lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 21 Aug 2023 14:33:35 -0400
From:   Johannes Weiner <hannes@...xchg.org>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     Vlastimil Babka <vbabka@...e.cz>,
        Mel Gorman <mgorman@...hsingularity.net>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH 3/8] mm: page_alloc: fix highatomic landing on the wrong buddy list

The following triggers from a custom debug check:

[   89.401754] page type is 3, passed migratetype is 1 (nr=8)
[   89.407930] WARNING: CPU: 2 PID: 75 at mm/page_alloc.c:706 __free_one_page+0x5ea/0x6b0
[   89.415847] Modules linked in:
[   89.418902] CPU: 2 PID: 75 Comm: kswapd0 Not tainted 6.5.0-rc1-00013-g42be896e9f77-dirty #233
[   89.427415] Hardware name: Micro-Star International Co., Ltd. MS-7B98/Z390-A PRO (MS-7B98), BIOS 1.80 12/25/2019
[   89.437572] RIP: 0010:__free_one_page+0x5ea/0x6b0
[   89.442271] Code: <snip>
[   89.461003] RSP: 0000:ffffc900001acea8 EFLAGS: 00010092
[   89.466221] RAX: 0000000000000036 RBX: 0000000000000003 RCX: 0000000000000000
[   89.473349] RDX: 0000000000000106 RSI: 0000000000000027 RDI: 00000000ffffffff
[   89.480478] RBP: ffffffff82ca4780 R08: 0000000000000001 R09: 0000000000000000
[   89.487601] R10: ffffffff8285d1e0 R11: ffffffff8285d1e0 R12: 0000000000000000
[   89.494725] R13: 0000000000063448 R14: ffffea00018d1200 R15: 0000000000063401
[   89.501853] FS:  0000000000000000(0000) GS:ffff88806e680000(0000) knlGS:0000000000000000
[   89.509930] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   89.515671] CR2: 00007fc66488b006 CR3: 00000000190b5001 CR4: 00000000003706e0
[   89.522798] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   89.529924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   89.537048] Call Trace:
[   89.539498]  <IRQ>
[   89.541517]  ? __free_one_page+0x5ea/0x6b0
[   89.545619]  ? __warn+0x7d/0x130
[   89.548852]  ? __free_one_page+0x5ea/0x6b0
[   89.552946]  ? report_bug+0x18d/0x1c0
[   89.556607]  ? handle_bug+0x3a/0x70
[   89.560097]  ? exc_invalid_op+0x13/0x60
[   89.563933]  ? asm_exc_invalid_op+0x16/0x20
[   89.568113]  ? __free_one_page+0x5ea/0x6b0
[   89.572210]  ? __free_one_page+0x5ea/0x6b0
[   89.576306]  ? refill_obj_stock+0xf5/0x1c0
[   89.580399]  free_one_page.constprop.0+0x5c/0xe0

This is a HIGHATOMIC page being freed to the MOVABLE buddy list.

Highatomic pages have their own buddy freelists, but not their own
pcplist. free_one_page() adjusts the migratetype so they can hitchhike
on the MOVABLE pcplist. However, when the pcp trylock then fails,
they're fed directly to the buddy list - with the incorrect type.

Use MIGRATE_MOVABLE only for the pcp, not for the buddy bypass.

Signed-off-by: Johannes Weiner <hannes@...xchg.org>
---
 mm/page_alloc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 20973887999b..a5e36d186893 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2403,7 +2403,7 @@ void free_unref_page(struct page *page, unsigned int order)
 	struct per_cpu_pages *pcp;
 	struct zone *zone;
 	unsigned long pfn = page_to_pfn(page);
-	int migratetype;
+	int migratetype, pcpmigratetype;
 
 	if (!free_pages_prepare(page, order, FPI_NONE))
 		return;
@@ -2415,20 +2415,20 @@ void free_unref_page(struct page *page, unsigned int order)
 	 * areas back if necessary. Otherwise, we may have to free
 	 * excessively into the page allocator
 	 */
-	migratetype = get_pfnblock_migratetype(page, pfn);
+	migratetype = pcpmigratetype = get_pfnblock_migratetype(page, pfn);
 	if (unlikely(migratetype >= MIGRATE_PCPTYPES)) {
 		if (unlikely(is_migrate_isolate(migratetype))) {
 			free_one_page(page_zone(page), page, pfn, order, migratetype, FPI_NONE);
 			return;
 		}
-		migratetype = MIGRATE_MOVABLE;
+		pcpmigratetype = MIGRATE_MOVABLE;
 	}
 
 	zone = page_zone(page);
 	pcp_trylock_prepare(UP_flags);
 	pcp = pcp_spin_trylock(zone->per_cpu_pageset);
 	if (pcp) {
-		free_unref_page_commit(zone, pcp, page, migratetype, order);
+		free_unref_page_commit(zone, pcp, page, pcpmigratetype, order);
 		pcp_spin_unlock(pcp);
 	} else {
 		free_one_page(zone, page, pfn, order, migratetype, FPI_NONE);
-- 
2.41.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ