lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cover.1737754625.git.luizcap@redhat.com>
Date: Fri, 24 Jan 2025 16:37:50 -0500
From: Luiz Capitulino <luizcap@...hat.com>
To: linux-kernel@...r.kernel.org,
	linux-mm@...ck.org,
	david@...hat.com,
	yuzhao@...gle.com
Cc: akpm@...ux-foundation.org,
	hannes@...xchg.org,
	muchun.song@...ux.dev,
	lcapitulino@...il.com,
	luizcap@...hat.com
Subject: [RFC 0/4] mm: page_ext: Fix crash when reserving 1G pages

Hi,

  [ Thanks to David Hildenbrand for identifying the root cause of this
    issue and proving guidance on how to fix it. The new API idea, bugs
    and misconceptions are all mine though ]

Currently, trying to reserve 1G pages with page_owner=on and sparsemem
causes a crash. The reproducer is very simple:

 1. Build the kernel with CONFIG_SPARSEMEM=y and the table extensions
 2. Pass 'default_hugepagesz=1 page_owner=on' in the kernel command-line
 3. Reserve one 1G page at run-time, this should crash (see patch 1 for
    backtrace) 

 [ A crash with page_table_check is also possible, but harder to
   trigger ]

Apparently, starting with commit e98337d11bbd ("mm/contig_alloc: support
__GFP_COMP") we now pass the full allocation order to page extension
clients and the page extension implementation assumes that all PFNs of
an allocation range will be stored in the same memory section (which is
not true for 1G pages).

To fix this, this series introduces a new iteration API for page extension
objects. The API ensures that we always lookup the memory sections for
the next page extension in the iteration.

While this series seems to fix the issue, it's RFC because:

 1. page_ext_iter_next() uses brute-force. David suggested to maintain
    the current API but only do a memory section lookup if the next PFN
    aligns with PAGE_PER_SECTION (ie. it's the first PFN of a section).
    But I couldn't make it work: I was getting random crashes and RCU
    warnings

 2. It's very lightly tested

Luiz Capitulino (4):
  mm: page_ext: add an iteration API for page extensions
  mm: page_owner: use new iteration API
  mm: page_table_check: use new iteration API
  mm: page_ext: drop page_ext_next()

 include/linux/page_ext.h | 15 +++++----
 mm/page_ext.c            | 55 ++++++++++++++++++++++++++++++++
 mm/page_owner.c          | 68 ++++++++++++++++++++++++++--------------
 mm/page_table_check.c    | 21 +++++++------
 4 files changed, 120 insertions(+), 39 deletions(-)

-- 
2.47.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ