From: Rafael Aquini <aquini@redhat.com> To: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Konstantin Khlebnikov <koct9i@gmail.com>, Sasha Levin <sasha.levin@oracle.com>, Andrew Morton <akpm@linux-foundation.org>, Vlastimil Babka <vbabka@suse.cz>, David Rientjes <rientjes@google.com>, Mel Gorman <mgorman@suse.de>, Joonsoo Kim <iamjoonsoo.kim@lge.com>, Dave Jones <davej@redhat.com>, "linux-mm@kvack.org" <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, Andrey Ryabinin <a.ryabinin@samsung.com> Subject: Re: mm: compaction: buffer overflow in isolate_migratepages_range Date: Thu, 14 Aug 2014 15:54:21 -0300 [thread overview] Message-ID: <20140814185420.GA26367@optiplex.redhat.com> (raw) In-Reply-To: <CAPAsAGwk7kF6XtJNz6Y41zn0SHHzEt1Nwi_wC0gWgt0fpdp-ZQ@mail.gmail.com> On Thu, Aug 14, 2014 at 10:07:40PM +0400, Andrey Ryabinin wrote: > 2014-08-14 19:13 GMT+04:00 Rafael Aquini <aquini@redhat.com>: > > It still a harmless condition as before, but considering what goes above > > I'm now convinced & confident the patch proposed by Andrey is the real fix > > for such occurrences. > > > > I don't think that it's harmless, because we could cross page boundary here and > try to read from a memory hole. > I think isolate_migratepages_range() skips over holes, doesn't it? > And this code has more potential problems like use after free. Since > we don't hold locks properly here, > page->mapping could point to freed struct address_space. > Thinking on how things go for isolate_migratepages_range() and balloon pages, I struggle to find a way where that could happen. OTOH, I failed to see things more blatant before, so I won't argue here. Defensive programming is always better than negating possibilities ;) > We discussed this with Konstantin and he suggested a better solution for this. > If I understood him correctly the main idea was to store bit > identifying ballon page > in struct page (special value in _mapcount), so we won't need to check > mapping->flags. > I liked it. Something in the line of PageBuddy()/PAGE_BUDDY_MAPCOUNT_VALUE scheme. This is clearly cleaner than what we have in place today, and I'm ashamed I didn't think of it before. Thanks for pointing that out. Cheers, -- Rafael
WARNING: multiple messages have this Message-ID (diff)
From: Rafael Aquini <aquini@redhat.com> To: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Konstantin Khlebnikov <koct9i@gmail.com>, Sasha Levin <sasha.levin@oracle.com>, Andrew Morton <akpm@linux-foundation.org>, Vlastimil Babka <vbabka@suse.cz>, David Rientjes <rientjes@google.com>, Mel Gorman <mgorman@suse.de>, Joonsoo Kim <iamjoonsoo.kim@lge.com>, Dave Jones <davej@redhat.com>, "linux-mm@kvack.org" <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, Andrey Ryabinin <a.ryabinin@samsung.com> Subject: Re: mm: compaction: buffer overflow in isolate_migratepages_range Date: Thu, 14 Aug 2014 15:54:21 -0300 [thread overview] Message-ID: <20140814185420.GA26367@optiplex.redhat.com> (raw) In-Reply-To: <CAPAsAGwk7kF6XtJNz6Y41zn0SHHzEt1Nwi_wC0gWgt0fpdp-ZQ@mail.gmail.com> On Thu, Aug 14, 2014 at 10:07:40PM +0400, Andrey Ryabinin wrote: > 2014-08-14 19:13 GMT+04:00 Rafael Aquini <aquini@redhat.com>: > > It still a harmless condition as before, but considering what goes above > > I'm now convinced & confident the patch proposed by Andrey is the real fix > > for such occurrences. > > > > I don't think that it's harmless, because we could cross page boundary here and > try to read from a memory hole. > I think isolate_migratepages_range() skips over holes, doesn't it? > And this code has more potential problems like use after free. Since > we don't hold locks properly here, > page->mapping could point to freed struct address_space. > Thinking on how things go for isolate_migratepages_range() and balloon pages, I struggle to find a way where that could happen. OTOH, I failed to see things more blatant before, so I won't argue here. Defensive programming is always better than negating possibilities ;) > We discussed this with Konstantin and he suggested a better solution for this. > If I understood him correctly the main idea was to store bit > identifying ballon page > in struct page (special value in _mapcount), so we won't need to check > mapping->flags. > I liked it. Something in the line of PageBuddy()/PAGE_BUDDY_MAPCOUNT_VALUE scheme. This is clearly cleaner than what we have in place today, and I'm ashamed I didn't think of it before. Thanks for pointing that out. Cheers, -- Rafael -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2014-08-14 18:54 UTC|newest] Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top 2014-08-10 1:45 mm: compaction: buffer overflow in isolate_migratepages_range Sasha Levin 2014-08-10 1:45 ` Sasha Levin 2014-08-10 8:49 ` Andrey Ryabinin 2014-08-10 8:49 ` Andrey Ryabinin 2014-08-13 15:35 ` Rafael Aquini 2014-08-13 15:35 ` Rafael Aquini 2014-08-14 15:13 ` Rafael Aquini 2014-08-14 15:13 ` Rafael Aquini 2014-08-14 18:07 ` Andrey Ryabinin 2014-08-14 18:07 ` Andrey Ryabinin 2014-08-14 18:54 ` Rafael Aquini [this message] 2014-08-14 18:54 ` Rafael Aquini 2014-08-14 21:43 ` Rafael Aquini 2014-08-14 21:43 ` Rafael Aquini 2014-08-14 22:07 ` Rafael Aquini 2014-08-14 22:07 ` Rafael Aquini 2014-08-15 3:36 ` Konstantin Khlebnikov 2014-08-15 3:36 ` Konstantin Khlebnikov 2014-08-15 5:21 ` Rafael Aquini 2014-08-15 5:21 ` Rafael Aquini 2014-08-15 5:11 ` Rafael Aquini 2014-08-15 5:11 ` Rafael Aquini
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20140814185420.GA26367@optiplex.redhat.com \ --to=aquini@redhat.com \ --cc=a.ryabinin@samsung.com \ --cc=akpm@linux-foundation.org \ --cc=davej@redhat.com \ --cc=iamjoonsoo.kim@lge.com \ --cc=koct9i@gmail.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=mgorman@suse.de \ --cc=rientjes@google.com \ --cc=ryabinin.a.a@gmail.com \ --cc=sasha.levin@oracle.com \ --cc=vbabka@suse.cz \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.