lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 4 Aug 2022 11:02:59 -0400
From:   Peter Xu <peterx@...hat.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Mike Kravetz <mike.kravetz@...cle.com>,
        syzbot <syzbot+824e71311e757a9689ff@...kaller.appspotmail.com>,
        akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, llvm@...ts.linux.dev, nathan@...nel.org,
        ndesaulniers@...gle.com, songmuchun@...edance.com,
        syzkaller-bugs@...glegroups.com, trix@...hat.com
Subject: Re: [syzbot] WARNING in hugetlb_change_protection

On Thu, Aug 04, 2022 at 07:29:56AM +0200, Dmitry Vyukov wrote:
> ,On Wed, 3 Aug 2022 at 23:03, Peter Xu <peterx@...hat.com> wrote:
> >
> > Hi, Mike,
> >
> > Thanks for forwarding.
> >
> > On Wed, Aug 03, 2022 at 10:02:37AM -0700, Mike Kravetz wrote:
> > > I'll start looking at this, but adding Peter this may be related to his
> > > recent changes.
> > > --
> > > Mike Kravetz
> > >
> > > On 08/03/22 08:32, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit:    e65c6a46df94 Merge tag 'drm-fixes-2022-07-30' of git://ano..
> > > > git tree:       upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=139cc282080000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=26034e6fe0075dad
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=824e71311e757a9689ff
> > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > userspace arch: i386
> > > >
> > > > Unfortunately, I don't have any reproducer for this issue yet.
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+824e71311e757a9689ff@...kaller.appspotmail.com
> > > >
> > > > ------------[ cut here ]------------
> > > > WARNING: CPU: 1 PID: 28745 at include/linux/swapops.h:319 make_pte_marker_entry include/linux/swapops.h:319 [inline]
> >
> > This is the warning code I added to make sure pte marker won't be created
> > if not configured at all:
> >
> > static inline swp_entry_t make_pte_marker_entry(pte_marker marker)
> > {
> >         /* This should never be called if !CONFIG_PTE_MARKER */
> >         WARN_ON_ONCE(1);
> >         return swp_entry(0, 0);
> > }
> >
> > The stack below comes from a UFFDIO_WRITEPROTECT, however logically it
> > shouldn't really reach there - if with !PTE_MARKER then it must be with
> > !PTE_MARKER_UFFD_WP, then we should have returned "false" if hugetlb wanted
> > to register with uffd-wp:
> >
> > static inline bool vma_can_userfault(struct vm_area_struct *vma,
> >                                      unsigned long vm_flags)
> > {
> >         if (vm_flags & VM_UFFD_MINOR)
> >                 return is_vm_hugetlb_page(vma) || vma_is_shmem(vma);
> >
> > #ifndef CONFIG_PTE_MARKER_UFFD_WP
> >         /*
> >          * If user requested uffd-wp but not enabled pte markers for
> >          * uffd-wp, then shmem & hugetlbfs are not supported but only
> >          * anonymous.
> >          */
> >         if ((vm_flags & VM_UFFD_WP) && !vma_is_anonymous(vma))
> >                 return false;
> > #endif
> >         return vma_is_anonymous(vma) || is_vm_hugetlb_page(vma) ||
> >             vma_is_shmem(vma);
> > }
> >
> > Then the UFFDIO_WRITEPROTECT should have failed already.. at:
> >
> >         if (!userfaultfd_wp(dst_vma))
> >                 goto out_unlock;
> >
> > in mwriteprotect_range().
> >
> > I still have no idea how the bot managed to trigger a real wr-protect upon
> > this vma (which I don't think should have registered with uffd-wp but maybe
> > it can be worked around somehow..).  However to make this even safer we can
> > also guard the pte marker callers with CONFIG_PTE_MARKER_UFFD_WP. Patch
> > attached for that, but since this seems to have no reproducer yet maybe no
> > easy way to verify it.
> >
> > At the meantime, I'd also like to double check the kernel config to make
> > sure CONFIG_PTE_MARKER_UFFD_WP will always be unset when CONFIG_PTE_MARKER=n.
> > Anyone knows where I can fetch the config somewhere?
> 
> Hi Peter,
> 
> If you mean the kernel config for the kernel that produces the
> WARNING, it's in the report above under the "kernel config" link.

Thanks Dmitry. That was a stupid question and Mike helped me to figure it
out..  Somehow I had an impression that config was normally attached to the
end of the email so I didn't try looking upwards. :(

> 
> Note that so far it was triggered only once:
> https://syzkaller.appspot.com/bug?extid=824e71311e757a9689ff
> which may suggest a very narrow race condition.

I found that the config is as expected (PTE_MARKER_UFFD_WP not defined), so
far I still don't know how the race has happened, so maybe the patch
attachd can at least help avoid the warning.  It'll be interesting to know
the race if hopefully it can have a reproducer somehow.

Thanks,

-- 
Peter Xu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ