| Message ID | f08cca5c46d67399c53262eca48e015dcf1841f9.1663695394.git.christophe.leroy@csgroup.eu (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | powerpc/highmem: Properly handle fragmented memory | expand |
| Context | Check | Description |
|---|---|---|
| snowpatch_ozlabs/github-powerpc_selftests | success | Successfully ran 10 jobs. |
| snowpatch_ozlabs/github-powerpc_ppctests | success | Successfully ran 10 jobs. |
| snowpatch_ozlabs/github-powerpc_sparse | success | Successfully ran 4 jobs. |
| snowpatch_ozlabs/github-powerpc_clang | success | Successfully ran 6 jobs. |
| snowpatch_ozlabs/github-powerpc_kernel_qemu | success | Successfully ran 23 jobs. |
On Tuesday 20 September 2022 19:36:42 Christophe Leroy wrote: > In addition to checking whether a page is reserved before allocating > it to highmem, verify that it is valid memory. > > Otherwise the kernel Oopses as below: > > [ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off > [ 0.000000] Kernel attempted to read user page (7df58) - exploit attempt? (uid: 0) > [ 0.000000] BUG: Unable to handle kernel data access on read at 0x0007df58 > [ 0.000000] Faulting instruction address: 0xc01c8348 > [ 0.000000] Oops: Kernel access of bad area, sig: 11 [#1] > [ 0.000000] BE PAGE_SIZE=4K SMP NR_CPUS=2 P2020RDB-PC > [ 0.000000] Modules linked in: > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc2-0caacb197b677410bdac81bc34f05235+ #121 > [ 0.000000] NIP: c01c8348 LR: c01cb2bc CTR: 0000000a > [ 0.000000] REGS: c10d7e20 TRAP: 0300 Not tainted (6.0.0-rc2-0caacb197b677410bdac81bc34f05235+) > [ 0.000000] MSR: 00021000 <CE,ME> CR: 48044224 XER: 00000000 > [ 0.000000] DEAR: 0007df58 ESR: 00000000 > [ 0.000000] GPR00: c01cb294 c10d7f10 c1045340 00000001 00000004 c112bcc0 00000015 eedf1000 > [ 0.000000] GPR08: 00000003 0007df58 00000000 f0000000 28044228 00000200 00000000 00000000 > [ 0.000000] GPR16: 00000000 00000000 00000000 0275cb7a c0000000 00000001 0000075f 00000000 > [ 0.000000] GPR24: c1031004 00000000 00000000 00000001 c10f0000 eedf1000 00080000 00080000 > [ 0.000000] NIP [c01c8348] free_unref_page_prepare.part.93+0x48/0x60 > [ 0.000000] LR [c01cb2bc] free_unref_page+0x84/0x4b8 > [ 0.000000] Call Trace: > [ 0.000000] [c10d7f10] [eedf1000] 0xeedf1000 (unreliable) > [ 0.000000] [c10d7f20] [c01cb294] free_unref_page+0x5c/0x4b8 > [ 0.000000] [c10d7f70] [c1007644] mem_init+0xd0/0x194 > [ 0.000000] [c10d7fa0] [c1000e4c] start_kernel+0x4c0/0x6d0 > [ 0.000000] [c10d7ff0] [c00003e0] set_ivor+0x13c/0x178 > [ 0.000000] Instruction dump: > [ 0.000000] 552817be 5509103a 7d294214 55293830 7d4a4a14 812a003c 814a0038 5529002a > [ 0.000000] 7c892050 5484c23a 5489eafa 548406fe <7d2a482e> 7d242430 5484077e 90870010 > [ 0.000000] ---[ end trace 0000000000000000 ]--- > > Reported-by: Pali Rohár <pali@kernel.org> > Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Hello and thank you for care about this issue! I have already tested this change, it fixes crash, so add my: Tested-by: Pali Rohár <pali@kernel.org> Anyway, should there be some Fixes: tag? E.g. Fixes: b0e0d68b1c52 ("powerpc/32: Allow fragmented physical memory") (which enabled support for fragmented memory and therefore kernel started crashing?) Link: https://lore.kernel.org/linuxppc-dev/20220908201701.sd3zqn5hfixmjvhh@pali/ > --- > arch/powerpc/mm/mem.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c > index 01772e79fd93..6ddbd6cb3a2a 100644 > --- a/arch/powerpc/mm/mem.c > +++ b/arch/powerpc/mm/mem.c > @@ -302,7 +302,7 @@ void __init mem_init(void) > for (pfn = highmem_mapnr; pfn < max_mapnr; ++pfn) { > phys_addr_t paddr = (phys_addr_t)pfn << PAGE_SHIFT; > struct page *page = pfn_to_page(pfn); > - if (!memblock_is_reserved(paddr)) > + if (memblock_is_memory(paddr) && !memblock_is_reserved(paddr)) > free_highmem_page(page); > } > } > -- > 2.37.1 >
On Tue, 20 Sep 2022 19:36:42 +0200, Christophe Leroy wrote: > In addition to checking whether a page is reserved before allocating > it to highmem, verify that it is valid memory. > > Otherwise the kernel Oopses as below: > > [ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off > [ 0.000000] Kernel attempted to read user page (7df58) - exploit attempt? (uid: 0) > [ 0.000000] BUG: Unable to handle kernel data access on read at 0x0007df58 > [ 0.000000] Faulting instruction address: 0xc01c8348 > [ 0.000000] Oops: Kernel access of bad area, sig: 11 [#1] > [ 0.000000] BE PAGE_SIZE=4K SMP NR_CPUS=2 P2020RDB-PC > [ 0.000000] Modules linked in: > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc2-0caacb197b677410bdac81bc34f05235+ #121 > [ 0.000000] NIP: c01c8348 LR: c01cb2bc CTR: 0000000a > [ 0.000000] REGS: c10d7e20 TRAP: 0300 Not tainted (6.0.0-rc2-0caacb197b677410bdac81bc34f05235+) > [ 0.000000] MSR: 00021000 <CE,ME> CR: 48044224 XER: 00000000 > [ 0.000000] DEAR: 0007df58 ESR: 00000000 > [ 0.000000] GPR00: c01cb294 c10d7f10 c1045340 00000001 00000004 c112bcc0 00000015 eedf1000 > [ 0.000000] GPR08: 00000003 0007df58 00000000 f0000000 28044228 00000200 00000000 00000000 > [ 0.000000] GPR16: 00000000 00000000 00000000 0275cb7a c0000000 00000001 0000075f 00000000 > [ 0.000000] GPR24: c1031004 00000000 00000000 00000001 c10f0000 eedf1000 00080000 00080000 > [ 0.000000] NIP [c01c8348] free_unref_page_prepare.part.93+0x48/0x60 > [ 0.000000] LR [c01cb2bc] free_unref_page+0x84/0x4b8 > [ 0.000000] Call Trace: > [ 0.000000] [c10d7f10] [eedf1000] 0xeedf1000 (unreliable) > [ 0.000000] [c10d7f20] [c01cb294] free_unref_page+0x5c/0x4b8 > [ 0.000000] [c10d7f70] [c1007644] mem_init+0xd0/0x194 > [ 0.000000] [c10d7fa0] [c1000e4c] start_kernel+0x4c0/0x6d0 > [ 0.000000] [c10d7ff0] [c00003e0] set_ivor+0x13c/0x178 > [ 0.000000] Instruction dump: > [ 0.000000] 552817be 5509103a 7d294214 55293830 7d4a4a14 812a003c 814a0038 5529002a > [ 0.000000] 7c892050 5484c23a 5489eafa 548406fe <7d2a482e> 7d242430 5484077e 90870010 > [ 0.000000] ---[ end trace 0000000000000000 ]--- > > [...] Applied to powerpc/next. [1/1] powerpc/highmem: Properly handle fragmented memory https://git.kernel.org/powerpc/c/2fc1c63d2763ad7562ea7d241da79b42538a557b cheers
diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c index 01772e79fd93..6ddbd6cb3a2a 100644 --- a/arch/powerpc/mm/mem.c +++ b/arch/powerpc/mm/mem.c @@ -302,7 +302,7 @@ void __init mem_init(void) for (pfn = highmem_mapnr; pfn < max_mapnr; ++pfn) { phys_addr_t paddr = (phys_addr_t)pfn << PAGE_SHIFT; struct page *page = pfn_to_page(pfn); - if (!memblock_is_reserved(paddr)) + if (memblock_is_memory(paddr) && !memblock_is_reserved(paddr)) free_highmem_page(page); } }
In addition to checking whether a page is reserved before allocating it to highmem, verify that it is valid memory. Otherwise the kernel Oopses as below: [ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off [ 0.000000] Kernel attempted to read user page (7df58) - exploit attempt? (uid: 0) [ 0.000000] BUG: Unable to handle kernel data access on read at 0x0007df58 [ 0.000000] Faulting instruction address: 0xc01c8348 [ 0.000000] Oops: Kernel access of bad area, sig: 11 [#1] [ 0.000000] BE PAGE_SIZE=4K SMP NR_CPUS=2 P2020RDB-PC [ 0.000000] Modules linked in: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc2-0caacb197b677410bdac81bc34f05235+ #121 [ 0.000000] NIP: c01c8348 LR: c01cb2bc CTR: 0000000a [ 0.000000] REGS: c10d7e20 TRAP: 0300 Not tainted (6.0.0-rc2-0caacb197b677410bdac81bc34f05235+) [ 0.000000] MSR: 00021000 <CE,ME> CR: 48044224 XER: 00000000 [ 0.000000] DEAR: 0007df58 ESR: 00000000 [ 0.000000] GPR00: c01cb294 c10d7f10 c1045340 00000001 00000004 c112bcc0 00000015 eedf1000 [ 0.000000] GPR08: 00000003 0007df58 00000000 f0000000 28044228 00000200 00000000 00000000 [ 0.000000] GPR16: 00000000 00000000 00000000 0275cb7a c0000000 00000001 0000075f 00000000 [ 0.000000] GPR24: c1031004 00000000 00000000 00000001 c10f0000 eedf1000 00080000 00080000 [ 0.000000] NIP [c01c8348] free_unref_page_prepare.part.93+0x48/0x60 [ 0.000000] LR [c01cb2bc] free_unref_page+0x84/0x4b8 [ 0.000000] Call Trace: [ 0.000000] [c10d7f10] [eedf1000] 0xeedf1000 (unreliable) [ 0.000000] [c10d7f20] [c01cb294] free_unref_page+0x5c/0x4b8 [ 0.000000] [c10d7f70] [c1007644] mem_init+0xd0/0x194 [ 0.000000] [c10d7fa0] [c1000e4c] start_kernel+0x4c0/0x6d0 [ 0.000000] [c10d7ff0] [c00003e0] set_ivor+0x13c/0x178 [ 0.000000] Instruction dump: [ 0.000000] 552817be 5509103a 7d294214 55293830 7d4a4a14 812a003c 814a0038 5529002a [ 0.000000] 7c892050 5484c23a 5489eafa 548406fe <7d2a482e> 7d242430 5484077e 90870010 [ 0.000000] ---[ end trace 0000000000000000 ]--- Reported-by: Pali Rohár <pali@kernel.org> Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> --- arch/powerpc/mm/mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)