public inbox for netdev@vger.kernel.org
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Christoph Lameter <cl@linux.com>
Cc: Vegard Nossum <vegardno@ifi.uio.no>,
	Pekka Enberg <penberg@cs.helsinki.fi>,
	casteyde.christian@free.fr,
	Andrew Morton <akpm@linux-foundation.org>,
	netdev@vger.kernel.org, bugzilla-daemon@bugzilla.kernel.org,
	bugme-daemon@bugzilla.kernel.org
Subject: Re: [Bugme-new] [Bug 33502] New: Caught 64-bit read from uninitialized memory in __alloc_skb
Date: Tue, 10 May 2011 20:05:54 +0200
Message-ID: <1305050754.2758.12.camel@edumazet-laptop>
In-Reply-To: <alpine.DEB.2.00.1105101242420.2875@router.home>

On Tuesday, 10 May 2011 at 12:43 -0500, Christoph Lameter wrote:
> Draft for a patch
> 
> 
> Subject: slub: Make CONFIG_PAGE_ALLOC work with new fastpath
> 
> Fastpath can do a speculative access to a page that CONFIG_PAGE_ALLOC may have
> marked as invalid to retrieve the pointer to the next free object.
> 
> Probe that address before dereferencing the pointer to the page.
> All of that needs to occur with interrupts disabled since an interrupt
> could cause the page status to change (as pointed out by Eric).
> 
> Signed-off-by: Christoph Lameter <cl@linux.com>
> ---
>  mm/slub.c |   23 ++++++++++++++++++++++-
>  1 file changed, 22 insertions(+), 1 deletion(-)
> 
> Index: linux-2.6/mm/slub.c
> ===================================================================
> --- linux-2.6.orig/mm/slub.c	2011-05-10 12:35:30.000000000 -0500
> +++ linux-2.6/mm/slub.c	2011-05-10 12:38:53.000000000 -0500
> @@ -261,6 +261,27 @@ static inline void *get_freepointer(stru
>  	return *(void **)(object + s->offset);
>  }
> 
> +static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
> +{
> +	void *p;
> +
> +#ifdef CONFIG_PAGE_ALLOC
> +	unsigned long flags;
> +
> +	local_irq_save(flags);
> +
> +	if (probe_kernel_address(object))
> +		p = NULL;	/* Invalid */
> +	else
> +		p = get_freepointer(s, object);
> +
> +	local_irq_restore(flags);
> +#else
> +	p = get_freepointer(s, object);
> +#endif
> +	return p;
> +}
> +
>  static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
>  {
>  	*(void **)(object + s->offset) = fp;
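Review bot: in `get_freepointer_safe()` the `probe_kernel_address(object)` call does not match the helper's signature, which takes the address plus a destination variable (`probe_kernel_address(addr, retval)`) and copies `sizeof(retval)` bytes into it, so this line will not compile as written. It also probes `object` itself while the pointer that `get_freepointer()` dereferences lives at `object + s->offset`; probing that address instead, e.g. `probe_kernel_address(object + s->offset, p)` with `p = NULL` on failure, checks the bytes actually read. Separately, `CONFIG_PAGE_ALLOC` is not a Kconfig symbol (the option that unmaps freed pages is `CONFIG_DEBUG_PAGEALLOC`), so the guarded branch is never built and the `#else` path is always used.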
> @@ -1933,7 +1954,7 @@ redo:
>  		if (unlikely(!irqsafe_cpu_cmpxchg_double(
>  				s->cpu_slab->freelist, s->cpu_slab->tid,
>  				object, tid,
> -				get_freepointer(s, object), next_tid(tid)))) {
> +				get_freepointer_safe(s, object), next_tid(tid)))) {
> 
>  			note_cmpxchg_failure("slab_alloc", s, tid);
>  			goto redo;
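Review bot: the `local_irq_save()` inside `get_freepointer_safe()` only begins after `object` has already been loaded from `s->cpu_slab->freelist` with interrupts enabled, so an interrupt between that load and the probe can allocate `object` and hand it to another CPU, which can free it and have its page unmapped before the probe runs; the window the changelog says must be covered with interrupts disabled therefore is not. Either extend the interrupts-disabled section in `slab_alloc()` to cover the load of `object`, the probe and the freepointer read together, or add a comment stating that correctness relies solely on the `tid` check in `irqsafe_cpu_cmpxchg_double()` rejecting the stale `object`, since a probe failure currently feeds `NULL` in as the candidate new freelist head with nothing explaining why that is safe.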


Really, this won't work, Stephen.

You have to disable IRQ _before_ even fetching 'object'.

Or else, you can have an IRQ, allocate this object, pass to another cpu.

This other cpu can free the object and unmap the page right after you did
the probe_kernel_address(object) (successfully), and before your cpu does:

p = get_freepointer(s, object); << BUG >>

I really don't understand your motivation to keep the buggy commit.