lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <599118ed-db82-a92a-6e81-0005d0af8691@linux.alibaba.com>
Date:   Tue, 14 Jun 2022 09:26:48 +0800
From:   Xianting Tian <xianting.tian@...ux.alibaba.com>
To:     Guo Ren <guoren@...nel.org>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Vlastimil Babka <vbabka@...e.cz>, ziy@...dia.com,
        Linux-MM <linux-mm@...ck.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        stable@...r.kernel.org, huanyi.xj@...baba-inc.com,
        zjb194813@...baba-inc.com, tianhu.hh@...baba-inc.com
Subject: Re: [RESEND PATCH] mm: page_alloc: validate buddy before check the
 migratetype


在 2022/6/14 上午12:08, Guo Ren 写道:
> On Mon, Jun 13, 2022 at 9:11 PM Xianting Tian
> <xianting.tian@...ux.alibaba.com> wrote:
>> Commit 787af64d05cd ("mm: page_alloc: validate buddy before check its migratetype.")
>> added buddy check code. But unfortunately, this fix isn't backported to
>> linux-5.17.y and the former stable branches. The reason is it added wrong
>> fixes message:
>>       Fixes: 1dd214b8f21c ("mm: page_alloc: avoid merging non-fallbackable
>>                             pageblocks with others")
>> Actually, this issue is involved by commit:
>>       commit d9dddbf55667 ("mm/page_alloc: prevent merging between isolated and other pageblocks")
>>
>> For RISC-V arch, the first 2M is reserved for sbi, so the start PFN is 512,
>> but it got buddy PFN 0 for PFN 0x2000:
>>       0 = 0x2000 ^ (1 << 12)
> How did we get 0? (Try it in gdb)
> (gdb) p /x (0x2000 ^ (1<<12))
> $3 = 0x3000
> Sorry, the order is 0xd = 13, not 12, it is a typo.
> I think it got buddy PFN 0 for PFN 0x1000, right?
> (gdb) p /x (0x1000 ^ (1<<12))
> $4 = 0x0
>
>> With the illegal buddy PFN 0, it got an illegal buddy page, which caused
>> crash in __get_pfnblock_flags_mask().
>>
>> With the patch, it can avoid the calling of get_pageblock_migratetype() if
>> it isn't buddy page.
>>
>> Fixes: d9dddbf55667 ("mm/page_alloc: prevent merging between isolated and other pageblocks")
>> Cc: stable@...r.kernel.org
>> Reported-by: zjb194813@...baba-inc.com
>> Reported-by: tianhu.hh@...baba-inc.com
>> Signed-off-by: Xianting Tian <xianting.tian@...ux.alibaba.com>
>> ---
>>   mm/page_alloc.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
>> index b1caa1c6c887..5b423caa68fd 100644
>> --- a/mm/page_alloc.c
>> +++ b/mm/page_alloc.c
>> @@ -1129,6 +1129,9 @@ static inline void __free_one_page(struct page *page,
>>
>>                          buddy_pfn = __find_buddy_pfn(pfn, order);
>>                          buddy = page + (buddy_pfn - pfn);
>> +
>> +                       if (!page_is_buddy(page, buddy, order))
> Right, we need to check the buddy_pfn valid, because some SoCs would
> start dram address with an offset that has an order smaller than
> MAX_ORDER.
>
>> +                               goto done_merging;
>>                          buddy_mt = get_pageblock_migratetype(buddy);
>>
>>                          if (migratetype != buddy_mt
>> --
>> 2.17.1
>>
> Fixup the comment and
>
> Reviewed-by: Guo Ren <guoren@...nel.org>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ