| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZqpTaKHdrYt61HYy@localhost.localdomain>
Date: Wed, 31 Jul 2024 17:08:24 +0200
From: Oscar Salvador <osalvador@...e.de>
To: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, Peter Xu <peterx@...hat.com>,
Muchun Song <muchun.song@...ux.dev>,
David Hildenbrand <david@...hat.com>,
Donet Tom <donettom@...ux.ibm.com>,
Matthew Wilcox <willy@...radead.org>,
Vlastimil Babka <vbabka@...e.cz>, Michal Hocko <mhocko@...e.com>
Subject: Re: [PATCH v2 6/9] mm: Make hugetlb mappings go through
mm_get_unmapped_area_vmflags
On Wed, Jul 31, 2024 at 12:02:47PM +0100, Lorenzo Stoakes wrote:
> On Mon, Jul 29, 2024 at 11:10:15AM GMT, Oscar Salvador wrote:
> > * Someone wants to read @bytes from a HWPOISON hugetlb @page from @offset.
> > @@ -1300,7 +1307,6 @@ static const struct file_operations hugetlbfs_file_operations = {
> > .read_iter = hugetlbfs_read_iter,
> > .mmap = hugetlbfs_file_mmap,
> > .fsync = noop_fsync,
> > - .get_unmapped_area = hugetlb_get_unmapped_area,
>
> This is causing a NULL pointer deref error in the mm self-tests,
> specifically hugepage-shm.
>
> This is because in __get_unmapped_area(), you check to see if the file has
> an f_ops->get_unampped_area() however ('wonderfully'...) the shm stuff
> wraps it, so this will be shm_get_unmapped_area() which then accesses the
> underlying hugetlb file and _unconditionally_ calls
> f_op->get_unmapped_area(), which you just made NULL and... kaboom :)
>
> You can't even add null check in to this wrapper as at this point
> everything assumes that you _can_ get an unmapped area. So yeah, it's kinda
> broken.
>
> This makes me think the whole thing is super-delicate and you probably need
> to rethink this approach carefully, or least _very carefully_ audit users
> of this operation.
Thanks for reporting this Lorenzo, highly appreciated.
I will check, but..
> By doing this you are causing an compilation error (at least on my compiler
> with an x86-64 defconfig-based build):
>
> arch/x86/mm/hugetlbpage.c:84:1: error: no previous prototype for
> ‘hugetlb_get_unmapped_area’ [-Werror=missing-prototypes]
> 84 | hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
> | ^~~~~~~~~~~~~~~~~~~~~~~~~
Something is off here.
git grep hugetlb_get_unmapped_area
returns nothing.
After this, arch/x86/mm/hugetlbpage.c should only contain:
#ifdef CONFIG_X86_64
bool __init arch_hugetlb_valid_size(unsigned long size)
{
if (size == PMD_SIZE)
return true;
else if (size == PUD_SIZE && boot_cpu_has(X86_FEATURE_GBPAGES))
return true;
else
return false;
}
#ifdef CONFIG_CONTIG_ALLOC
static __init int gigantic_pages_init(void)
{
/* With compaction or CMA we can allocate gigantic pages at runtime */
if (boot_cpu_has(X86_FEATURE_GBPAGES))
hugetlb_add_hstate(PUD_SHIFT - PAGE_SHIFT);
return 0;
}
arch_initcall(gigantic_pages_init);
#endif
#endif
so what is going here?
Maybe the series was not properly applied to mm-unstable?
I will have a look.
--
Oscar Salvador
SUSE Labs
Powered by blists - more mailing lists