Message-ID: <26991b8a-9fc4-4cf9-99de-048c90e7a683@lucifer.local>
Date: Wed, 2 Oct 2024 13:13:16 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Bert Karwatzki <spasswolf@....de>
Cc: "Liam R . Howlett" <Liam.Howlett@...cle.com>,
        Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v8 14/21] mm/mmap: Avoid zeroing vma tree in mmap_region()

On Tue, Oct 01, 2024 at 04:34:00AM GMT, Bert Karwatzki wrote:
> I just noticed (via a bisect between v6.11 and v6.12-rc1) that this patch
> (commit f8d112a4e657 in linux-next tree) leads to a severe memory corruption
> error under these (rather rare) circumstances:
> 1. Start a 32bit windows game via steam (which uses proton, steam's version of wine)
> 2. When starting the game, the proton version used has to be updated
>
> The effect is the following: The updating process of proton hangs and the game does
> not start and even after an exit from steam two processes remain, one of them at
> 100% CPU:
> $ ps aux | grep rundll
> bert      222638  1.7  0.1 2054868 87492 ?       Ss   23:14   0:01 C:\windows\syswow64\rundll32.exe setupapi,InstallHinfSection Wow64Install 128 \\?\Z:\mnt\data\.steam\debian-installation\steamapps\common\Proton - Experimental\files\share\wine\wine.inf
> bert      222639 99.8  0.0 2054868 2380 ?        R    23:14   1:01 C:\windows\syswow64\rundll32.exe setupapi,InstallHinfSection Wow64Install 128 \\?\Z:\mnt\data\.steam\debian-installation\steamapps\common\Proton - Experimental\files\share\wine\wine.inf
>
> When trying to kill those processes with "killall rundll32.exe", these errors happen:

[snip]

Starting a new thread because lei is totally breaking with all these dmesg
logs and I'm struggling to be able to reply correctly.

Sorry to make it hard to follow everyone but there we go.

I have tried to recreate the exact series of anon mappings and it is not
triggering for me, so unfortunately I'm going to have to ask you to try
something else.

This does sort of hint at it being maybe an unusual code path with a file
set (possibly...) - could you try the below patch on fresh next 1st oct?

You can grep the dmesg for 'LJS' and just provide that if it triggers,
mostly I want to see if this (unusual) code path triggers. There shouldn't
be any spamming.

Thanks!

----8<----
From 3218f9fae67b8314434445b4939f1cff964da88b Mon Sep 17 00:00:00 2001
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Date: Wed, 2 Oct 2024 13:04:55 +0100
Subject: [PATCH] ljs: add hacky log output

---
 mm/mmap.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/mm/mmap.c b/mm/mmap.c
index dd4b35a25aeb..f927744e6384 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1464,9 +1464,17 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
 		 */
 		if (unlikely(vm_flags != vma->vm_flags && vmg.prev)) {
 			vmg.flags = vma->vm_flags;
+
+			pr_err("LJS: HIT CASE [%lx, %lx) orig flags=[%lu] flags=[%lu]\n",
+			       vma->vm_start, vma->vm_end, vm_flags, vma->vm_flags);
+
 			/* If this fails, state is reset ready for a reattempt. */
 			merge = vma_merge_new_range(&vmg);

+			pr_err("LJS: HIT CASE POST MERGE [%lx, %lx) merge=%s\n",
+			       vma->vm_start, vma->vm_end,
+			       merge == NULL ? "false" : "success");
+
 			if (merge) {
 				/*
 				 * ->mmap() can change vma->vm_file and fput
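Review bot: the two new pr_err() calls print the flags with `%lu`, but `vm_flags` and `vma->vm_flags` are bitmasks, so `%lx` (the format already used for the `[vm_start, vm_end)` range on the same line) would make it far easier to see which bits ->mmap() added or dropped between "orig flags" and "flags". In the second message, `vma->vm_start`/`vma->vm_end` are the original vma's range, which has not changed across vma_merge_new_range(); when `merge` is non-NULL it would be more informative to also log `merge->vm_start` and `merge->vm_end` so the dmesg shows what the new mapping was merged into. Minor: the `merge == NULL ? "false" : "success"` pair is mismatched; "fail" / "success" (or "true" / "false") reads more naturally when grepping for 'LJS'.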
--
2.46.2
