Re: [patch 3/3] IA64: virt_to_page() can be called with NULL arg

From: Kirill Korotaev <dev_at_openvz.org>
Date: 2006-12-20 21:57:51
Jes,

> Well you suggested a patch which just hides the problem. I suggest you
> change it to have the BUG_ON().
IMHO you are wrong.
The suggested patch *fixes* one particular place, which can be triggered on
mainstream IA64 by a standard user and is actually a *SECURITY* bug which
can potentially be exploited (when the OOM killer is enabled).
It doesn't hide anything; it just doesn't help to catch other places.

>>>Which callers did you see cause this? If it was a common problem I would
>>>expect a lot of data corruption or crashes on ia64 systems which I
>>>haven't heard of.
>>
>>from the patch:
>>pte_alloc_one() calls pgtable_quicklist_alloc() which can return NULL in
>>case of allocation failure.
>>
>>It was hit on OpenVZ where kernel memory is accounted and limited on
>>per-container basis (it is possible to DoS using page tables allocations).
>>In mainstream the bug can be hit if the OOM killer
>>kills the process and __get_free_page() returns NULL, which is rare, but still possible.
> 
> 
> I see, since you have it tracked down, it would be good to fix it
> and push a patch upstream. Unless of course Andrew or Linus thinks this
> is the wrong approach.
Maybe the fact that I came without an exploit to crash IA64
makes you think it should not be committed; OK, you can leave it as is then.
NOTE: I have nothing against the debug you proposed. It is quite a good idea.

Thanks,
Kirill

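The failure mode under discussion, pgtable_quicklist_alloc() returning NULL on allocation failure and pte_alloc_one() feeding that NULL straight into virt_to_page(), as an added userspace mock. This is not the patch from the thread nor kernel code: the static "physical memory" array, the mem_map indexing, the failure-injection flag and the function names for the before/after variants are assumptions made for illustration; only the shape of the bug (an unchecked allocation result passed to pure address arithmetic) is taken from the message.

```c
/* Added example, not from the thread or the ia64 tree: a userspace mock of
 * the pte_alloc_one() -> pgtable_quicklist_alloc() -> virt_to_page() chain.
 * Memory layout, names and failure injection are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NR_PAGES   8

/* Mock "kernel memory": NR_PAGES pages backed by a static array. */
static unsigned char mem[NR_PAGES * PAGE_SIZE];
static int page_used[NR_PAGES];

struct page { unsigned long flags; };
static struct page mem_map[NR_PAGES];

/* Failure injection: stands in for the OOM killer / per-container limit
 * case where the real allocator hands back NULL. */
static int inject_alloc_failure;

static void *pgtable_quicklist_alloc(void)
{
    if (inject_alloc_failure)
        return NULL;
    for (int i = 0; i < NR_PAGES; i++) {
        if (!page_used[i]) {
            page_used[i] = 1;
            memset(mem + (size_t)i * PAGE_SIZE, 0, PAGE_SIZE);
            return mem + (size_t)i * PAGE_SIZE;
        }
    }
    return NULL; /* the real allocator also fails when memory is exhausted */
}

static void *pfn_to_virt(unsigned long pfn)
{
    return mem + (size_t)pfn * PAGE_SIZE;
}

static void pgtable_quicklist_free(void *p)
{
    page_used[((uintptr_t)p - (uintptr_t)mem) >> PAGE_SHIFT] = 0;
}

/* Mock of virt_to_page(): pure address arithmetic with no validation, as
 * the real macro is. Returns a pfn (index into mem_map) rather than a
 * pointer so a bogus result can be inspected instead of dereferenced. */
static unsigned long virt_to_pfn(const void *v)
{
    return ((uintptr_t)v - (uintptr_t)mem) >> PAGE_SHIFT;
}

static int pfn_valid(unsigned long pfn)
{
    return pfn < NR_PAGES;
}

/* "Before": the shape of the bug. No NULL check, so a failed allocation
 * becomes a struct page computed from address 0, i.e. garbage. */
static unsigned long pte_alloc_one_unchecked(void)
{
    void *pg = pgtable_quicklist_alloc();
    return virt_to_pfn(pg);            /* bogus pfn when pg == NULL */
}

/* "After": propagate the failure so the caller can return -ENOMEM
 * instead of operating on a fabricated struct page. */
static struct page *pte_alloc_one_checked(void)
{
    void *pg = pgtable_quicklist_alloc();
    if (!pg)
        return NULL;
    return &mem_map[virt_to_pfn(pg)];
}

int main(void)
{
    inject_alloc_failure = 1;
    unsigned long pfn = pte_alloc_one_unchecked();
    printf("unchecked, alloc failed: pfn=%lu pfn_valid=%d\n", pfn, pfn_valid(pfn));
    printf("checked,   alloc failed: %p\n", (void *)pte_alloc_one_checked());

    inject_alloc_failure = 0;
    struct page *pg = pte_alloc_one_checked();
    printf("checked,   alloc ok:     pfn=%ld\n", (long)(pg - mem_map));
    pgtable_quicklist_free(pfn_to_virt((unsigned long)(pg - mem_map)));
    return 0;
}
```

The point the mock makes is that virt_to_page() does no validation of its argument, so the only place the NULL can be caught is at the allocation site; once the bogus struct page exists, later page-table bookkeeping operates on memory the caller never owned.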
-
To unsubscribe from this list: send the line "unsubscribe linux-ia64" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html