All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] zsmalloc: calling zs_map_object() from irq is a bug
@ 2017-09-20  6:39 Sergey Senozhatsky
  2017-09-20  6:47 ` Minchan Kim
  0 siblings, 1 reply; 6+ messages in thread
From: Sergey Senozhatsky @ 2017-09-20  6:39 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Minchan Kim, linux-kernel, Sergey Senozhatsky, Sergey Senozhatsky

Use BUG_ON(in_interrupt()) in zs_map_object(). Calling this
function from IRQ is a bug, because we use per-CPU mappings
and interrupt may corrupt those buffers.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
---
 mm/zsmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 7c38e850a8fc..685049a9048d 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1349,7 +1349,7 @@ void *zs_map_object(struct zs_pool *pool, unsigned long handle,
 	 * pools/users, we can't allow mapping in interrupt context
 	 * because it can corrupt another users mappings.
 	 */
-	WARN_ON_ONCE(in_interrupt());
+	BUG_ON(in_interrupt());
 
 	/* From now on, migration cannot move the object */
 	pin_tag(handle);
-- 
2.14.1

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] zsmalloc: calling zs_map_object() from irq is a bug
  2017-09-20  6:39 [PATCH] zsmalloc: calling zs_map_object() from irq is a bug Sergey Senozhatsky
@ 2017-09-20  6:47 ` Minchan Kim
  2017-09-20  6:48   ` Sergey Senozhatsky
  2017-09-27  0:26   ` Andrew Morton
  0 siblings, 2 replies; 6+ messages in thread
From: Minchan Kim @ 2017-09-20  6:47 UTC (permalink / raw)
  To: Sergey Senozhatsky; +Cc: Andrew Morton, linux-kernel, Sergey Senozhatsky

On Wed, Sep 20, 2017 at 03:39:41PM +0900, Sergey Senozhatsky wrote:
> Use BUG_ON(in_interrupt()) in zs_map_object(). Calling this
> function from IRQ is a bug, because we use per-CPU mappings
> and interrupt may corrupt those buffers.
> 
> Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>

IMHO, corruption the buffer would be not enough to be a BUG_ON
which stop the system fully so user loses any chances to shut
down smooth/hunt it down.

More serious thing of our case is that it can leak other user's
data by overwriting, which is more concern I am thinking now.

So,

Acked-by: Minchan Kim <minchan@kernel.org>

Thanks!

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] zsmalloc: calling zs_map_object() from irq is a bug
  2017-09-20  6:47 ` Minchan Kim
@ 2017-09-20  6:48   ` Sergey Senozhatsky
  2017-09-27  0:26   ` Andrew Morton
  1 sibling, 0 replies; 6+ messages in thread
From: Sergey Senozhatsky @ 2017-09-20  6:48 UTC (permalink / raw)
  To: Minchan Kim
  Cc: Sergey Senozhatsky, Andrew Morton, linux-kernel, Sergey Senozhatsky

On (09/20/17 15:47), Minchan Kim wrote:
> On Wed, Sep 20, 2017 at 03:39:41PM +0900, Sergey Senozhatsky wrote:
> > Use BUG_ON(in_interrupt()) in zs_map_object(). Calling this
> > function from IRQ is a bug, because we use per-CPU mappings
> > and interrupt may corrupt those buffers.
> > 
> > Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> 
> IMHO, corruption the buffer would be not enough to be a BUG_ON
> which stop the system fully so user loses any chances to shut
> down smooth/hunt it down.
> 
> More serious thing of our case is that it can leak other user's
> data by overwriting, which is more concern I am thinking now.
> 
> So,
> 
> Acked-by: Minchan Kim <minchan@kernel.org>

thanks.

	-ss

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] zsmalloc: calling zs_map_object() from irq is a bug
  2017-09-20  6:47 ` Minchan Kim
  2017-09-20  6:48   ` Sergey Senozhatsky
@ 2017-09-27  0:26   ` Andrew Morton
  2017-09-28  0:41     ` Sergey Senozhatsky
  1 sibling, 1 reply; 6+ messages in thread
From: Andrew Morton @ 2017-09-27  0:26 UTC (permalink / raw)
  To: Minchan Kim; +Cc: Sergey Senozhatsky, linux-kernel, Sergey Senozhatsky

On Wed, 20 Sep 2017 15:47:39 +0900 Minchan Kim <minchan@kernel.org> wrote:

> On Wed, Sep 20, 2017 at 03:39:41PM +0900, Sergey Senozhatsky wrote:
> > Use BUG_ON(in_interrupt()) in zs_map_object(). Calling this
> > function from IRQ is a bug, because we use per-CPU mappings
> > and interrupt may corrupt those buffers.
> > 
> > Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> 
> IMHO, corruption the buffer would be not enough to be a BUG_ON
> which stop the system fully so user loses any chances to shut
> down smooth/hunt it down.
> 
> More serious thing of our case is that it can leak other user's
> data by overwriting, which is more concern I am thinking now.
> 

In an off-list email Linus has basically stated that all new uses of
BUG_ON should include words in the changelog or code comments
explaining why it is justifiable to kill the machine when the condition
triggers.

So can we please have a v2 with the appropriate comment?

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] zsmalloc: calling zs_map_object() from irq is a bug
  2017-09-27  0:26   ` Andrew Morton
@ 2017-09-28  0:41     ` Sergey Senozhatsky
  0 siblings, 0 replies; 6+ messages in thread
From: Sergey Senozhatsky @ 2017-09-28  0:41 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Minchan Kim, Sergey Senozhatsky, linux-kernel, Sergey Senozhatsky

On (09/26/17 17:26), Andrew Morton wrote:
> > On Wed, Sep 20, 2017 at 03:39:41PM +0900, Sergey Senozhatsky wrote:
> > > Use BUG_ON(in_interrupt()) in zs_map_object(). Calling this
> > > function from IRQ is a bug, because we use per-CPU mappings
> > > and interrupt may corrupt those buffers.
> > > 
> > > Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> > 
> > IMHO, corruption the buffer would be not enough to be a BUG_ON
> > which stop the system fully so user loses any chances to shut
> > down smooth/hunt it down.
> > 
> > More serious thing of our case is that it can leak other user's
> > data by overwriting, which is more concern I am thinking now.
> > 
> 
> In an off-list email Linus has basically stated that all new uses of
> BUG_ON should include words in the changelog or code comments
> explaining why it is justifiable to kill the machine when the condition
> triggers.
> 
> So can we please have a v2 with the appropriate comment?

ah, OK. will follow up.

	-ss

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH] zsmalloc: calling zs_map_object() from irq is a bug
@ 2017-09-29  4:51 Sergey Senozhatsky
  0 siblings, 0 replies; 6+ messages in thread
From: Sergey Senozhatsky @ 2017-09-29  4:51 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Minchan Kim, linux-kernel, Sergey Senozhatsky, Sergey Senozhatsky

Use BUG_ON(in_interrupt()) in zs_map_object(). This is not a
new BUG_ON(), it's always been there, but was recently changed
to VM_BUG_ON(). There are several problems there. First, we use
use per-CPU mappings both in zsmalloc and in zram, and interrupt
may easily corrupt those buffers. Second, and more importantly,
we believe it's possible to start leaking sensitive information.
Consider the following case:

-> process P
	swap out
	 zram
	  per-cpu mapping CPU1
	   compress page A
-> IRQ

	swap out
	 zram
	  per-cpu mapping CPU1
	   compress page B
	    write page from per-cpu mapping CPU1 to zsmalloc pool
	iret

-> process P
	    write page from per-cpu mapping CPU1 to zsmalloc pool  [*]
	return

* so we store overwritten data that actually belongs to another
  page (task) and potentially contains sensitive data. And when
  process P will page fault it's going to read (swap in) that
  other task's data.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Minchan Kim <minchan@kernel.org>
---
 mm/zsmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 7c38e850a8fc..685049a9048d 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1349,7 +1349,7 @@ void *zs_map_object(struct zs_pool *pool, unsigned long handle,
 	 * pools/users, we can't allow mapping in interrupt context
 	 * because it can corrupt another users mappings.
 	 */
-	WARN_ON_ONCE(in_interrupt());
+	BUG_ON(in_interrupt());
 
 	/* From now on, migration cannot move the object */
 	pin_tag(handle);
-- 
2.14.2

^ permalink raw reply related	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-09-29  4:51 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-20  6:39 [PATCH] zsmalloc: calling zs_map_object() from irq is a bug Sergey Senozhatsky
2017-09-20  6:47 ` Minchan Kim
2017-09-20  6:48   ` Sergey Senozhatsky
2017-09-27  0:26   ` Andrew Morton
2017-09-28  0:41     ` Sergey Senozhatsky
2017-09-29  4:51 Sergey Senozhatsky

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.