| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3c30c5e9-c2fb-9f24-1207-8c342045996b@suse.cz>
Date: Thu, 31 Mar 2022 10:57:07 +0200
From: Vlastimil Babka <vbabka@...e.cz>
To: Zi Yan <ziy@...dia.com>,
Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Steven Rostedt <rostedt@...dmis.org>,
David Hildenbrand <david@...hat.com>,
Mel Gorman <mgorman@...hsingularity.net>,
Mike Rapoport <rppt@...nel.org>,
Oscar Salvador <osalvador@...e.de>,
Andrew Morton <akpm@...ux-foundation.org>,
Linux-MM <linux-mm@...ck.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mm: page_alloc: validate buddy before check its
migratetype.
On 3/31/22 02:10, Zi Yan wrote:
> On 30 Mar 2022, at 19:48, Zi Yan wrote:
>
>> On 30 Mar 2022, at 19:03, Linus Torvalds wrote:
>>
>>> On Wed, Mar 30, 2022 at 3:12 PM Zi Yan <zi.yan@...t.com> wrote:
>>>>
>>>> Fixes: 1dd214b8f21c ("mm: page_alloc: avoid merging non-fallbackable pageblocks with others")
>>>
>>> Oh, btw - should this perhaps be backported further back than that
>>> alleged "fixes" commit?
>>>
>>> It does look like maybe the problem potentially existed before too,
>>> and was just much harder to trigger.
>>>
>>> That said, google doesn't find any other reports that look like
>>> Steven's oops, so maybe it really never happened and backporting isn't
>>> called for.
>>>
>>> Or possibly my google-fu is just bad.
>>>
>>
>> There might not be any issue with the original code because this bug
>> could only be triggered when CONFIG_FLATMEM and CONFIG_MEMORY_ISOLATION
>> are both set, which never happens, since CONFIG_MEMORY_ISOLATION
>> depends on CONFIG_SPARSEMEM.
Good point. Which means unset_migratetype_isolate() that Linus pointed
out, is currently also safe as it's a CONFIG_MEMORY_ISOLATION code.
We could still implement the suggested page_find_buddy() wrapper using
page_is_buddy() internally, as well as the cleanup of __free_one_page(),
but it's not urgent.
>> By checking Steven's boot log, it should be PFN 0x21ee00 that triggers
>> the bug, since the physical memory range ends at PFN 0x21edff.
>> PFN 0x21ee00 is 2MB aligned instead of MAX_ORDER-1 (4MB) aligned.
>> The original code assumes all physical memory ranges are at least
>> MAX_ORDER-1 aligned, which is true when CONFIG_SPARSEMEM is set
>> (CONFIG_MEMORY_ISOLATION depends on it), since CONFIG_SPARSEMEM
>> allocates pageblock_flags array (the NULL-deferenced bitmap points
>> to) at section size granularity (128MB > 4MB). However, CONFIG_FLATMEM
>> does not do this. It allocates pageblock_flags array at the exact size
>> of the physical memory. So checking 0x21ee00 will not cause NULL
>> dereferencing when CONFIG_MEMORY_ISOLATION is set and the original
>> if statement can be true.
>>
>> Now I am wondering if the page_is_buddy() check is correct for
>> CONFIG_FLATMEM. Is mem_map allocation aligned to MAX_ORDER-1
>> or just the present physical memory range? Is PageBuddy(0x21ee00)
>> accessing some random memory location?
>
> OK. mem_map seems to be MAX_ORDER-1 aligned, so there is no
> problem with PageBuddy(0x21ee00).
Yeah mem_map has to be in all config variants, otherwise buddy merging
would have been blowing up in page_is_buddy() even prior to all the
"sometimes avoid merging pageblock" changes.
>
> --
> Best Regards,
> Yan, Zi
Powered by blists - more mailing lists