Date:   Sat, 29 Oct 2022 19:17:42 -0700
From:   Nadav Amit <nadav.amit@...il.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Jann Horn <jannh@...gle.com>,
        John Hubbard <jhubbard@...dia.com>, X86 ML <x86@...nel.org>,
        Matthew Wilcox <willy@...radead.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        kernel list <linux-kernel@...r.kernel.org>,
        Linux-MM <linux-mm@...ck.org>,
        Andrea Arcangeli <aarcange@...hat.com>,
        "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
        jroedel@...e.de, ubizjak@...il.com,
        Alistair Popple <apopple@...dia.com>
Subject: Re: [PATCH 01/13] mm: Update ptep_get_lockless()s comment

On Oct 29, 2022, at 11:58 AM, Linus Torvalds <torvalds@...ux-foundation.org> wrote:

> On Sat, Oct 29, 2022 at 11:36 AM Linus Torvalds
> <torvalds@...ux-foundation.org> wrote:
>> Anyway, I think the best documentation for "this is what I meant" is
>> simply the patch. Does this affect your PoC on your setup?
> 
> Here's a slightly cleaned up set with preliminary commit messages, and
> an explanation for why some of the 'struct page' declarations were
> moved around a bit in case you wondered about that part of the change
> in the full patch.
> 
> The end result should be the same, so if you already looked at the
> previous unified patch, never mind. But this one tries to make for a
> better patch series.
> 
> Still not tested in any way, shape, or form. I decided I wanted to
> send this one before booting into this and possibly blowing up ;^)

Running the PoC on Linux 6.0.6 with these patches caused the following splat
on the following line:

	WARN_ON_ONCE(!folio_test_locked(folio) && !folio_test_dirty(folio));

Although I did not hit the warning on the next line (!folio_buffers(folio)),
the commit log for the warning that actually triggered also leads to the
same patch of Jan Kara that is intended to check if a page is dirtied
without buffers (the scenario we are concerned about).
  Author: Jan Kara <jack@...e.cz>
  Date:   Thu Dec 1 11:46:40 2016 -0500

    ext4: warn when page is dirtied without buffers
    
    Warn when a page is dirtied without buffers (as that will likely lead to
    a crash in ext4_writepages()) or when it gets newly dirtied without the
    page being locked (as there is nothing that prevents buffers to get
    stripped just before calling set_page_dirty() under memory pressure). 
[  908.444806] ------------[ cut here ]------------
[  908.451010] WARNING: CPU: 16 PID: 2113 at fs/ext4/inode.c:3634 ext4_dirty_folio+0x74/0x80
[  908.460343] Modules linked in:
[  908.463856] CPU: 16 PID: 2113 Comm: poc Not tainted 6.0.6+ #21
[  908.470521] Hardware name: Dell Inc. PowerEdge R630/0CNCJW, BIOS 2.13.0 05/14/2021
[  908.479202] RIP: 0010:ext4_dirty_folio+0x74/0x80
[  908.484489] Code: d5 ee ff 41 5c 41 5d 5d c3 cc cc cc cc be 08 00 00 00 4c 89 e7 e8 bc 03 e0 ff 4c 89 e7 e8 f4 f8 df ff 49 8b 04 24 a8 08 75 bc <0f> 0b eb b8 0f 0b eb c6 0f 1f 40 00 0f 1f 44 00 00 55 48 89 e5 41
[  908.505851] RSP: 0018:ffff88a1197df9a8 EFLAGS: 00010246
[  908.511826] RAX: 0057ffffc0002014 RBX: ffffffff83414b60 RCX: ffffffff818ceafc
[  908.519964] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffea00fffd9f40
[  908.528103] RBP: ffff88a1197df9b8 R08: 0000000000000001 R09: fffff9401fffb3e9
[  908.536239] R10: ffffea00fffd9f47 R11: fffff9401fffb3e8 R12: ffffea00fffd9f40
[  908.544376] R13: ffff88a087d368d8 R14: ffff88a1197dfb08 R15: ffff88a1197dfb00
[  908.552509] FS:  00007ff7caa68700(0000) GS:ffff8897edc00000(0000) knlGS:0000000000000000
[  908.561731] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  908.568299] CR2: 00007ff7caa67ed8 CR3: 00000020cc970001 CR4: 00000000001706e0
[  908.576437] Call Trace:
[  908.579252]  <TASK>
[  908.581683]  folio_mark_dirty+0x69/0xa0
[  908.586097]  set_page_dirty+0x2a/0x90
[  908.590301]  tlb_flush_mmu+0xc1/0x320
[  908.594517]  tlb_finish_mmu+0x49/0x190
[  908.598822]  unmap_region+0x1fa/0x250
[  908.603029]  ? anon_vma_compatible+0x120/0x120
[  908.608110]  ? __kasan_check_read+0x11/0x20
[  908.612926]  ? __vma_rb_erase+0x38a/0x610
[  908.617547]  __do_munmap+0x313/0x770
[  908.621669]  mmap_region+0x227/0xa50
[  908.625774]  ? down_read+0x320/0x320
[  908.629874]  ? lock_acquire+0x19a/0x450
[  908.634285]  ? __x64_sys_brk+0x4e0/0x4e0
[  908.641552]  ? thp_get_unmapped_area+0xca/0x150
[  908.649404]  ? cap_mmap_addr+0x1d/0x90
[  908.656373]  ? security_mmap_addr+0x3c/0x50
[  908.663781]  ? get_unmapped_area+0x173/0x1f0
[  908.671248]  ? arch_get_unmapped_area+0x330/0x330
[  908.679231]  do_mmap+0x3c3/0x610
[  908.685519]  vm_mmap_pgoff+0x177/0x230
[  908.692303]  ? randomize_page+0x70/0x70
[  908.699133]  ksys_mmap_pgoff+0x241/0x2a0
[  908.706011]  __x64_sys_mmap+0x8d/0xb0
[  908.712594]  do_syscall_64+0x3b/0x90
[  908.719090]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  908.727201] RIP: 0033:0x7ff7cbf868e6
[  908.733559] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 71
[  908.759522] RSP: 002b:00007ff7caa67ea8 EFLAGS: 00000206 ORIG_RAX: 0000000000000009
[  908.770475] RAX: ffffffffffffffda RBX: 0000000000008011 RCX: 00007ff7cbf868e6
[  908.780919] RDX: 0000000000000003 RSI: 0000000000200000 RDI: 00007ff7cbc00000
[  908.791344] RBP: 00007ff7cbc00000 R08: 0000000000000003 R09: 0000000000000000
[  908.801751] R10: 0000000000008011 R11: 0000000000000206 R12: 00007ffed51cbc4e
[  908.812118] R13: 00007ffed51cbc4f R14: 00007ffed51cbc50 R15: 00007ff7caa67fc0
[  908.822523]  </TASK>
[  908.827213] irq event stamp: 4169
[  908.833101] hardirqs last  enabled at (4183): [<ffffffff8133f028>] __up_console_sem+0x68/0x80
[  908.844884] hardirqs last disabled at (4194): [<ffffffff8133f00d>] __up_console_sem+0x4d/0x80
[  908.856622] softirqs last  enabled at (4154): [<ffffffff83000430>] __do_softirq+0x430/0x5db
[  908.868167] softirqs last disabled at (4149): [<ffffffff8125fd89>] irq_exit_rcu+0xe9/0x120
[  908.879611] ---[ end trace 0000000000000000 ]---
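As an added triage helper (not part of the thread or of the kernel tree), a small parser that pulls the WARN location and the call trace out of a splat like the one above, keeping the frames the unwinder could verify apart from the "? " frames it only guessed at. The input is an excerpt copied from the trace in this message; the function names are the helper's own.

```python
import re

# Constructed sample: a subset of the ext4_dirty_folio splat lines from the message above.
SPLAT = """\
[  908.451010] WARNING: CPU: 16 PID: 2113 at fs/ext4/inode.c:3634 ext4_dirty_folio+0x74/0x80
[  908.463856] CPU: 16 PID: 2113 Comm: poc Not tainted 6.0.6+ #21
[  908.576437] Call Trace:
[  908.579252]  <TASK>
[  908.581683]  folio_mark_dirty+0x69/0xa0
[  908.586097]  set_page_dirty+0x2a/0x90
[  908.590301]  tlb_flush_mmu+0xc1/0x320
[  908.594517]  tlb_finish_mmu+0x49/0x190
[  908.598822]  unmap_region+0x1fa/0x250
[  908.603029]  ? anon_vma_compatible+0x120/0x120
[  908.617547]  __do_munmap+0x313/0x770
[  908.621669]  mmap_region+0x227/0xa50
[  908.706011]  __x64_sys_mmap+0x8d/0xb0
[  908.712594]  do_syscall_64+0x3b/0x90
[  908.822523]  </TASK>
"""

# "WARNING: CPU: n PID: n at file:line func+0x.../0x..."
WARN_RE = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+):(\d+) (\S+)\+0x")
# One frame line; an optional "? " prefix marks an address the unwinder could not verify.
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+(\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def parse_splat(text):
    """Return the WARN site plus verified and unreliable ("? ") frames of the task trace."""
    info = {"frames": [], "unreliable": []}
    in_trace = False
    for line in text.splitlines():
        m = WARN_RE.search(line)
        if m:
            info.update(cpu=int(m[1]), pid=int(m[2]), file=m[3], line=int(m[4]), func=m[5])
            continue
        if "<TASK>" in line:
            in_trace = True
            continue
        if "</TASK>" in line:
            in_trace = False
            continue
        if in_trace:
            fm = FRAME_RE.match(line)
            if fm:
                (info["unreliable"] if fm[1] else info["frames"]).append(fm[2])
    return info


def entered_via(info, syscall_prefix="__x64_sys_"):
    """Name of the syscall entry frame on the verified path, or None if there is none."""
    return next((f for f in info["frames"] if f.startswith(syscall_prefix)), None)
```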
