From: Mike Rapoport <rppt@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Mike Rapoport <rppt@kernel.org>, Rik van Riel <riel@surriel.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	kernel test robot <oliver.sang@intel.com>
Subject: [PATCH] Revert "mm,memblock: reset memblock.reserved to system init state to prevent UAF"
Date: Fri, 28 Jul 2023 13:55:12 +0300
Message-ID: <20230728105512.2258393-1-rppt@kernel.org>

From: "Mike Rapoport (IBM)" <rppt@kernel.org>

This reverts commit 9e46e4dcd9d6cd88342b028dbfa5f4fb7483d39c.

kbuild reports a warning in memblock_remove_region() because of a false
positive caused by partial reset of the memblock state.

Doing the full reset will remove the false positives, but will allow late
use of memblock_free() to go unnoticed, so it is better to revert the
offending commit.

 WARNING: CPU: 0 PID: 1 at mm/memblock.c:352 memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 Modules linked in:
 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.5.0-rc3-00001-g9e46e4dcd9d6 #2
 RIP: 0010:memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 Code: 00 00 48 8b 43 18 48 c7 40 08 00 00 00 00 48 8b 43 18 c7 40 10 00 00 00 00 48 8b 43 18 c7 40 14 00 04 00 00 5b c3 cc cc cc cc <0f> 0b eb c2 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00
 RSP: 0000:ffa0000000077e78 EFLAGS: 00010206
 RAX: ffffffff82f4bc40 RBX: ffffffff82f4bc18 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: ffffffff82f4bc58 RDI: ffffffff82f4bc40
 RBP: 0000000000000000 R08: ff1100207ffd4d00 R09: 0000000000000002
 R10: ffd4000081ff9d00 R11: ff1100207ffd4000 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ff1100103f200000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ff1100207fc00000 CR3: 000000207ea18001 CR4: 0000000000771ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <TASK>
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 ? __warn (kbuild/src/x86_64/kernel/panic.c:673)
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 ? report_bug (kbuild/src/x86_64/lib/bug.c:180 kbuild/src/x86_64/lib/bug.c:219)
 ? handle_bug (kbuild/src/x86_64/arch/x86/kernel/traps.c:324)
 ? exc_invalid_op (kbuild/src/x86_64/arch/x86/kernel/traps.c:345 (discriminator 1))
 ? asm_exc_invalid_op (kbuild/src/x86_64/arch/x86/include/asm/idtentry.h:568)
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:348)
 memblock_discard (kbuild/src/x86_64/mm/memblock.c:383)
 page_alloc_init_late (kbuild/src/x86_64/include/linux/find.h:208 kbuild/src/x86_64/include/linux/nodemask.h:266 kbuild/src/x86_64/mm/mm_init.c:2405)
 kernel_init_freeable (kbuild/src/x86_64/init/main.c:1325 kbuild/src/x86_64/init/main.c:1546)
 ? __pfx_kernel_init (kbuild/src/x86_64/init/main.c:1429)
 kernel_init (kbuild/src/x86_64/init/main.c:1439)
 ret_from_fork (kbuild/src/x86_64/arch/x86/kernel/process.c:145)
 ? __pfx_kernel_init (kbuild/src/x86_64/init/main.c:1429)
 ret_from_fork_asm (kbuild/src/x86_64/arch/x86/entry/entry_64.S:298)
 RIP: 0000:0x0
 Code: Unable to access opcode bytes at 0xffffffffffffffd6.
 RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  </TASK>

Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202307271656.447aa17e-oliver.sang@intel.com
Signed-off-by: Mike Rapoport (IBM) <rppt@kernel.org>
---

Hi,

Looks like I didn't wait enough for kbuild :(

Linus, do you prefer a pull request or to pick it right away?

 mm/memblock.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/mm/memblock.c b/mm/memblock.c
index c39b36378f5d..f9e61e565a53 100644
--- a/mm/memblock.c
+++ b/mm/memblock.c
@@ -374,10 +374,6 @@ void __init memblock_discard(void)
 			kfree(memblock.reserved.regions);
 		else
 			memblock_free_late(addr, size);
-		/* Reset to prevent UAF from stray frees. */
-		memblock.reserved.regions = memblock_reserved_init_regions;
-		memblock.reserved.cnt = 1;
-		memblock_remove_region(&memblock.reserved, 0);
 	}
 
 	if (memblock.memory.regions != memblock_memory_init_regions) {
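Review bot: with the four removed lines gone, memblock.reserved.regions is left pointing at the array that the preceding kfree()/memblock_free_late() just released, so the stray-late-free UAF the reverted commit was guarding against comes back as a silent failure rather than a noisy one; if the revert is the right call for 6.5 (the WARN is clearly a false positive), it would be worth a follow-up that keeps some detection, e.g. a WARN_ON() in the memblock_free() path once memblock_discard() has run, rather than dropping the protection entirely. Note also that the removed reset only touched `.regions` and `.cnt` while leaving `.total_size` at its pre-discard value, which is the "partial reset" the commit message blames for the WARN fired from memblock_remove_region() at mm/memblock.c:352; any future re-attempt needs to reset the whole memblock_type, not just those two fields.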
-- 
2.39.2


