| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <72cae3c0-e06e-4fe5-24d5-a2c94d99780f@suse.cz>
Date: Thu, 27 Jan 2022 19:30:59 +0100
From: Vlastimil Babka <vbabka@...e.cz>
To: Pasha Tatashin <pasha.tatashin@...een.com>,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
linux-m68k@...ts.linux-m68k.org, anshuman.khandual@....com,
willy@...radead.org, akpm@...ux-foundation.org,
william.kucharski@...cle.com, mike.kravetz@...cle.com,
geert@...ux-m68k.org, schmitzmic@...il.com, rostedt@...dmis.org,
mingo@...hat.com, hannes@...xchg.org, guro@...com,
songmuchun@...edance.com, weixugc@...gle.com, gthelen@...gle.com,
rientjes@...gle.com, pjt@...gle.com, hughd@...gle.com
Subject: Re: [PATCH v3 1/9] mm: add overflow and underflow checks for
page->_refcount
On 1/26/22 19:34, Pasha Tatashin wrote:
> The problems with page->_refcount are hard to debug, because usually
> when they are detected, the damage has occurred a long time ago. Yet,
> the problems with invalid page refcount may be catastrophic and lead to
> memory corruptions.
>
> Reduce the scope of when the _refcount problems manifest themselves by
> adding checks for underflows and overflows into functions that modify
> _refcount.
>
> Use atomic_fetch_* functions to get the old values of the _refcount,
> and use it to check for overflow/underflow.
>
> Signed-off-by: Pasha Tatashin <pasha.tatashin@...een.com>
> ---
> include/linux/page_ref.h | 59 +++++++++++++++++++++++++++++-----------
> 1 file changed, 43 insertions(+), 16 deletions(-)
>
> diff --git a/include/linux/page_ref.h b/include/linux/page_ref.h
> index 2e677e6ad09f..fe4864f7f69c 100644
> --- a/include/linux/page_ref.h
> +++ b/include/linux/page_ref.h
> @@ -117,7 +117,10 @@ static inline void init_page_count(struct page *page)
>
> static inline void page_ref_add(struct page *page, int nr)
> {
> - atomic_add(nr, &page->_refcount);
> + int old_val = atomic_fetch_add(nr, &page->_refcount);
> + int new_val = old_val + nr;
> +
> + VM_BUG_ON_PAGE((unsigned int)new_val < (unsigned int)old_val, page);
This seems somewhat weird, as it will trigger not just on overflow, but also
if nr is negative. Which I think is valid usage, even though the function
has 'add' in name, because 'nr' is signed?
Powered by blists - more mailing lists