* [PATCH] powerpc: Fix size check for hugetlbfs
From: Benjamin Herrenschmidt @ 2007-08-08 5:44 UTC
To: linuxppc-dev list; +Cc: Paul Mackerras, stable

My "slices" address space management code that was added in 2.6.22
implementation of get_unmapped_area() doesn't properly check that the
size is a multiple of the requested page size. This allows userland to
create VMAs that aren't a multiple of the huge page size with hugetlbfs
(since hugetlbfs entirely relies on get_unmapped_area() to do that
checking) which leads to a kernel BUG() when such areas are torn down.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---

This should go to 2.6.22.x stable in addition to current 2.6.23-*

Index: linux-work/arch/powerpc/mm/slice.c
===================================================================
--- linux-work.orig/arch/powerpc/mm/slice.c 2007-08-08 15:16:06.000000000 +1000
+++ linux-work/arch/powerpc/mm/slice.c 2007-08-08 15:16:41.000000000 +1000
@@ -405,6 +405,8 @@ unsigned long slice_get_unmapped_area(un if (len > mm->task_size) return -ENOMEM; + if (len & ((1ul << pshift) - 1)) + return -EINVAL; if (fixed && (addr & ((1ul << pshift) - 1))) return -EINVAL; if (fixed && addr > (mm->task_size - len))
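Review bot: the new test after the task_size check rejects a len that is not a multiple of 1 << pshift, and together with the existing fixed-address test that covers size and address alignment, but nothing in this hunk checks that the file offset is aligned to the huge page size; the follow-ups in this thread report that a hugetlbfs mapping with a misaligned offset still succeeds after this patch, so the commit message should say where offset alignment is expected to be enforced. A short comment above the new `if (len & ((1ul << pshift) - 1))` would also help: for base-page callers the test is a no-op because core mm already PAGE_ALIGNs len before calling get_unmapped_area, and it only bites for hugetlbfs' larger pshift, which is the reason it belongs in the generic slice path.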
* patch powerpc-fix-size-check-for-hugetlbfs.patch queued to -stable tree
From: gregkh @ 2007-08-13 23:26 UTC
To: benh, gregkh, linuxppc-dev, paulus; +Cc: stable-commits

This is a note to let you know that we have just queued up the patch titled

    Subject: powerpc: Fix size check for hugetlbfs

to the 2.6.22-stable tree. Its filename is

    powerpc-fix-size-check-for-hugetlbfs.patch

A git repo of this tree can be found at
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary


>From benh@kernel.crashing.org Mon Aug 13 16:17:09 2007
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date: Wed, 08 Aug 2007 15:44:15 +1000
Subject: powerpc: Fix size check for hugetlbfs
To: linuxppc-dev list <linuxppc-dev@ozlabs.org>
Cc: Paul Mackerras <paulus@samba.org>, stable@kernel.org
Message-ID: <1186551855.938.164.camel@localhost.localdomain>

From: Benjamin Herrenschmidt <benh@kernel.crashing.org>

My "slices" address space management code that was added in 2.6.22
implementation of get_unmapped_area() doesn't properly check that the
size is a multiple of the requested page size. This allows userland to
create VMAs that aren't a multiple of the huge page size with hugetlbfs
(since hugetlbfs entirely relies on get_unmapped_area() to do that
checking) which leads to a kernel BUG() when such areas are torn down.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

--- linux-work.orig/arch/powerpc/mm/slice.c 2007-08-08 15:16:06.000000000 +1000
+++ linux-work/arch/powerpc/mm/slice.c 2007-08-08 15:16:41.000000000 +1000
@@ -405,6 +405,8 @@ unsigned long slice_get_unmapped_area(un if (len > mm->task_size) return -ENOMEM; + if (len & ((1ul << pshift) - 1)) + return -EINVAL; if (fixed && (addr & ((1ul << pshift) - 1))) return -EINVAL; if (fixed && addr > (mm->task_size - len))

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable

Patches currently in stable-queue which might be from benh@kernel.crashing.org are

queue-2.6.22/ppc-revert-don-t-complain-if-size-cells-0-in-prom_parse.patch
queue-2.6.22/ppc-revert-add-mdio-to-bus-scan-id-list-for-platforms-with-qe-uec.patch
queue-2.6.22/powerpc-fix-size-check-for-hugetlbfs.patch
* Re: patch powerpc-fix-size-check-for-hugetlbfs.patch queued to -stable tree
From: David Gibson @ 2007-08-14 6:45 UTC
To: gregkh; +Cc: stable-commits, paulus, linuxppc-dev

On Mon, Aug 13, 2007 at 04:26:27PM -0700, gregkh@suse.de wrote:
>
> This is a note to let you know that we have just queued up the patch titled
>
> Subject: powerpc: Fix size check for hugetlbfs
>
> to the 2.6.22-stable tree. Its filename is
>
> powerpc-fix-size-check-for-hugetlbfs.patch
>
> A git repo of this tree can be found at
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
>
> >From benh@kernel.crashing.org Mon Aug 13 16:17:09 2007
> From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> Date: Wed, 08 Aug 2007 15:44:15 +1000
> Subject: powerpc: Fix size check for hugetlbfs
> To: linuxppc-dev list <linuxppc-dev@ozlabs.org>
> Cc: Paul Mackerras <paulus@samba.org>, stable@kernel.org
> Message-ID: <1186551855.938.164.camel@localhost.localdomain>
>
> From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>
> My "slices" address space management code that was added in 2.6.22
> implementation of get_unmapped_area() doesn't properly check that the
> size is a multiple of the requested page size. This allows userland to
> create VMAs that aren't a multiple of the huge page size with hugetlbfs
> (since hugetlbfs entirely relies on get_unmapped_area() to do that
> checking) which leads to a kernel BUG() when such areas are torn down.

Ok, I said I was going to look into a libhugetlbfs testcase for this.
Doesn't appear there's specifically a testcase for misaligned size -
I'll add one.

However, it seems the current kernel, on ppc64, gives a testcase
failure on 'misaligned_offset', because it's not failing a mapping
with a non-hugepage aligned file offset. I'm not sure (yet) if this
failure is also caused by the new slice code, but it seems a likely
candidate.

Still investigating...

--
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
* Re: patch powerpc-fix-size-check-for-hugetlbfs.patch queued to -stable tree
From: David Gibson @ 2007-08-14 7:48 UTC
To: gregkh, benh, linuxppc-dev, paulus, stable-commits

On Tue, Aug 14, 2007 at 04:45:34PM +1000, David Gibson wrote:
> On Mon, Aug 13, 2007 at 04:26:27PM -0700, gregkh@suse.de wrote:
> >
> > This is a note to let you know that we have just queued up the patch titled
> >
> > Subject: powerpc: Fix size check for hugetlbfs
> >
> > to the 2.6.22-stable tree. Its filename is
> >
> > powerpc-fix-size-check-for-hugetlbfs.patch
> >
> > A git repo of this tree can be found at
> > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >
> >
> > >From benh@kernel.crashing.org Mon Aug 13 16:17:09 2007
> > From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> > Date: Wed, 08 Aug 2007 15:44:15 +1000
> > Subject: powerpc: Fix size check for hugetlbfs
> > To: linuxppc-dev list <linuxppc-dev@ozlabs.org>
> > Cc: Paul Mackerras <paulus@samba.org>, stable@kernel.org
> > Message-ID: <1186551855.938.164.camel@localhost.localdomain>
> >
> > From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> >
> > My "slices" address space management code that was added in 2.6.22
> > implementation of get_unmapped_area() doesn't properly check that the
> > size is a multiple of the requested page size. This allows userland to
> > create VMAs that aren't a multiple of the huge page size with hugetlbfs
> > (since hugetlbfs entirely relies on get_unmapped_area() to do that
> > checking) which leads to a kernel BUG() when such areas are torn down.
>
> Ok, I said I was going to look into a libhugetlbfs testcase for this.
> Doesn't appear there's specifically a testcase for misaligned size -
> I'll add one.
>
> However, it seems the current kernel, on ppc64, gives a testcase
> failure on 'misaligned_offset', because it's not failing a mapping
> with a non-hugepage aligned file offset. I'm not sure (yet) if this
> failure is also caused by the new slice code, but it seems a likely
> candidate.

I have written a new test for the handling of misaligned addresses,
lengths and offsets for libhugetlbfs. With it I've verified that this
patch does correct a serious problem with length handling - without
the patch this new testcase causes an oops for me. It's simpler than
the 'misaligned_offset' testcase in which the misaligned mapping was
just a step to triggering a different and much more subtle kernel bug
(where the misaligned mapping failed, but corrupted some pagetables in
the process).

But the testcase still fails because a mapping with misaligned offset
still succeeds. Still don't know if this is related to the same slice
changes or not. Need to do a bisect, but I'm putting it off because I
have some other bugs to chase.

--
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
* Re: patch powerpc-fix-size-check-for-hugetlbfs.patch queued to -stable tree
From: David Gibson @ 2007-08-16 3:53 UTC
To: gregkh, benh, linuxppc-dev, paulus, stable-commits

[snip]
> I have written a new test for the handling of misaligned addresses,
> lengths and offsets for libhugetlbfs. With it I've verified that this
> patch does correct a serious problem with length handling - without
> the patch this new testcase causes an oops for me. It's simpler than
> the 'misaligned_offset' testcase in which the misaligned mapping was
> just a step to triggering a different and much more subtle kernel bug
> (where the misaligned mapping failed, but corrupted some pagetables in
> the process).
>
> But the testcase still fails because a mapping with misaligned offset
> still succeeds. Still don't know if this is related to the same slice
> changes or not. Need to do a bisect, but I'm putting it off because I
> have some other bugs to chase.

Ok, I've identified the cause of the problems with misaligned offset.
It's not with the slice code per se, but it did come in with BenH's
series of get_unmapped_area() reworks leading up to commit
4b1d89290b62bb2db476c94c82cf7442aab440c8. Prior to that, checking that
the pgoff was hugepage aligned was the responsibility of
prepare_hugepage_range(). But after that batch of patches,
prepare_hugepage_range() is only called for non-MAP_FIXED mappings,
hence the bug.

I'm not immediately sure how best to fix this:

- Replace the prepare_hugepage_range() call for non-FIXED mappings.
  That will mean two different paths making calls to
  prepare_hugepage_range(), which is a bit ugly. Especially since the
  call for the non-FIXED case will be for an area that is already
  hugepage prepared (on powerpc, the only arch with non-trivial
  "preparation" necessary) so we'll just be relying on the fact that
  prepare_hugepage_range() is idempotent.

- Remove the test from prepare_hugepage_range() and instead put it in
  each of the hugepage get_unmapped_area() variants. Removes the
  ugliness above, traps the problem reasonably early, keeps the test
  for pgoff alignment close to the test for address and length
  alignment, but means making the check in each of a half-dozen or so
  arch versions of hugetlb_get_unmapped_area()

- Remove the test from prepare_hugepage_range() and instead put it in
  the hugetlbfs ->mmap() callback. Means the fix goes in one place
  only, but it's far removed from the similar tests for address and
  length alignment. Also, the mmap() gets quite a long way in before
  we catch the misalignment, and we have to roll-back creating the vma
  and so forth.

Thoughts?

--
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
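As an added illustration (not code from the thread, the kernel or libhugetlbfs), here is a userspace model of the three alignment checks the thread turns on: the len check this patch adds to slice_get_unmapped_area(), the MAP_FIXED addr check already there, and the pgoff check that prepare_hugepage_range() used to perform, placed beside the other two as in David Gibson's second option. The base page shift, task_size, huge page size and the errno for an out-of-range fixed address are assumptions chosen to resemble ppc64, and check_hugetlb_args() is a hypothetical name.

```c
/* Added model, not kernel code: validates a hugetlbfs mmap request as one
 * pure function so the ordering and error codes can be exercised in userspace.
 * Assumes a 4K base page; pgoff counts base pages, as ->get_unmapped_area sees it. */
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>   /* MAP_FIXED */

#define BASE_PAGE_SHIFT 12  /* assumed 4K base page */
/* Returns 0 when (addr, len, pgoff) is acceptable for huge pages of size
 * 1 << hpage_shift, else a negative errno. */
long check_hugetlb_args(unsigned long addr, unsigned long len,
                        unsigned long pgoff, unsigned long flags,
                        unsigned long task_size, unsigned int hpage_shift)
{
    unsigned long hmask = (1UL << hpage_shift) - 1;
    unsigned long pgoff_mask = (1UL << (hpage_shift - BASE_PAGE_SHIFT)) - 1;
    int fixed = (flags & MAP_FIXED) != 0;

    if (len > task_size)
        return -ENOMEM;
    if (len & hmask)                 /* the check this patch adds */
        return -EINVAL;
    if (fixed && (addr & hmask))     /* already in slice_get_unmapped_area */
        return -EINVAL;
    if (fixed && addr > task_size - len)  /* subtraction form cannot wrap */
        return -ENOMEM;              /* assumed errno; not shown in the hunk */
    if (pgoff & pgoff_mask)          /* the offset check the thread finds missing */
        return -EINVAL;
    return 0;
}

int main(void)
{
    const unsigned long task_size = 1UL << 46;  /* assumed user address limit */
    const unsigned long hpage = 16UL << 20;     /* 16MB huge pages, hpage_shift 24 */
    struct { unsigned long addr, len, pgoff, flags; const char *what; } c[] = {
        { 0, hpage, 0, 0, "aligned len" },
        { 0, hpage + 4096, 0, 0, "len PAGE_ALIGNed but not hugepage aligned (the BUG() case)" },
        { hpage + 4096, hpage, 0, MAP_FIXED, "MAP_FIXED, misaligned addr" },
        { 0, hpage, 1, 0, "file offset of one base page" },
    };
    for (unsigned i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-62s -> %ld\n", c[i].what,
               check_hugetlb_args(c[i].addr, c[i].len, c[i].pgoff,
                                  c[i].flags, task_size, 24));
    return 0;
}
```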