cc:     Catalin Marinas <catalin.marinas@....com>,
        Mark Rutland <mark.rutland@....com>,
        linux-kernel@...r.kernel.org, Mike Rapoport <rppt@...ux.ibm.com>,
        linux-mm@...ck.org,
        Jérôme Glisse <jglisse@...hat.com>,
        James Morse <james.morse@....com>,
        Dan Williams <dan.j.williams@...el.com>,
        Robin Murphy <robin.murphy@....com>,
        Ard Biesheuvel <ardb@...nel.org>, vkabatov@...hat.com,
        linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH V2 1/2] arm64/mm: Fix pfn_valid() for ZONE_DEVICE based
 memory



On 3/4/21 3:06 PM, Will Deacon wrote:
> On Thu, Mar 04, 2021 at 09:12:31AM +0100, David Hildenbrand wrote:
>> On 04.03.21 04:31, Anshuman Khandual wrote:
>>> On 3/4/21 2:54 AM, Will Deacon wrote:
>>>> On Wed, Mar 03, 2021 at 07:04:33PM +0000, Catalin Marinas wrote:
>>>>> On Thu, Feb 11, 2021 at 01:35:56PM +0100, David Hildenbrand wrote:
>>>>>> On 11.02.21 13:10, Anshuman Khandual wrote:
>>>>>>> On 2/11/21 5:23 PM, Will Deacon wrote:
>>>>>>>> ... and dropped. These patches appear to be responsible for a boot
>>>>>>>> regression reported by CKI:
>>>>>>>
>>>>>>> Ahh, boot regression ? These patches only change the behaviour
>>>>>>> for non boot memory only.
>>>>>>>
>>>>>>>> https://lore.kernel.org/r/cki.8D1CB60FEC.K6NJMEFQPV@redhat.com
>>>>>>>
>>>>>>> Will look into the logs and see if there is something pointing to
>>>>>>> the problem.
>>>>>>
>>>>>> It's strange. One thing I can imagine is a mis-detection of early sections.
>>>>>> However, I don't see that happening:
>>>>>>
>>>>>> In sparse_init_nid(), we:
>>>>>> 1. Initialize the memmap
>>>>>> 2. Set SECTION_IS_EARLY | SECTION_HAS_MEM_MAP via
>>>>>>     sparse_init_one_section()
>>>>>>
>>>>>> Only hotplugged sections (DIMMs, dax/kmem) set SECTION_HAS_MEM_MAP without
>>>>>> SECTION_IS_EARLY - which is correct, because these are not early.
>>>>>>
>>>>>> So once we know that we have valid_section() -- SECTION_HAS_MEM_MAP is set
>>>>>> -- early_section() should be correct.
>>>>>>
>>>>>> Even if someone would be doing a pfn_valid() after
>>>>>> memblocks_present()->memory_present() but before
>>>>>> sparse_init_nid(), we should be fine (!valid_section() -> return 0).
>>>>>
>>>>> I couldn't figure out how this could fail with Anshuman's patches.
>>>>> Will's suspicion is that some invalid/null pointer gets dereferenced
>>>>> before being initialised but the only case I see is somewhere in
>>>>> pfn_section_valid() (ms->usage) if valid_section() && !early_section().
>>>>>
>>>>> Assuming that we do get a valid_section(ms) && !early_section(ms), is
>>>>> there a case where ms->usage is not initialised? I guess races with
>>>>> section_deactivate() are not possible this early.
>>>>>
>>>>> Another situation could be that pfn_valid() returns true when no memory
>>>>> is mapped for that pfn.
>>>>
>>>> The case I wondered about was __pfn_to_section() with a bogus pfn, since
>>>> with patch 2/2 we call that *before* checking that pfn_to_section_nr() is
>>>> sane.
>>>
>>> Right, that is problematic. __pfn_to_section() should not be called without
>>> first validating pfn_to_section_nr(), as it could cause out-of-bound access
>>> on mem_section buffer. Will fix that order but as there is no test scenario
>>> which is definitive for this reported regression, how should we ensure that
>>> it fixes the problem ?
>>
>> Oh, right, I missed that in patch #2. (and when comparing to generic
>> pfn_valid()).
>>
>> I thought bisecting pointed at patch #1, that's why I didn't even have
>> another look at patch #2. Makes sense.
> 
> I don't think we ever bisected it beyond these two patches, so it could
> be either of them. Anshuman -- please work with Veronika on this, as she
> has access to the problematic machine and was really helpful in debugging
> this last time.

Sure, will respin the patch series with a fix for [PATCH 2/2] as discussed
and then follow up with Veronika to recreate the problem.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ