authorAndrew Morton <akpm@linux-foundation.org>2024-04-12 15:10:07 -0700
committerAndrew Morton <akpm@linux-foundation.org>2024-04-12 15:10:07 -0700
commita5d45d7f51e63a9633752b7a41caa677954da195 (patch)
tree90a4f7282a441b6d4c740826781f045dab80c26e
parent5ec378d0a6b0dd33e92369c51fffae60be328b6b (diff)
foo
-rw-r--r--patches/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.patch79
-rw-r--r--patches/old/mm-arm64-override-mkold_clean_ptes-batch-helper.patch (renamed from patches/mm-arm64-override-mkold_clean_ptes-batch-helper.patch)0
-rw-r--r--patches/old/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch (renamed from patches/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch)0
-rw-r--r--pc/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.pc1
-rw-r--r--pc/devel-series6
-rw-r--r--pc/mm-arm64-override-mkold_clean_ptes-batch-helper.pc2
-rw-r--r--pc/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.pc4
-rw-r--r--txt/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.txt61
-rw-r--r--txt/mm-hugetlb-convert-dissolve_free_huge_pages-to-folios.txt1
-rw-r--r--txt/old/mm-arm64-override-mkold_clean_ptes-batch-helper.txt (renamed from txt/mm-arm64-override-mkold_clean_ptes-batch-helper.txt)0
-rw-r--r--txt/old/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.txt (renamed from txt/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.txt)0
11 files changed, 144 insertions, 10 deletions
diff --git a/patches/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.patch b/patches/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.patch
new file mode 100644
index 000000000..2f1949ccd
--- /dev/null
+++ b/patches/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.patch
@@ -0,0 +1,79 @@
+From: Qiang Zhang <qiang4.zhang@intel.com>
+Subject: bootconfig: use memblock_free_late to free xbc memory to buddy
+Date: Fri, 12 Apr 2024 10:41:04 +0800
+
+At the time to free xbc memory, memblock has handed over memory to buddy
+allocator. So it doesn't make sense to free memory back to memblock.
+memblock_free() called by xbc_exit() even causes UAF bugs on architectures
+with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. Following KASAN logs
+shows this case.
+
+[ 9.410890] ==================================================================
+[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260
+[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1
+
+[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5
+[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023
+[ 9.460789] Call Trace:
+[ 9.463518] <TASK>
+[ 9.465859] dump_stack_lvl+0x53/0x70
+[ 9.469949] print_report+0xce/0x610
+[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0
+[ 9.478619] ? memblock_isolate_range+0x12d/0x260
+[ 9.483877] kasan_report+0xc6/0x100
+[ 9.487870] ? memblock_isolate_range+0x12d/0x260
+[ 9.493125] memblock_isolate_range+0x12d/0x260
+[ 9.498187] memblock_phys_free+0xb4/0x160
+[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10
+[ 9.508021] ? mutex_unlock+0x7e/0xd0
+[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10
+[ 9.516786] ? kernel_init_freeable+0x2d4/0x430
+[ 9.521850] ? __pfx_kernel_init+0x10/0x10
+[ 9.526426] xbc_exit+0x17/0x70
+[ 9.529935] kernel_init+0x38/0x1e0
+[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30
+[ 9.538601] ret_from_fork+0x2c/0x50
+[ 9.542596] ? __pfx_kernel_init+0x10/0x10
+[ 9.547170] ret_from_fork_asm+0x1a/0x30
+[ 9.551552] </TASK>
+
+[ 9.555649] The buggy address belongs to the physical page:
+[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30
+[ 9.570821] flags: 0x200000000000000(node=0|zone=2)
+[ 9.576271] page_type: 0xffffffff()
+[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000
+[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
+[ 9.597476] page dumped because: kasan: bad access detected
+
+[ 9.605362] Memory state around the buggy address:
+[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.634930] ^
+[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.654675] ==================================================================
+
+Link: https://lkml.kernel.org/r/20240412024103.3078378-1-qiang4.zhang@linux.intel.com
+Signed-off-by: Qiang Zhang <qiang4.zhang@intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+
+ lib/bootconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/bootconfig.c~bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy
++++ a/lib/bootconfig.c
+@@ -63,7 +63,7 @@ static inline void * __init xbc_alloc_me
+
+ static inline void __init xbc_free_mem(void *addr, size_t size)
+ {
+- memblock_free(addr, size);
++ memblock_free_late(__pa(addr), size);
+ }
+
+ #else /* !__KERNEL__ */
+_
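Review bot: memblock_free_late() is only correct on the late path the KASAN trace shows (xbc_exit() from kernel_init(), after memblock has handed its memory to buddy); if xbc_free_mem() is also reached from an early failure path while memblock is still the live allocator — its callers are outside this hunk, so this is inferred — the new line would push pages into a buddy allocator that is not yet initialised, so the helper should distinguish the two cases, e.g. `if (early) memblock_free(addr, size); else memblock_free_late(__pa(addr), size);` with the caller passing the flag. As I read __memblock_free_late(), it frees only the whole pages between PFN_UP(base) and PFN_DOWN(base + size), so unless the xbc buffers are page-aligned (the allocation side, xbc_alloc_mem, is cut off at the hunk header) the partial pages at either end are never returned; that is a small leak rather than a memory-safety issue, but it deserves a comment such as `/* only fully-contained pages are returned to buddy; edge pages stay allocated */`. xbc_free_mem() is shown whole, but its callers and the matching allocator are not in this hunk.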
diff --git a/patches/mm-arm64-override-mkold_clean_ptes-batch-helper.patch b/patches/old/mm-arm64-override-mkold_clean_ptes-batch-helper.patch
index 0cbb2e1d3..0cbb2e1d3 100644
--- a/patches/mm-arm64-override-mkold_clean_ptes-batch-helper.patch
+++ b/patches/old/mm-arm64-override-mkold_clean_ptes-batch-helper.patch
diff --git a/patches/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch b/patches/old/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch
index 36061e228..36061e228 100644
--- a/patches/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch
+++ b/patches/old/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch
diff --git a/pc/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.pc b/pc/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.pc
new file mode 100644
index 000000000..de7c0321c
--- /dev/null
+++ b/pc/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.pc
@@ -0,0 +1 @@
+lib/bootconfig.c
diff --git a/pc/devel-series b/pc/devel-series
index a7e5c906c..2c1ddbe36 100644
--- a/pc/devel-series
+++ b/pc/devel-series
@@ -99,6 +99,8 @@ fork-defer-linking-file-vma-until-vma-is-fully-initialized.patch
#
selftests-harness-remove-use-of-line_max.patch
#
+bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.patch
+#
### hfe
#
#ENDBRANCH mm-hotfixes-unstable
@@ -556,10 +558,6 @@ mm-debug-print-only-page-mapcount-excluding-folio-entire-mapcount-in-__dump_foli
documentation-admin-guide-cgroup-v1-memoryrst-dont-reference-page_mapcount.patch
#
#
-#mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch: usual async concerns TBU https://lkml.kernel.org/r/8d674b15-ef74-4d96-bc27-8794f744517c@arm.com
-mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.patch
-#mm-arm64-override-mkold_clean_ptes-batch-helper.patch: https://lkml.kernel.org/r/3cd1036d-3814-4a10-b6d2-099937ceabc8@arm.com
-mm-arm64-override-mkold_clean_ptes-batch-helper.patch
#
arm64-mm-drop-vm_fault_badmap-vm_fault_badaccess.patch
arm-mm-drop-vm_fault_badmap-vm_fault_badaccess.patch
diff --git a/pc/mm-arm64-override-mkold_clean_ptes-batch-helper.pc b/pc/mm-arm64-override-mkold_clean_ptes-batch-helper.pc
deleted file mode 100644
index ba3c28b5d..000000000
--- a/pc/mm-arm64-override-mkold_clean_ptes-batch-helper.pc
+++ /dev/null
@@ -1,2 +0,0 @@
-arch/arm64/include/asm/pgtable.h
-arch/arm64/mm/contpte.c
diff --git a/pc/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.pc b/pc/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.pc
deleted file mode 100644
index ac995ae95..000000000
--- a/pc/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.pc
+++ /dev/null
@@ -1,4 +0,0 @@
-include/linux/pgtable.h
-mm/internal.h
-mm/madvise.c
-mm/memory.c
diff --git a/txt/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.txt b/txt/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.txt
new file mode 100644
index 000000000..0c0c9ad0d
--- /dev/null
+++ b/txt/bootconfig-use-memblock_free_late-to-free-xbc-memory-to-buddy.txt
@@ -0,0 +1,61 @@
+From: Qiang Zhang <qiang4.zhang@intel.com>
+Subject: bootconfig: use memblock_free_late to free xbc memory to buddy
+Date: Fri, 12 Apr 2024 10:41:04 +0800
+
+At the time to free xbc memory, memblock has handed over memory to buddy
+allocator. So it doesn't make sense to free memory back to memblock.
+memblock_free() called by xbc_exit() even causes UAF bugs on architectures
+with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. Following KASAN logs
+shows this case.
+
+[ 9.410890] ==================================================================
+[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260
+[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1
+
+[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5
+[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023
+[ 9.460789] Call Trace:
+[ 9.463518] <TASK>
+[ 9.465859] dump_stack_lvl+0x53/0x70
+[ 9.469949] print_report+0xce/0x610
+[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0
+[ 9.478619] ? memblock_isolate_range+0x12d/0x260
+[ 9.483877] kasan_report+0xc6/0x100
+[ 9.487870] ? memblock_isolate_range+0x12d/0x260
+[ 9.493125] memblock_isolate_range+0x12d/0x260
+[ 9.498187] memblock_phys_free+0xb4/0x160
+[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10
+[ 9.508021] ? mutex_unlock+0x7e/0xd0
+[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10
+[ 9.516786] ? kernel_init_freeable+0x2d4/0x430
+[ 9.521850] ? __pfx_kernel_init+0x10/0x10
+[ 9.526426] xbc_exit+0x17/0x70
+[ 9.529935] kernel_init+0x38/0x1e0
+[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30
+[ 9.538601] ret_from_fork+0x2c/0x50
+[ 9.542596] ? __pfx_kernel_init+0x10/0x10
+[ 9.547170] ret_from_fork_asm+0x1a/0x30
+[ 9.551552] </TASK>
+
+[ 9.555649] The buggy address belongs to the physical page:
+[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30
+[ 9.570821] flags: 0x200000000000000(node=0|zone=2)
+[ 9.576271] page_type: 0xffffffff()
+[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000
+[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
+[ 9.597476] page dumped because: kasan: bad access detected
+
+[ 9.605362] Memory state around the buggy address:
+[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.634930] ^
+[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.654675] ==================================================================
+
+Link: https://lkml.kernel.org/r/20240412024103.3078378-1-qiang4.zhang@linux.intel.com
+Signed-off-by: Qiang Zhang <qiang4.zhang@intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
diff --git a/txt/mm-hugetlb-convert-dissolve_free_huge_pages-to-folios.txt b/txt/mm-hugetlb-convert-dissolve_free_huge_pages-to-folios.txt
index 87b440018..eee0562a9 100644
--- a/txt/mm-hugetlb-convert-dissolve_free_huge_pages-to-folios.txt
+++ b/txt/mm-hugetlb-convert-dissolve_free_huge_pages-to-folios.txt
@@ -8,6 +8,7 @@ directly and use page_folio() to convert the caller in mm/memory-failure.
Link: https://lkml.kernel.org/r/20240411164756.261178-1-sidhartha.kumar@oracle.com
Signed-off-by: Sidhartha Kumar <sidhartha.kumar@oracle.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
diff --git a/txt/mm-arm64-override-mkold_clean_ptes-batch-helper.txt b/txt/old/mm-arm64-override-mkold_clean_ptes-batch-helper.txt
index e03ee0ed8..e03ee0ed8 100644
--- a/txt/mm-arm64-override-mkold_clean_ptes-batch-helper.txt
+++ b/txt/old/mm-arm64-override-mkold_clean_ptes-batch-helper.txt
diff --git a/txt/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.txt b/txt/old/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.txt
index 91cd9dcda..91cd9dcda 100644
--- a/txt/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.txt
+++ b/txt/old/mm-madvise-optimize-lazyfreeing-with-mthp-in-madvise_free.txt