)]}' { "commit": "3010f876500f9ba921afaeccec30c45ca6584dc8", "tree": "61f656b6b3f56459f27cb11944102bf3dfcc162b", "parents": [ "768dc4e48420955518974d8486c1b00ec05e7274" ], "author": { "name": "Pavel Tatashin", "email": "pasha.tatashin@oracle.com", "time": "Fri Aug 18 15:16:05 2017 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Aug 18 15:32:01 2017 -0700" }, "message": "mm: discard memblock data later\n\nThere is an existing use-after-free bug when deferred struct pages are\nenabled:\n\nThe memblock_add() allocates memory for the memory array if more than\n128 entries are needed. See comment in e820__memblock_setup():\n\n * The bootstrap memblock region count maximum is 128 entries\n * (INIT_MEMBLOCK_REGIONS), but EFI might pass us more E820 entries\n * than that - so allow memblock resizing.\n\nThis memblock memory is freed here:\n free_low_memory_core_early()\n\nWe access the freed memblock.memory later in boot when deferred pages\nare initialized in this path:\n\n deferred_init_memmap()\n for_each_mem_pfn_range()\n __next_mem_pfn_range()\n type \u003d \u0026memblock.memory;\n\nOne possible explanation for why this use-after-free hasn\u0027t been hit\nbefore is that the limit of INIT_MEMBLOCK_REGIONS has never been\nexceeded at least on systems where deferred struct pages were enabled.\n\nTested by reducing INIT_MEMBLOCK_REGIONS down to 4 from the current 128,\nand verifying in qemu that this code is getting executed and that the\nfreed pages are sane.\n\nLink: http://lkml.kernel.org/r/1502485554-318703-2-git-send-email-pasha.tatashin@oracle.com\nFixes: 7e18adb4f80b (\"mm: meminit: initialise remaining struct pages in parallel with kswapd\")\nSigned-off-by: Pavel Tatashin \u003cpasha.tatashin@oracle.com\u003e\nReviewed-by: Steven Sistare \u003csteven.sistare@oracle.com\u003e\nReviewed-by: Daniel Jordan \u003cdaniel.m.jordan@oracle.com\u003e\nReviewed-by: Bob Picco \u003cbob.picco@oracle.com\u003e\nAcked-by: Michal Hocko \u003cmhocko@suse.com\u003e\nCc: Mel Gorman \u003cmgorman@techsingularity.net\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "77d427974f575699d181265a9eb4c8d1cdd4dad5", "old_mode": 33188, "old_path": "include/linux/memblock.h", "new_id": "bae11c7e7bf31920fcf0b928b31dc29ad70f6f8b", "new_mode": 33188, "new_path": "include/linux/memblock.h" }, { "type": "modify", "old_id": "2cb25fe4452c279c5ff6ff74cbbfee64128d820e", "old_mode": 33188, "old_path": "mm/memblock.c", "new_id": "bf14aea6ab709dc61666c1994718d9d244291e22", "new_mode": 33188, "new_path": "mm/memblock.c" }, { "type": "modify", "old_id": "36454d0f96ee6b91383554c83015a2b47e66f038", "old_mode": 33188, "old_path": "mm/nobootmem.c", "new_id": "3637809a18d04f9c20d1b00d70687ae1eb00b282", "new_mode": 33188, "new_path": "mm/nobootmem.c" }, { "type": "modify", "old_id": "6d00f746c2fd96452661fde3f704289eed7f1f70", "old_mode": 33188, "old_path": "mm/page_alloc.c", "new_id": "1bad301820c7a2e2729fc2f7c04e4b3694131576", "new_mode": 33188, "new_path": "mm/page_alloc.c" } ] }