Message-ID: <0f6afef57196cb308aa90be5b06a64793aa24682.camel@gmail.com>
Date: Mon, 23 Sep 2024 14:56:01 -0700
From: Eduard Zingerman <eddyz87@...il.com>
To: Manu Bretelle <chantr4@...il.com>, dhowells@...hat.com
Cc: asmadeus@...ewreck.org, ceph-devel@...r.kernel.org,
 christian@...uner.io,  ericvh@...nel.org, hsiangkao@...ux.alibaba.com,
 idryomov@...il.com,  jlayton@...nel.org, linux-afs@...ts.infradead.org,
 linux-cifs@...r.kernel.org,  linux-erofs@...ts.ozlabs.org,
 linux-fsdevel@...r.kernel.org,  linux-kernel@...r.kernel.org,
 linux-mm@...ck.org, linux-nfs@...r.kernel.org,  marc.dionne@...istor.com,
 netdev@...r.kernel.org, netfs@...ts.linux.dev,  pc@...guebit.com,
 smfrench@...il.com, sprasad@...rosoft.com, tom@...pey.com, 
 v9fs@...ts.linux.dev, willy@...radead.org
Subject: Re: [PATCH v2 19/25] netfs: Speed up buffered reading

On Mon, 2024-09-23 at 11:43 -0700, Eduard Zingerman wrote:
> On Mon, 2024-09-23 at 11:34 -0700, Manu Bretelle wrote:
> 
> [...]
> 
> > The qemu command invoked by vmtest is:
> > 
> > qemu-system-x86_64 "-nodefaults" "-display" "none" "-serial" "mon:stdio" \
> >   "-enable-kvm" "-cpu" "host" "-qmp" "unix:/tmp/qmp-971717.sock,server=on,wait=off" \
> >   "-chardev" "socket,path=/tmp/qga-888301.sock,server=on,wait=off,id=qga0" \
> >   "-device" "virtio-serial" \
> >   "-device" "virtserialport,chardev=qga0,name=org.qemu.guest_agent.0" \
> >   "--device" "virtio-serial" \
> >   "-chardev" "socket,path=/tmp/cmdout-508724.sock,server=on,wait=off,id=cmdout" \
> >   "--device" "virtserialport,chardev=cmdout,name=org.qemu.virtio_serial.0" \
> >   "-virtfs" "local,id=root,path=/,mount_tag=/dev/root,security_model=none,multidevs=remap" \
> >   "-kernel" "/data/users/chantra/linux/arch/x86/boot/bzImage" \
> >   "-no-reboot" "-append" "rootfstype=9p rootflags=trans=virtio,cache=mmap,msize=1048576 rw earlyprintk=serial,0,115200 printk.devkmsg=on console=0,115200 loglevel=7 raid=noautodetect init=/tmp/vmtest-init4PdCA.sh panic=-1" \
> >   "-virtfs" "local,id=shared,path=/data/users/chantra/linux,mount_tag=vmtest-shared,security_model=none,multidevs=remap" \
> >   "-smp" "2" "-m" "4G"
> 
> fwiw: removing "cache=mmap" from "rootflags" allows VM to boot and run tests.
> 

A few more details:
- error could be reproduced with KASAN enabled, log after
  scripts/decode_stacktrace.sh post-processing is in [1];
  (KASAN reports use-after-free followed by null-ptr-deref);
- null-ptr-deref is triggered by access to page->pcp_list.next
  when list_del() is called from page_alloc.c:__rmqueue_pcplist(),
  e.g. the following warning is triggered if added:

  --- a/mm/page_alloc.c
  +++ b/mm/page_alloc.c
  @@ -2990,6 +2990,7 @@ struct page *__rmqueue_pcplist(struct zone *zone, unsigned int order,
                  }
 
                  page = list_first_entry(list, struct page, pcp_list);
  +               WARN_ONCE(!page->pcp_list.next, "!!!!! page->pcp_list.next is NULL\n");
                  list_del(&page->pcp_list);
                  pcp->count -= 1 << order;
          } while (check_new_pages(page, order));
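
Review bot: the added WARN_ONCE before list_del() only reports the condition; list_del(&page->pcp_list) on the next line still runs on the entry whose pcp_list.next is NULL, so the null-ptr-deref follows immediately after the warning, and because this is a _ONCE variant any later hit is silent. As a debugging aid it would say more if it also checked page->pcp_list.prev and included the page pointer and order in the message. The "!!!!!" marker can be dropped, since WARN_ONCE already prints a backtrace that is easy to find in the log.
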
- config used for testing is [2];
- kernel used for testing is [3];

[1] https://gist.github.com/eddyz87/e638d67454558508451331754f946f41
[2] https://gist.github.com/eddyz87/f2c9c267db20ee53a6eb350aba0d2182
[3] de5cb0dcb74c ("Merge branch 'address-masking'")
    https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git
