lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210426131146.bj2r4ha7yy5norxa@ambrosehua-HP-xw6600-Workstation>
Date:   Mon, 26 Apr 2021 21:11:47 +0800
From:   Huang Pei <huangpei@...ngson.cn>
To:     Zhou Yanjie <zhouyanjie@...yeetech.com>
Cc:     Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
        linux-mips@...r.kernel.org, linux-kernel@...r.kernel.org,
        akpm@...ux-foundation.org, paul.burton@...s.com,
        paul@...pouillou.net, siyanteng@...ngson.cn, ira.weiny@...el.com,
        yangtiezhu@...ngson.cn, jun.jiang@...enic.com,
        dongsheng.qiu@...enic.com, aric.pzqi@...enic.com,
        rick.tyliu@...enic.com, sernia.zhou@...mail.com,
        sihui.liu@...enic.com
Subject: Re: [PATCH] Revert "MIPS: make userspace mapping young by default".

Hi, Thomas,
On Sat, Apr 24, 2021 at 07:24:21PM +0800, Zhou Yanjie wrote:
> Hi Thomas,
> 
> On 2021/4/23 下午10:51, Thomas Bogendoerfer wrote:
> > On Tue, Apr 20, 2021 at 10:03:01PM +0800, Zhou Yanjie wrote:
> > > Sorry for my carelessness, the log in the previous email was wrong, please
> > > check the log in this email.
> > > 
> > > [   53.684067] --- pte 1 = 07698685
> > any chance to print the virtual address to this pte ?
> > 
> > > [   53.687376] --- pte 3 = 07698685
> > > [   53.737175] --- pte 1 = 07699685
> > > [   53.740412] --- pte 3 = 07699685
> > > [   53.744064] --- pte 1 = 076c3685
> > > [..]
> > could you print PTE, which faults ? And what is mapped there ?
> > 
> > 
> > so far I haven't seen any ill-effects of the (bisected ?) patch.
> > The problem I have with reverting is that IMHO we re-introduce the bug,
> > which this patch fixed.
> 
> 
> Fortunately, Mr. Huang Pei and I are in the same city. We have done off-line
> communication, and he is very generous to help troubleshoot the problem.
> 
> 
> Thanks and best regards!
> 
> 
> > 
> > Thomas.
> > 

I add some debug info based on v5.12, see patch and kernel log below

--------------------
diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
index 808b8b61ded1..86ce01d66b03 100644
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -376,6 +376,7 @@ void show_registers(struct pt_regs *regs)
 		set_fs(KERNEL_DS);
 	show_stacktrace(current, regs, KERN_DEFAULT);
 	show_code((unsigned int __user *) regs->cp0_epc);
+	dump_tlb_all();
 	printk("\n");
 	set_fs(old_fs);
 }
diff --git a/mm/memory.c b/mm/memory.c
index 550405fc3b5e..d8f1c69de242 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2831,7 +2831,7 @@ static inline void wp_page_reuse(struct vm_fault *vmf)
  *   held to the old page, as well as updating the rmap.
  * - In any case, unlock the PTL and drop the reference we took to the old page.
  */
-static vm_fault_t wp_page_copy(struct vm_fault *vmf)
+static vm_fault_t wp_page_copy(struct vm_fault *vmf, int a)
 {
 	struct vm_area_struct *vma = vmf->vma;
 	struct mm_struct *mm = vma->vm_mm;
@@ -2862,6 +2862,8 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
 			 * the same address and we will handle the fault
 			 * from the second attempt.
 			 */
+			if (a)
+				pr_info("hp:copy ok\n");
 			put_page(new_page);
 			if (old_page)
 				put_page(old_page);
@@ -2894,6 +2896,8 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
 		} else {
 			inc_mm_counter_fast(mm, MM_ANONPAGES);
 		}
+		if (a)
+			pr_info("hp:out %p, %lx, %lx\n", vma, vmf->address, pte_val(vmf->orig_pte));
 		flush_cache_page(vma, vmf->address, pte_pfn(vmf->orig_pte));
 		entry = mk_pte(new_page, vma->vm_page_prot);
 		entry = maybe_mkwrite(pte_mkdirty(entry), vma);
@@ -3087,7 +3091,7 @@ static vm_fault_t wp_page_shared(struct vm_fault *vmf)
  * but allow concurrent faults), with pte both mapped and locked.
  * We return with mmap_lock still held, but pte unmapped and unlocked.
  */
-static vm_fault_t do_wp_page(struct vm_fault *vmf)
+static vm_fault_t do_wp_page(struct vm_fault *vmf, int a)
 	__releases(vmf->ptl)
 {
 	struct vm_area_struct *vma = vmf->vma;
@@ -3119,7 +3123,9 @@ static vm_fault_t do_wp_page(struct vm_fault *vmf)
 			return wp_pfn_shared(vmf);
 
 		pte_unmap_unlock(vmf->pte, vmf->ptl);
-		return wp_page_copy(vmf);
+		if (a)
+			pr_info("hp:in2\n");
+		return wp_page_copy(vmf, a);
 	}
 
 	/*
@@ -3157,7 +3163,9 @@ static vm_fault_t do_wp_page(struct vm_fault *vmf)
 	get_page(vmf->page);
 
 	pte_unmap_unlock(vmf->pte, vmf->ptl);
-	return wp_page_copy(vmf);
+	if (a)
+		pr_info("hp:in3\n");
+	return wp_page_copy(vmf, a);
 }
 
 static void unmap_mapping_range_vma(struct vm_area_struct *vma,
@@ -3433,6 +3441,10 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
 	}
 	set_pte_at(vma->vm_mm, vmf->address, vmf->pte, pte);
 	arch_do_swap_page(vma->vm_mm, vma, vmf->address, pte, vmf->orig_pte);
+	if (vmf->flags & FAULT_FLAG_WRITE)
+		pr_info("hp: %p, %p, %lx, %lx, %lx\n", vma->vm_mm, vma, vmf->address, pte_val(pte),
+			pte_val(vmf->orig_pte));
+
 	vmf->orig_pte = pte;
 
 	/* ksm created a completely new copy */
@@ -3462,7 +3474,7 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
 	}
 
 	if (vmf->flags & FAULT_FLAG_WRITE) {
-		ret |= do_wp_page(vmf);
+		ret |= do_wp_page(vmf, 1);
 		if (ret & VM_FAULT_ERROR)
 			ret &= VM_FAULT_ERROR;
 		goto out;
@@ -4333,7 +4345,7 @@ static vm_fault_t handle_pte_fault(struct vm_fault *vmf)
 	}
 	if (vmf->flags & FAULT_FLAG_WRITE) {
 		if (!pte_write(entry))
-			return do_wp_page(vmf);
+			return do_wp_page(vmf, 0);
 		entry = pte_mkdirty(entry);
 	}
 	entry = pte_mkyoung(entry);
-------------------------------------
[   27.502265] random: 7 urandom warning(s) missed due to ratelimiting
[371/1987]
[   40.775969] hp: 368bbd08, baf3a8c3, 77e23000, 6807685, 2017a000

!!! swap entry is 0x2017a000

[   40.781983] hp:in3
[   40.784005] hp:out baf3a8c3, 77e23000, 6807685

!!! vmf->pte is held with ptl, so and "pte_same return true" imply that
the *vmf->pte is 0x6807685, instead of 0x2017a000, aka. swap entry

[   40.788446] CPU 0 Unable to handle kernel paging request at virtual
address 77e23000, epc == 801174ec, ra == 80117fb0
[   40.799084] Oops[#1]:
[   40.801353] CPU: 0 PID: 1370 Comm: Xsession Not tainted
5.12.0-00060-g8099b2938a9d-dirty #55
[   40.809777] $ 0   : 00000000 00000001 801174e8 77e24000
[   40.815006] $ 4   : 77e23000 83a1f280 80117d7c 83995c30
[   40.820234] $ 8   : ffffffea 83995c44 00000000 0000000a
[   40.825461] $12   : 65373720 806b1270 0000000f 30303332
[   40.830688] $16   : 83a1f280 77e23000 809dcd1c 00000004
[   40.835915] $20   : 00000000 83a1f280 856c76c0 00000000
[   40.841142] $24   : 00000000 8042251c
[   40.846368] $28   : 83994000 83995d60 80860000 80117fb0
[   40.851596] Hi    : 00000000
[   40.854465] Lo    : 0000afa8
[   40.857333] epc   : 801174ec r4k_blast_dcache_page_dc32+0x4/0x9c
[   40.863338] ra    : 80117fb0 local_r4k_flush_cache_page+0x234/0x2b4
[   40.869597] Status: 10001403 KERNEL EXL IE
[   40.873779] Cause : 4080800c (ExcCode 03)
[   40.877775] BadVA : 77e23000
[   40.880645] PrId  : 00d00100 (Ingenic XBurst)
[   40.884989] Modules linked in:
[   40.888034] Process Xsession (pid: 1370, threadinfo=ca5ce8d6,
task=61c8f3ad, tls=77e28690)

!!! This is my first time debug MIPS32 kernel, I think both threadinfo
and task should be at KSEG0, instead of KSEG2 or USEG

[   40.896285] Stack : 83995dcc 00000000 80860000 8093e2f8 809dcd1c
80860000 8093e2f8 809dcd1c
[   40.904649]         856c76c0 80117c1c 00000000 00000cc0 855e7800
80860000 83995dcc 80117d48
[   40.913013]         856c76c0 806536f0 809dcd1c 856c76c0 856c76c0
77e23000 00006807 fa51a59c
[   40.921377]         83995e80 801ca8bc 00000002 856c76c0 77e23000
06807685 00000000 8387b88c
[   40.929739]         80860000 fa51a59c 83995e80 fa51a59c 809dcd1c
83995e80 00000004 856c76c0
[   40.938103]         ...
[   40.940544] Call Trace:
[   40.942979] [<801174ec>] r4k_blast_dcache_page_dc32+0x4/0x9c
[   40.948633] [<80117fb0>] local_r4k_flush_cache_page+0x234/0x2b4
[   40.954546] [<80117c1c>] r4k_on_each_cpu.isra.10+0x24/0x58
[   40.960024] [<80117d48>] r4k_flush_cache_page+0x38/0x5c
[   40.965242] [<801ca8bc>] wp_page_copy+0x1d0/0x5a8
[   40.969943] [<801cd838>] do_swap_page+0x4a0/0x588
[   40.974642] [<801ce3dc>] handle_mm_fault+0x834/0x954
[   40.979601] [<80110054>] do_page_fault+0x294/0x530
[   40.984387] [<80113fa0>] tlb_do_page_fault_1+0x10c/0x11c
[   40.989693]
[   40.991175] Code: 03e00008  00000000  24831000 <bc950000> bc950020
bc950040  bc950060  bc950080  bc9500a0
[   41.000936] Index:  7 pgmask=4kb va=77e20000 asid=5c
[   41.000936]  [pa=2017e000 c=0 d=0 v=0 g=0] [pa=058b5000 c=3 d=1 v=1
g=0]
[   41.012585] Index:  8 pgmask=4kb va=77d44000 asid=5c
[   41.012585]  [pa=013f4000 c=3 d=0 v=1 g=0] [pa=013f5000 c=3 d=0 v=1
g=0]
[   41.024232] Index:  9 pgmask=4kb va=77d40000 asid=5c
[   41.024232]  [pa=013f0000 c=3 d=0 v=1 g=0] [pa=013f1000 c=3 d=0 v=1
g=0]
[   41.035879] Index: 10 pgmask=4kb va=77d42000 asid=5c
[   41.035879]  [pa=013f2000 c=3 d=0 v=1 g=0] [pa=013f3000 c=3 d=0 v=1
g=0]
[   41.047525] Index: 11 pgmask=4kb va=77d46000 asid=5c
[   41.047525]  [pa=013f6000 c=3 d=0 v=1 g=0] [pa=013f7000 c=3 d=0 v=1
g=0]
[   41.059173] Index: 12 pgmask=4kb va=77d48000 asid=5c
[   41.059173]  [pa=013f8000 c=3 d=0 v=1 g=0] [pa=013f9000 c=3 d=0 v=1
g=0]
[   41.070819] Index: 13 pgmask=4kb va=77d4a000 asid=5c
[   41.070819]  [pa=013fa000 c=3 d=0 v=1 g=0] [pa=013fb000 c=3 d=0 v=1
g=0]
[   41.082467] Index: 14 pgmask=4kb va=77d4c000 asid=5c
[   41.082467]  [pa=013fc000 c=3 d=0 v=1 g=0] [pa=013fd000 c=3 d=0 v=1
g=0]
[   41.094113] Index: 15 pgmask=4kb va=77d4e000 asid=5c
[   41.094113]  [pa=013fe000 c=3 d=0 v=1 g=0] [pa=013ff000 c=3 d=0 v=1
g=0]
[   41.105760] Index: 16 pgmask=4kb va=77d02000 asid=5c
[   41.105760]  [pa=01c81000 c=3 d=0 v=1 g=0] [pa=01c82000 c=3 d=0 v=1
g=0]
[   41.117407] Index: 17 pgmask=4kb va=77d00000 asid=5c
[   41.117407]  [pa=01c7f000 c=3 d=0 v=1 g=0] [pa=01c80000 c=3 d=0 v=1
g=0]
[   41.129054] Index: 18 pgmask=4kb va=77d04000 asid=5c
[   41.129054]  [pa=01c83000 c=3 d=0 v=1 g=0] [pa=01c84000 c=3 d=0 v=1
g=0]
[   41.140701] Index: 19 pgmask=4kb va=77d06000 asid=5c
[   41.140701]  [pa=01c85000 c=3 d=0 v=1 g=0] [pa=01c86000 c=3 d=0 v=1
g=0]
[   41.152348] Index: 20 pgmask=4kb va=77d08000 asid=5c
[   41.152348]  [pa=01c87000 c=3 d=0 v=1 g=0] [pa=01c88000 c=3 d=0 v=1
g=0]
[   41.163995] Index: 21 pgmask=4kb va=77d0a000 asid=5c
[   41.163995]  [pa=01c89000 c=3 d=0 v=1 g=0] [pa=01c8a000 c=3 d=0 v=1
g=0]
[   41.175642] Index: 22 pgmask=4kb va=77d0c000 asid=5c
[   41.175642]  [pa=01c8b000 c=3 d=0 v=1 g=0] [pa=01c8c000 c=3 d=0 v=1
g=0]
[   41.187289] Index: 23 pgmask=4kb va=77d0e000 asid=5c
[   41.187289]  [pa=01c8d000 c=3 d=0 v=1 g=0] [pa=01c8e000 c=3 d=0 v=1
g=0]
[   41.198936] Index: 24 pgmask=4kb va=7f8ee000 asid=5c
[   41.198936]  [pa=02efd000 c=3 d=0 v=0 g=0] [pa=01a8e000 c=3 d=0 v=1
g=0]
[   41.210583] Index: 25 pgmask=4kb va=77dda000 asid=5c
[   41.210583]  [pa=022cc000 c=3 d=0 v=1 g=0] [pa=042a6000 c=3 d=0 v=1
g=0]
[   41.222230] Index: 26 pgmask=4kb va=77dd8000 asid=5c
[   41.222230]  [pa=06618000 c=3 d=0 v=0 g=0] [pa=05794000 c=3 d=0 v=1
g=0]
[   41.233877] Index: 27 pgmask=4kb va=77e22000 asid=5c
[   41.233877]  [pa=06a17000 c=3 d=0 v=0 g=0] [pa=2017a000 c=0 d=0 v=0
g=0]

!!! TLB entry is loading a SWAP entry(C=0, pa=swap) at BADV, the pte_buddy point to a valid
PFN(C=3, pa seem ok), but it is impossible, since line 116 must flush the tlb and
replaced swap entry with new page 

Am I missing something?

[   41.245524] Index: 28 pgmask=4kb va=c00a2000 asid=5c
[   41.245524]  [pa=02c3c000 c=3 d=1 v=1 g=1] [pa=02c3d000 c=3 d=1 v=1
g=1]
[   41.257171] Index: 29 pgmask=4kb va=c00aa000 asid=5c
[   41.257171]  [pa=00000000 c=0 d=0 v=0 g=1] [pa=02c45000 c=3 d=1 v=1
g=1]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ