[PATCH v2 1/2] powerpc/fadump: handle crash memory ranges array index overflow
Mahesh Jagannath Salgaonkar
mahesh at linux.vnet.ibm.com
Wed Aug 8 19:04:37 AEST 2018
On 08/07/2018 02:12 AM, Hari Bathini wrote:
> Crash memory ranges is an array of memory ranges of the crashing kernel
> to be exported as a dump via /proc/vmcore file. The size of the array
> is set based on INIT_MEMBLOCK_REGIONS, which works alright in most cases
> where memblock memory regions count is less than INIT_MEMBLOCK_REGIONS
> value. But this count can grow beyond INIT_MEMBLOCK_REGIONS value since
> commit 142b45a72e22 ("memblock: Add array resizing support").
>
> On large memory systems with a few DLPAR operations, the memblock memory
> regions count could be larger than INIT_MEMBLOCK_REGIONS value. On such
> systems, registering fadump results in crash or other system failures
> like below:
>
> task: c00007f39a290010 ti: c00000000b738000 task.ti: c00000000b738000
> NIP: c000000000047df4 LR: c0000000000f9e58 CTR: c00000000010f180
> REGS: c00000000b73b570 TRAP: 0300 Tainted: G L X (4.4.140+)
> MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 22004484 XER: 20000000
> CFAR: c000000000008500 DAR: 000007a450000000 DSISR: 40000000 SOFTE: 0
> GPR00: c0000000000f9e58 c00000000b73b7f0 c000000000f09a00 000000000000001a
> GPR04: c00007f3bf774c90 0000000000000004 c000000000eb9a00 0000000000000800
> GPR08: 0000000000000804 000007a450000000 c000000000fa9a00 c00007ffb169ca20
> GPR12: 0000000022004482 c00000000fa12c00 c00007f3a0ea97a8 0000000000000000
> GPR16: c00007f3a0ea9a50 c00000000b73bd60 0000000000000118 000000000001fe80
> GPR20: 0000000000000118 0000000000000000 c000000000b8c980 00000000000000d0
> GPR24: 000007ffb0b10000 c00007ffb169c980 0000000000000000 c000000000b8c980
> GPR28: 0000000000000004 c00007ffb169c980 000000000000001a c00007ffb169c980
> NIP [c000000000047df4] smp_send_reschedule+0x24/0x80
> LR [c0000000000f9e58] resched_curr+0x138/0x160
> Call Trace:
> [c00000000b73b7f0] [c0000000000f9e58] resched_curr+0x138/0x160 (unreliable)
> [c00000000b73b820] [c0000000000fb538] check_preempt_curr+0xc8/0xf0
> [c00000000b73b850] [c0000000000fb598] ttwu_do_wakeup+0x38/0x150
> [c00000000b73b890] [c0000000000fc9c4] try_to_wake_up+0x224/0x4d0
> [c00000000b73b900] [c00000000011ef34] __wake_up_common+0x94/0x100
> [c00000000b73b960] [c00000000034a78c] ep_poll_callback+0xac/0x1c0
> [c00000000b73b9b0] [c00000000011ef34] __wake_up_common+0x94/0x100
> [c00000000b73ba10] [c00000000011f810] __wake_up_sync_key+0x70/0xa0
> [c00000000b73ba60] [c00000000067c3e8] sock_def_readable+0x58/0xa0
> [c00000000b73ba90] [c0000000007848ac] unix_stream_sendmsg+0x2dc/0x4c0
> [c00000000b73bb70] [c000000000675a38] sock_sendmsg+0x68/0xa0
> [c00000000b73bba0] [c00000000067673c] ___sys_sendmsg+0x2cc/0x2e0
> [c00000000b73bd30] [c000000000677dbc] __sys_sendmsg+0x5c/0xc0
> [c00000000b73bdd0] [c0000000006789bc] SyS_socketcall+0x36c/0x3f0
> [c00000000b73be30] [c000000000009488] system_call+0x3c/0x100
> Instruction dump:
> 4e800020 60000000 60420000 3c4c00ec 38421c30 7c0802a6 f8010010 60000000
> 3d42000a e92ab420 2fa90000 4dde0020 <e9290000> 2fa90000 419e0044 7c0802a6
> ---[ end trace a6d1dd4bab5f8253 ]---
>
> as array index overflow is not checked for while setting up crash memory
> ranges causing memory corruption. To resolve this issue, dynamically
> allocate memory for crash memory ranges and resize it incrementally,
> in units of pagesize, on hitting array size limit.
>
> Fixes: 2df173d9e85d ("fadump: Initialize elfcore header and add PT_LOAD program headers.")
> Cc: stable at vger.kernel.org
> Cc: Mahesh Salgaonkar <mahesh at linux.vnet.ibm.com>
> Signed-off-by: Hari Bathini <hbathini at linux.ibm.com>
Looks ok to me.
Reviewed-by: Mahesh Salgaonkar <mahesh at linux.vnet.ibm.com>
Thanks,
-Mahesh.
> ---
>
> Changes in v2:
> * Allocating memory for crash ranges in pagesize unit.
> * freeing memory allocated while cleaning up.
> * Moved the changes to coalesce memory ranges into patch 2/2.
>
>
> arch/powerpc/include/asm/fadump.h | 4 +-
> arch/powerpc/kernel/fadump.c | 91 +++++++++++++++++++++++++++++++------
> 2 files changed, 79 insertions(+), 16 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/fadump.h b/arch/powerpc/include/asm/fadump.h
> index 5a23010..3abc738 100644
> --- a/arch/powerpc/include/asm/fadump.h
> +++ b/arch/powerpc/include/asm/fadump.h
> @@ -195,8 +195,8 @@ struct fadump_crash_info_header {
> struct cpumask online_mask;
> };
>
> -/* Crash memory ranges */
> -#define INIT_CRASHMEM_RANGES (INIT_MEMBLOCK_REGIONS + 2)
> +/* Crash memory ranges size unit (pagesize) */
> +#define CRASHMEM_RANGES_ALLOC_SIZE PAGE_SIZE
>
> struct fad_crash_memory_ranges {
> unsigned long long base;
> diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
> index 07e8396..2ec5704 100644
> --- a/arch/powerpc/kernel/fadump.c
> +++ b/arch/powerpc/kernel/fadump.c
> @@ -47,8 +47,10 @@ static struct fadump_mem_struct fdm;
> static const struct fadump_mem_struct *fdm_active;
>
> static DEFINE_MUTEX(fadump_mutex);
> -struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES];
> +struct fad_crash_memory_ranges *crash_memory_ranges;
> +int crash_memory_ranges_size;
> int crash_mem_ranges;
> +int max_crash_mem_ranges;
>
> /* Scan the Firmware Assisted dump configuration details. */
> int __init early_init_dt_scan_fw_dump(unsigned long node,
> @@ -868,22 +870,67 @@ static int __init process_fadump(const struct fadump_mem_struct *fdm_active)
> return 0;
> }
>
> -static inline void fadump_add_crash_memory(unsigned long long base,
> - unsigned long long end)
> +static void free_crash_memory_ranges(void)
> +{
> + kfree(crash_memory_ranges);
> + crash_memory_ranges = NULL;
> + crash_memory_ranges_size = 0;
> + max_crash_mem_ranges = 0;
> +}
> +
> +/*
> + * Allocate or reallocate crash memory ranges array in incremental units
> + * of CRASHMEM_RANGES_ALLOC_SIZE.
> + */
> +static int allocate_crash_memory_ranges(void)
> +{
> + u64 new_size;
> + struct fad_crash_memory_ranges *new_array;
> +
> + new_size = crash_memory_ranges_size + CRASHMEM_RANGES_ALLOC_SIZE;
> + pr_debug("Allocating %llu bytes of memory for crash memory ranges\n",
> + new_size);
> +
> + new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL);
> + if (new_array == NULL) {
> + pr_err("Insufficient memory for setting up crash memory ranges\n");
> + free_crash_memory_ranges();
> + return -ENOMEM;
> + }
> +
> + crash_memory_ranges = new_array;
> + crash_memory_ranges_size = new_size;
> + max_crash_mem_ranges = (new_size /
> + sizeof(struct fad_crash_memory_ranges));
> + return 0;
> +}
> +
> +static inline int fadump_add_crash_memory(unsigned long long base,
> + unsigned long long end)
> {
> if (base == end)
> - return;
> + return 0;
> +
> + if (crash_mem_ranges == max_crash_mem_ranges) {
> + int ret;
> +
> + ret = allocate_crash_memory_ranges();
> + if (ret)
> + return ret;
> + }
>
> pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n",
> crash_mem_ranges, base, end - 1, (end - base));
> crash_memory_ranges[crash_mem_ranges].base = base;
> crash_memory_ranges[crash_mem_ranges].size = end - base;
> crash_mem_ranges++;
> + return 0;
> }
>
> -static void fadump_exclude_reserved_area(unsigned long long start,
> +static int fadump_exclude_reserved_area(unsigned long long start,
> unsigned long long end)
> {
> + int ret = 0;
> unsigned long long ra_start, ra_end;
>
> ra_start = fw_dump.reserve_dump_area_start;
> @@ -891,15 +938,20 @@ static void fadump_exclude_reserved_area(unsigned long long start,
>
> if ((ra_start < end) && (ra_end > start)) {
> if ((start < ra_start) && (end > ra_end)) {
> - fadump_add_crash_memory(start, ra_start);
> - fadump_add_crash_memory(ra_end, end);
> + ret = fadump_add_crash_memory(start, ra_start);
> + if (ret)
> + return ret;
> +
> + ret = fadump_add_crash_memory(ra_end, end);
> } else if (start < ra_start) {
> - fadump_add_crash_memory(start, ra_start);
> + ret = fadump_add_crash_memory(start, ra_start);
> } else if (ra_end < end) {
> - fadump_add_crash_memory(ra_end, end);
> + ret = fadump_add_crash_memory(ra_end, end);
> }
> } else
> - fadump_add_crash_memory(start, end);
> + ret = fadump_add_crash_memory(start, end);
> +
> + return ret;
> }
>
> static int fadump_init_elfcore_header(char *bufp)
> @@ -939,8 +991,9 @@ static int fadump_init_elfcore_header(char *bufp)
> * Traverse through memblock structure and setup crash memory ranges. These
> * ranges will be used create PT_LOAD program headers in elfcore header.
> */
> -static void fadump_setup_crash_memory_ranges(void)
> +static int fadump_setup_crash_memory_ranges(void)
> {
> + int ret;
> struct memblock_region *reg;
> unsigned long long start, end;
>
> @@ -953,7 +1006,9 @@ static void fadump_setup_crash_memory_ranges(void)
> * specified during fadump registration. We need to create a separate
> * program header for this chunk with the correct offset.
> */
> - fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
> + ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
> + if (ret)
> + return ret;
>
> for_each_memblock(memory, reg) {
> start = (unsigned long long)reg->base;
> @@ -973,8 +1028,12 @@ static void fadump_setup_crash_memory_ranges(void)
> }
>
> /* add this range excluding the reserved dump area. */
> - fadump_exclude_reserved_area(start, end);
> + ret = fadump_exclude_reserved_area(start, end);
> + if (ret)
> + return ret;
> }
> +
> + return 0;
> }
>
> /*
> @@ -1095,6 +1154,7 @@ static unsigned long init_fadump_header(unsigned long addr)
>
> static int register_fadump(void)
> {
> + int ret;
> unsigned long addr;
> void *vaddr;
>
> @@ -1105,7 +1165,9 @@ static int register_fadump(void)
> if (!fw_dump.reserve_dump_area_size)
> return -ENODEV;
>
> - fadump_setup_crash_memory_ranges();
> + ret = fadump_setup_crash_memory_ranges();
> + if (ret)
> + return ret;
>
> addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len);
> /* Initialize fadump crash info header. */
> @@ -1183,6 +1245,7 @@ void fadump_cleanup(void)
> } else if (fw_dump.dump_registered) {
> /* Un-register Firmware-assisted dump if it was registered. */
> fadump_unregister_dump(&fdm);
> + free_crash_memory_ranges();
> }
> }
>
>
More information about the Linuxppc-dev
mailing list