lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 13 Jan 2023 19:04:14 +0000
From:   Lorenzo Stoakes <lstoakes@...il.com>
To:     David Hildenbrand <david@...hat.com>
Cc:     Marek Szyprowski <m.szyprowski@...sung.com>,
        Kefeng Wang <wangkefeng.wang@...wei.com>,
        akpm@...ux-foundation.org, willy@...radead.org, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH -next 5/7] mm: memory: convert wp_page_copy() to use
 folios

On Fri, Jan 13, 2023 at 02:08:36PM +0100, David Hildenbrand wrote:
> On 13.01.23 14:01, Marek Szyprowski wrote:
> > Hi
> >
> > On 12.01.2023 09:30, Kefeng Wang wrote:
> > > The old_page/new_page are converted to old_folio/new_folio in
> > > wp_page_copy(), then replaced related page functions to folio
> > > functions.
> > >
> > > Signed-off-by: Kefeng Wang <wangkefeng.wang@...wei.com>
> >
> > This patch, merged into today's linux-next as commit 9ebae00c8e30 ("mm:
> > memory: convert wp_page_copy() to use folios"), causes serious stability
> > issues on my ARM based test boards. Here is the example of such crash:
>
> syzbot is also not happy:
>
> https://lkml.kernel.org/r/000000000000807c7805f2205df1@google.com
>
> --
> Thanks,
>
> David / dhildenb
>

This also completely broke my qemu environment.

In that thread Willy points out that the issue stems from blindly assigning
page_folio(old_page) to old_folio without checking whether it is NULL first,
therefore triggering a NULL pointer deref.

A quick fix would be to put in a check (as shown below) which fixes the issue,
but as Willy said, I think we should drop this until it can be fixed in a
respin.

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3044,7 +3044,7 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
        struct vm_area_struct *vma = vmf->vma;
        struct mm_struct *mm = vma->vm_mm;
        struct page *old_page = vmf->page;
-       struct folio *old_folio = page_folio(old_page);
+       struct folio *old_folio = old_page ? page_folio(old_page) : NULL;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ