KASan: out of bounds access in isolate_migratepages_range
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Gavin Guo |
Trusty | Fix Released | Medium | Gavin Guo |
Bug Description
[Impact]
In the v3.13.0-76 kernel with KASan backported, the following error message could be observed during the kernel building stress test with the command[1]: "./parallel-
That means building 40 kernels at the same time, for 2 rounds.
The bad access happens when we read page->mapping-
page->mapping is a pointer to an anon_vma that has already been freed in the do_exit path.
=======
BUG: KASan: out of bounds access in isolate_
Read of size 8 by task cc1/27473
=======
BUG anon_vma (Not tainted): kasan: bad access detected
-------
Disabling lock debugging due to kernel taint
INFO: Allocated in anon_vma_
INFO: Freed in __put_anon_
INFO: Slab 0xffffea0009e73100 objects=43 used=30 fp=0xffff880279
INFO: Object 0xffff880279cc7658 @offset=13912 fp=0xffff880279
Bytes b4 ffff880279cc7648: 10 00 00 00 5b 17 00 00 ef 25 6b 03 01 00 00 00 ....[....%k.....
Object ffff880279cc7658: 58 76 cc 79 02 88 ff ff 00 00 00 00 00 00 00 00 Xv.y............
Object ffff880279cc7668: 00 00 00 00 5a 5a 5a 5a 70 76 cc 79 02 88 ff ff ....ZZZZpv.y....
Object ffff880279cc7678: 70 76 cc 79 02 88 ff ff 01 00 00 00 03 00 00 00 pv.y............
Object ffff880279cc7688: 58 76 cc 79 02 88 ff ff b8 2a 20 31 02 88 ff ff Xv.y.....* 1....
CPU: 8 PID: 27473 Comm: cc1 Tainted: G B 3.13.0-76-generic #120hf00073670v
Hardware name: Cisco Systems Inc UCSC-C220-
Call Trace:
Memory state around the buggy address:
ffff880279cc7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880279cc7600: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00
>ffff880279cc7680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880279cc7700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880279cc7780: fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 00
=======
gavin@rotom:
constant_test_bit
/home/gavin/
mapping_balloon
/home/gavin/
__is_movable_
/home/gavin/
balloon_
/home/gavin/
isolate_
/home/gavin/
>8-----
/home/gavin/
310 static __always_inline int constant_
311 {
312 return ((1UL << (nr & (BITS_PER_LONG-1))) &
313 (addr[nr >> _BITOPS_
314 }
>8-----
Related upstream mailing list discussion:
- mm: compaction: buffer overflow in isolate_migratepages_range
https://lkml.org/lkml/2014/8/9/162
- [PATCH v3 1/4] mm/balloon_compaction: redesign ballooned pages management
http://www.spinics.net/lists/linux-mm/msg79249.html
[Fix]
- The first patch is the solution commit, which moves the PageBalloon
check to page->_mapcount:
d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management")
- The second one is the patch that removes the isolation check when the
CONFIG_
4d88e6f7d5ff ("mm/balloon_compaction: fix deflation when compaction is disabled")
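To show why moving the balloon marker out of page->mapping and into page->_mapcount removes this read, here is an added user-space C model (not kernel code and not part of the patches above): a one-object slab whose free poisons the object, so the pre-fix check that dereferences page->mapping sees poison once the anon_vma is gone, while the post-fix check only reads the page descriptor. PAGE_BALLOON_MAPCOUNT_VALUE mirrors the upstream fix; the poison byte, the struct layouts and the helper names are assumptions of the model.

```c
#include <stddef.h>
#include <string.h>

#define SLAB_POISON 0x6b                     /* SLUB POISON_FREE byte, assumed for the model */
#define BALLOON_MAPPING_FLAG 0x1             /* stands in for the balloon mapping flag */
#define PAGE_BALLOON_MAPCOUNT_VALUE (-256)   /* marker introduced by the upstream fix */

struct address_space { unsigned long flags; };
struct page {
    struct address_space *mapping;  /* what the old check dereferenced */
    int _mapcount;                  /* where the fix keeps the balloon marker */
};

/* One-object "slab": slab_free() poisons it the way a freed anon_vma would be. */
static struct address_space slab_obj;

static struct address_space *slab_alloc(void) {
    slab_obj.flags = 0;             /* ordinary anon_vma: not a balloon mapping */
    return &slab_obj;
}
static void slab_free(struct address_space *as) {
    memset(as, SLAB_POISON, sizeof *as);  /* object released; callers' pointers dangle */
}

/* Pre-fix check: must read page->mapping->flags whether or not mapping is alive. */
static int old_is_balloon(const struct page *page) {
    return page->mapping != NULL &&
           (page->mapping->flags & BALLOON_MAPPING_FLAG) != 0;
}
/* Post-fix check: reads only the page descriptor, which never goes away. */
static int new_is_balloon(const struct page *page) {
    return page->_mapcount == PAGE_BALLOON_MAPCOUNT_VALUE;
}

/* Models the scenario in the report: an anon page whose anon_vma is torn down
 * (do_exit) while compaction still scans it. Returns 1 when the old check flips
 * to a false "balloon page" answer on the freed object and the new check does not. */
static int old_check_misfires_after_free(void) {
    struct page pg = { .mapping = slab_alloc(), ._mapcount = 0 };
    int before = old_is_balloon(&pg);     /* 0 while the anon_vma is alive */
    slab_free(pg.mapping);
    int after_old = old_is_balloon(&pg);  /* poison 0x6b... & 1 == 1: wrong answer */
    int after_new = new_is_balloon(&pg);  /* still 0: correct */
    return before == 0 && after_old == 1 && after_new == 0;
}
```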
[Test Case]
Running the following command on the Trusty kernel(
messages cannot be observed in the dmesg.
"./parallel-
That means building 40 kernels at the same time, for 2 rounds.
Reference:
[1]. http://
description: updated
Changed in linux (Ubuntu):
assignee: nobody → Gavin Guo (mimi0213kimo)
description: updated
description: updated
description: updated
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
The following 2 patches are the solution to the bug:
4d88e6f7d5ff mm/balloon_compaction: fix deflation when compaction is disabled
d6d86c0a7f8d mm/balloon_compaction: redesign ballooned pages management
Related upstream mailing list discussion:
- mm: compaction: buffer overflow in isolate_migratepages_range
https://lkml.org/lkml/2014/8/9/162
- [PATCH v3 1/4] mm/balloon_compaction: redesign ballooned pages management
http://www.spinics.net/lists/linux-mm/msg79249.html