diff options
| author | 2017-08-18 15:16:05 -0700 | |
|---|---|---|
| committer | 2017-08-18 15:32:01 -0700 | |
| commit | 3010f876500f9ba921afaeccec30c45ca6584dc8 (patch) | |
| tree | 61f656b6b3f56459f27cb11944102bf3dfcc162b /lib/debugobjects.c | |
| parent | test_kmod: fix description for -s -and -c parameters (diff) | |
| download | wireguard-linux-3010f876500f9ba921afaeccec30c45ca6584dc8.tar.xz wireguard-linux-3010f876500f9ba921afaeccec30c45ca6584dc8.zip | |
mm: discard memblock data later
There is existing use after free bug when deferred struct pages are
enabled:
The memblock_add() allocates memory for the memory array if more than
128 entries are needed.  See comment in e820__memblock_setup():
  * The bootstrap memblock region count maximum is 128 entries
  * (INIT_MEMBLOCK_REGIONS), but EFI might pass us more E820 entries
  * than that - so allow memblock resizing.
This memblock memory is freed here:
        free_low_memory_core_early()
We access the freed memblock.memory later in boot when deferred pages
are initialized in this path:
        deferred_init_memmap()
                for_each_mem_pfn_range()
                  __next_mem_pfn_range()
                    type = &memblock.memory;
One possible explanation for why this use-after-free hasn't been hit
before is that the limit of INIT_MEMBLOCK_REGIONS has never been
exceeded at least on systems where deferred struct pages were enabled.
Tested by reducing INIT_MEMBLOCK_REGIONS down to 4 from the current 128,
and verifying in qemu that this code is getting excuted and that the
freed pages are sane.
Link: http://lkml.kernel.org/r/1502485554-318703-2-git-send-email-pasha.tatashin@oracle.com
Fixes: 7e18adb4f80b ("mm: meminit: initialise remaining struct pages in parallel with kswapd")
Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: Bob Picco <bob.picco@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'lib/debugobjects.c')
0 files changed, 0 insertions, 0 deletions
