From patchwork Fri Jul 28 10:55:12 2023
X-Patchwork-Submitter: Mike Rapoport
X-Patchwork-Id: 13331702
From: Mike Rapoport
To: Linus Torvalds
Cc: Andrew Morton, Mike Rapoport, Rik van Riel, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel test robot
Subject: [PATCH] Revert "mm,memblock: reset memblock.reserved to system init state to prevent UAF"
Date: Fri, 28 Jul 2023 13:55:12 +0300
Message-Id: <20230728105512.2258393-1-rppt@kernel.org>

From: "Mike Rapoport (IBM)"

This reverts commit 9e46e4dcd9d6cd88342b028dbfa5f4fb7483d39c.

kbuild reports a warning in memblock_remove_region() because of a false
positive caused by partial reset of the memblock state. Doing the full
reset will remove the false positives, but will allow late use of
memblock_free() to go unnoticed, so it is better to revert the offending
commit.

WARNING: CPU: 0 PID: 1 at mm/memblock.c:352 memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.5.0-rc3-00001-g9e46e4dcd9d6 #2
RIP: 0010:memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
Code: 00 00 48 8b 43 18 48 c7 40 08 00 00 00 00 48 8b 43 18 c7 40 10 00 00 00 00 48 8b 43 18 c7 40 14 00 04 00 00 5b c3 cc cc cc cc <0f> 0b eb c2 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00
RSP: 0000:ffa0000000077e78 EFLAGS: 00010206
RAX: ffffffff82f4bc40 RBX: ffffffff82f4bc18 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82f4bc58 RDI: ffffffff82f4bc40
RBP: 0000000000000000 R08: ff1100207ffd4d00 R09: 0000000000000002
R10: ffd4000081ff9d00 R11: ff1100207ffd4000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ff1100103f200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ff1100207fc00000 CR3: 000000207ea18001 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 ? __warn (kbuild/src/x86_64/kernel/panic.c:673)
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 ? report_bug (kbuild/src/x86_64/lib/bug.c:180 kbuild/src/x86_64/lib/bug.c:219)
 ? handle_bug (kbuild/src/x86_64/arch/x86/kernel/traps.c:324)
 ? exc_invalid_op (kbuild/src/x86_64/arch/x86/kernel/traps.c:345 (discriminator 1))
 ? asm_exc_invalid_op (kbuild/src/x86_64/arch/x86/include/asm/idtentry.h:568)
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:352 (discriminator 1))
 ? memblock_remove_region (kbuild/src/x86_64/mm/memblock.c:348)
 memblock_discard (kbuild/src/x86_64/mm/memblock.c:383)
 page_alloc_init_late (kbuild/src/x86_64/include/linux/find.h:208 kbuild/src/x86_64/include/linux/nodemask.h:266 kbuild/src/x86_64/mm/mm_init.c:2405)
 kernel_init_freeable (kbuild/src/x86_64/init/main.c:1325 kbuild/src/x86_64/init/main.c:1546)
 ? __pfx_kernel_init (kbuild/src/x86_64/init/main.c:1429)
 kernel_init (kbuild/src/x86_64/init/main.c:1439)
 ret_from_fork (kbuild/src/x86_64/arch/x86/kernel/process.c:145)
 ? __pfx_kernel_init (kbuild/src/x86_64/init/main.c:1429)
 ret_from_fork_asm (kbuild/src/x86_64/arch/x86/entry/entry_64.S:298)
RIP: 0000:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Reported-by: kernel test robot
Closes: https://lore.kernel.org/oe-lkp/202307271656.447aa17e-oliver.sang@intel.com
Signed-off-by: Mike Rapoport (IBM)
---
Hi,

Looks like I didn't wait enough for kbuild :(

Linus, do you prefer a pull request or to pick it right away?

 mm/memblock.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/mm/memblock.c b/mm/memblock.c
index c39b36378f5d..f9e61e565a53 100644
--- a/mm/memblock.c
+++ b/mm/memblock.c
@@ -374,10 +374,6 @@ void __init memblock_discard(void) kfree(memblock.reserved.regions); else memblock_free_late(addr, size); - /* Reset to prevent UAF from stray frees. */ - memblock.reserved.regions = memblock_reserved_init_regions; - memblock.reserved.cnt = 1; - memblock_remove_region(&memblock.reserved, 0); } if (memblock.memory.regions != memblock_memory_init_regions) {
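Review bot: with the four lines removed, memblock.reserved.regions is left pointing at the array that the preceding kfree()/memblock_free_late() just released, so the dangling pointer the reverted commit was written against is back and a late memblock_free() would again operate on freed memory with no diagnostic. The removed reset was also only partial: it reassigned `memblock.reserved.regions` and set `memblock.reserved.cnt = 1`, but never touched `total_size`, and then routed the cleanup through `memblock_remove_region(&memblock.reserved, 0)`, which handed that function a type whose counters no longer agreed; that mismatch is the "partial reset" the commit message blames for the warning at mm/memblock.c:352. The revert itself is the right immediate fix, but a follow-up should reset regions, cnt and total_size together (without going through memblock_remove_region()) and, to keep the concern in the message about late memblock_free() calls going unnoticed, pair that with an explicit warning on the memblock_free() path once memblock_discard() has run, rather than relying on the array-consistency check to fire by accident.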
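To make the trade-off in the commit message concrete, the following is an added toy model, not kernel code and not part of this patch or its author's work, of the three ways memblock_discard() can leave memblock.reserved after freeing its regions array: no reset (the state after this revert), the partial reset the reverted commit did, and a full reset. The model's remove_region() assumes that the kernel's empty-array handling in memblock_remove_region() warns when total_size is still nonzero; struct mb_type, init_regions, run_scenario() and the sample regions are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct region { unsigned long base, size; };

/* Toy stand-in for struct memblock_type, reduced to the fields the reverted
 * lines touched (regions, cnt) or left alone (total_size). */
struct mb_type {
    struct region *regions;
    unsigned long cnt;
    unsigned long total_size;
};

enum reset_mode { RESET_NONE, RESET_PARTIAL, RESET_FULL };

/* Stand-in for the static memblock_reserved_init_regions[] array. */
static struct region init_regions[8];

/* How many times the WARN_ON-style check in remove_region() fired. */
static int warnings;

/* Modelled on memblock_remove_region().  Assumption: when the array becomes
 * empty the kernel warns if total_size is still nonzero and then re-creates
 * one empty region; that check is taken to be the one at mm/memblock.c:352. */
static void remove_region(struct mb_type *t, unsigned long r)
{
    t->total_size -= t->regions[r].size;
    memmove(&t->regions[r], &t->regions[r + 1],
            (t->cnt - (r + 1)) * sizeof(t->regions[r]));
    t->cnt--;
    if (t->cnt == 0) {
        if (t->total_size != 0)
            warnings++;                  /* WARN_ON(type->total_size != 0) */
        t->cnt = 1;
        t->regions[0].base = 0;
        t->regions[0].size = 0;
    }
}

/* Constructed input: a reserved type whose array has already been moved to
 * a heap buffer, as happens once memblock outgrows the static array. */
static void setup_reserved(struct mb_type *t)
{
    t->regions = calloc(8, sizeof(*t->regions));
    if (!t->regions)
        abort();
    t->regions[0] = (struct region){ 0x100000, 0x800000 };
    t->regions[1] = (struct region){ 0x2000000, 0x10000 };
    t->cnt = 2;
    t->total_size = 0x800000 + 0x10000;
}

/* Toy memblock_discard(): free the heap array, then apply one of the three
 * reset policies.  Returns the freed address so the caller can tell whether
 * t->regions was left pointing at it. */
static uintptr_t discard(struct mb_type *t, enum reset_mode mode)
{
    uintptr_t old = (uintptr_t)t->regions;

    free(t->regions);                    /* kfree()/memblock_free_late() */
    memset(init_regions, 0, sizeof(init_regions));

    switch (mode) {
    case RESET_NONE:                     /* state after this revert */
        break;
    case RESET_PARTIAL:                  /* the reverted commit */
        t->regions = init_regions;
        t->cnt = 1;
        remove_region(t, 0);             /* total_size is still 0x810000 */
        break;
    case RESET_FULL:                     /* the alternative the message rejects */
        t->regions = init_regions;
        t->cnt = 1;
        t->total_size = 0;
        break;
    }
    return old;
}

struct outcome {
    int warned;        /* consistency warnings raised during discard */
    bool dangling;     /* regions still points at the freed array */
};

/* Run one discard policy from the same constructed starting state. */
struct outcome run_scenario(enum reset_mode mode)
{
    struct mb_type reserved;
    struct outcome out;
    uintptr_t freed;

    warnings = 0;
    setup_reserved(&reserved);
    freed = discard(&reserved, mode);
    out.warned = warnings;
    out.dangling = ((uintptr_t)reserved.regions == freed);
    return out;
}
```

RESET_PARTIAL is the only policy that trips the check, because cnt is forced to 1 while total_size keeps the old sum, so removing the single empty region leaves an "empty" array that still claims 0x810000 bytes. RESET_NONE fires nothing but leaves regions dangling, and RESET_FULL fires nothing and leaves a clean empty type, which is exactly why a later memblock_free() would pass through it unnoticed.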