* [patch 038/147] mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range()
[not found] <20210907195226.14b1d22a07c085b22968b933@linux-foundation.org>
@ 2021-09-08 2:54 ` Andrew Morton
[not found] ` <20210908030026.2dLZCmkE4%akpm@linux-foundation.org>
1 sibling, 0 replies; 3+ messages in thread
From: Andrew Morton @ 2021-09-08 2:54 UTC (permalink / raw)
To: akpm, aneesh.kumar, anshuman.khandual, anton, ardb, bauerman,
benh, bhe, borntraeger, bp, catalin.marinas, cheloha,
christophe.leroy, dalias, dan.j.williams, dave.hansen,
dave.jiang, david, gor, hca, hpa, jasowang, joe, justin.he,
ldufour, lenb, linux-mm, luto, mhocko, michel, mingo, mm-commits,
mpe, mst, nathanl, npiggin, osalvador, pankaj.gupta.linux,
pankaj.gupta, pasha.tatashin, paulus, peterz, pmorel,
rafael.j.wysocki, richard.weiyang, rjw, rppt, slyfox, songmuchun,
stable, tglx, torvalds, vbabka, vishal.l.verma, vkuznets,
wangkefeng.wang, will, ysato
From: David Hildenbrand <david@redhat.com>
Subject: mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range()
Patch series "mm/memory_hotplug: preparatory patches for new online policy and memory"
These are all cleanups and one fix previously sent as part of [1]:
[PATCH v1 00/12] mm/memory_hotplug: "auto-movable" online policy and memory
groups.
These patches make sense even without the other series, therefore I pulled
them out to make the other series easier to digest.
[1] https://lkml.kernel.org/r/20210607195430.48228-1-david@redhat.com
This patch (of 4):
Checkpatch complained on a follow-up patch that we are using "unsigned"
here, which defaults to "unsigned int" and checkpatch is correct.
As we will search for a fitting zone using the wrong pfn, we might end
up onlining memory to one of the special kernel zones, such as ZONE_DMA,
which can end badly as the onlined memory does not satisfy properties of
these zones.
Use "unsigned long" instead, just as we do in other places when handling
PFNs. This can bite us once we have physical addresses in the range of
multiple TB.
Link: https://lkml.kernel.org/r/20210712124052.26491-2-david@redhat.com
Fixes: e5e689302633 ("mm, memory_hotplug: display allowed zones in the preferred ordering")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Pankaj Gupta <pankaj.gupta@ionos.com>
Reviewed-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: David Hildenbrand <david@redhat.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Pankaj Gupta <pankaj.gupta.linux@gmail.com>
Cc: Wei Yang <richard.weiyang@linux.alibaba.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Len Brown <lenb@kernel.org>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: virtualization@lists.linux-foundation.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
Cc: Anton Blanchard <anton@ozlabs.org>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Baoquan He <bhe@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Christophe Leroy <christophe.leroy@c-s.fr>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jia He <justin.he@arm.com>
Cc: Joe Perches <joe@perches.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Laurent Dufour <ldufour@linux.ibm.com>
Cc: Michel Lespinasse <michel@lespinasse.org>
Cc: Nathan Lynch <nathanl@linux.ibm.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Pierre Morel <pmorel@linux.ibm.com>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Rich Felker <dalias@libc.org>
Cc: Scott Cheloha <cheloha@linux.ibm.com>
Cc: Sergei Trofimovich <slyfox@gentoo.org>
Cc: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: Will Deacon <will@kernel.org>
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
include/linux/memory_hotplug.h | 4 ++--
mm/memory_hotplug.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/include/linux/memory_hotplug.h~mm-memory_hotplug-use-unsigned-long-for-pfn-in-zone_for_pfn_range
+++ a/include/linux/memory_hotplug.h
@@ -339,8 +339,8 @@ extern void sparse_remove_section(struct
unsigned long map_offset, struct vmem_altmap *altmap);
extern struct page *sparse_decode_mem_map(unsigned long coded_mem_map,
unsigned long pnum);
-extern struct zone *zone_for_pfn_range(int online_type, int nid, unsigned start_pfn,
- unsigned long nr_pages);
+extern struct zone *zone_for_pfn_range(int online_type, int nid,
+ unsigned long start_pfn, unsigned long nr_pages);
extern int arch_create_linear_mapping(int nid, u64 start, u64 size,
struct mhp_params *params);
void arch_remove_linear_mapping(u64 start, u64 size);
--- a/mm/memory_hotplug.c~mm-memory_hotplug-use-unsigned-long-for-pfn-in-zone_for_pfn_range
+++ a/mm/memory_hotplug.c
@@ -708,8 +708,8 @@ static inline struct zone *default_zone_
return movable_node_enabled ? movable_zone : kernel_zone;
}
-struct zone *zone_for_pfn_range(int online_type, int nid, unsigned start_pfn,
- unsigned long nr_pages)
+struct zone *zone_for_pfn_range(int online_type, int nid,
+ unsigned long start_pfn, unsigned long nr_pages)
{
if (online_type == MMOP_ONLINE_KERNEL)
return default_kernel_zone_for_pfn(nid, start_pfn, nr_pages);
_
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF
[not found] ` <20210908030026.2dLZCmkE4%akpm@linux-foundation.org>
@ 2021-09-24 10:35 ` Pavel Machek
2021-09-24 11:09 ` Ryusuke Konishi
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Machek @ 2021-09-24 10:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, konishi.ryusuke, linux-mm, mm-commits, thunder.leizhen, torvalds
[-- Attachment #1: Type: text/plain, Size: 2087 bytes --]
Hi!
> From: Zhen Lei <thunder.leizhen@huawei.com>
> Subject: nilfs2: use refcount_dec_and_lock() to fix potential UAF
>
> When the refcount is decreased to 0, the resource reclamation branch is
> entered. Before CPU0 reaches the race point (1), CPU1 may obtain the
> spinlock and traverse the rbtree to find 'root', see nilfs_lookup_root().
> Although CPU1 will call refcount_inc() to increase the refcount, it is
> obviously too late. CPU0 will release 'root' directly, CPU1 then accesses
> 'root' and triggers UAF.
>
> Use refcount_dec_and_lock() to ensure that both the operations of decrease
> refcount to 0 and link deletion are lock protected eliminates this risk.
>
> CPU0 CPU1
> nilfs_put_root():
> <-------- (1)
> spin_lock(&nilfs->ns_cptree_lock);
> rb_erase(&root->rb_node, &nilfs->ns_cptree);
> spin_unlock(&nilfs->ns_cptree_lock);
>
> kfree(root);
> <-------- use-after-free
> There is no reproduction program, and the above is only theoretical
> analysis.
Ok, so we have a theoretical bug, and fix already on its way to
stable. But ... is it correct?
> +++ a/fs/nilfs2/the_nilfs.c
> @@ -792,14 +792,13 @@ nilfs_find_or_create_root(struct the_nil
>
> void nilfs_put_root(struct nilfs_root *root)
> {
> - if (refcount_dec_and_test(&root->count)) {
> - struct the_nilfs *nilfs = root->nilfs;
> + struct the_nilfs *nilfs = root->nilfs;
>
> - nilfs_sysfs_delete_snapshot_group(root);
> -
> - spin_lock(&nilfs->ns_cptree_lock);
> + if (refcount_dec_and_lock(&root->count, &nilfs->ns_cptree_lock)) {
> rb_erase(&root->rb_node, &nilfs->ns_cptree);
> spin_unlock(&nilfs->ns_cptree_lock);
> +
> + nilfs_sysfs_delete_snapshot_group(root);
> iput(root->ifile);
>
> kfree(root);
spin_lock() is deleted, but spin_unlock() is not affected. This means
unbalanced locking, right?
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF
2021-09-24 10:35 ` [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF Pavel Machek
@ 2021-09-24 11:09 ` Ryusuke Konishi
0 siblings, 0 replies; 3+ messages in thread
From: Ryusuke Konishi @ 2021-09-24 11:09 UTC (permalink / raw)
To: Pavel Machek
Cc: LKML, stable, Andrew Morton, linux-mm, mm-commits, Zhen Lei,
Linus Torvalds
Hi,
On Fri, Sep 24, 2021 at 7:35 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > From: Zhen Lei <thunder.leizhen@huawei.com>
> > Subject: nilfs2: use refcount_dec_and_lock() to fix potential UAF
> >
> > When the refcount is decreased to 0, the resource reclamation branch is
> > entered. Before CPU0 reaches the race point (1), CPU1 may obtain the
> > spinlock and traverse the rbtree to find 'root', see nilfs_lookup_root().
> > Although CPU1 will call refcount_inc() to increase the refcount, it is
> > obviously too late. CPU0 will release 'root' directly, CPU1 then accesses
> > 'root' and triggers UAF.
> >
> > Use refcount_dec_and_lock() to ensure that both the operations of decrease
> > refcount to 0 and link deletion are lock protected eliminates this risk.
> >
> > CPU0 CPU1
> > nilfs_put_root():
> > <-------- (1)
> > spin_lock(&nilfs->ns_cptree_lock);
> > rb_erase(&root->rb_node, &nilfs->ns_cptree);
> > spin_unlock(&nilfs->ns_cptree_lock);
> >
> > kfree(root);
> > <-------- use-after-free
>
> > There is no reproduction program, and the above is only theoretical
> > analysis.
>
> Ok, so we have a theoretical bug, and fix already on its way to
> stable. But ... is it correct?
>
> > +++ a/fs/nilfs2/the_nilfs.c
> > @@ -792,14 +792,13 @@ nilfs_find_or_create_root(struct the_nil
> >
> > void nilfs_put_root(struct nilfs_root *root)
> > {
> > - if (refcount_dec_and_test(&root->count)) {
> > - struct the_nilfs *nilfs = root->nilfs;
> > + struct the_nilfs *nilfs = root->nilfs;
> >
> > - nilfs_sysfs_delete_snapshot_group(root);
> > -
> > - spin_lock(&nilfs->ns_cptree_lock);
> > + if (refcount_dec_and_lock(&root->count, &nilfs->ns_cptree_lock)) {
> > rb_erase(&root->rb_node, &nilfs->ns_cptree);
> > spin_unlock(&nilfs->ns_cptree_lock);
> > +
> > + nilfs_sysfs_delete_snapshot_group(root);
> > iput(root->ifile);
> >
> > kfree(root);
>
> spin_lock() is deleted, but spin_unlock() is not affected. This means
> unbalanced locking, right?
It's okay. spin_lock() is integrated into refcount_dec_and_lock(), which was
originally refcount_dec_and_test().
Thanks,
Ryusuke Konishi
>
> Best regards,
> Pavel
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-09-24 11:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20210907195226.14b1d22a07c085b22968b933@linux-foundation.org>
2021-09-08 2:54 ` [patch 038/147] mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range() Andrew Morton
[not found] ` <20210908030026.2dLZCmkE4%akpm@linux-foundation.org>
2021-09-24 10:35 ` [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF Pavel Machek
2021-09-24 11:09 ` Ryusuke Konishi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).