From: Jerome Glisse <j.glisse@gmail.com>
To: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Hugh Dickins <hughd@google.com>,
	Dave Hansen <dave.hansen@intel.com>, Mel Gorman <mgorman@suse.de>,
	Rik van Riel <riel@redhat.com>, Vlastimil Babka <vbabka@suse.cz>,
	Christoph Lameter <cl@gentwo.org>,
	Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>,
	Steve Capper <steve.capper@linaro.org>,
	"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Michal Hocko <mhocko@suse.cz>,
	Jerome Marchand <jmarchan@redhat.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH 16/16] mm: sanitize page->mapping for tail pages
Date: Thu, 24 Sep 2015 22:20:38 -0400	[thread overview]
Message-ID: <20150925022034.GA31309@gmail.com> (raw)
In-Reply-To: <1443106264-78075-17-git-send-email-kirill.shutemov@linux.intel.com>

On Thu, Sep 24, 2015 at 05:51:04PM +0300, Kirill A. Shutemov wrote:
> We don't define meaning of page->mapping for tail pages.  Currently it's
> always NULL, which can be inconsistent with head page and potentially lead
> to problems.
> 
> Let's poison the pointer to catch all illegal uses.
> 
> page_rmapping(), page_mapping() and page_anon_vma() are changed to look on
> head page.
> 
> The only illegal use I've caught so far is __GFP_COMP pages from sound
> subsystem, mapped with PTEs.  do_shared_fault() is changed to use
> page_rmapping() instead of direct access to fault_page->mapping.
> 
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>


Just a nitpick but page_rmapping() is already using compound_head() and
thus the commit message is misleading. I was expecting to see some changes
to page_rmapping(). Anyway:

Reviewed-by: Jerome Glisse <jglisse@redhat.com>


> ---
>  include/linux/poison.h |  4 ++++
>  mm/huge_memory.c       |  2 +-
>  mm/memory.c            |  2 +-
>  mm/page_alloc.c        |  6 ++++++
>  mm/util.c              | 10 ++++++----
>  5 files changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/poison.h b/include/linux/poison.h
> index 317e16de09e5..76c3b6c38c16 100644
> --- a/include/linux/poison.h
> +++ b/include/linux/poison.h
> @@ -32,6 +32,10 @@
>  /********** mm/debug-pagealloc.c **********/
>  #define PAGE_POISON 0xaa
>  
> +/********** mm/page_alloc.c ************/
> +
> +#define TAIL_MAPPING	((void *) 0x01014A11 + POISON_POINTER_DELTA)
> +
>  /********** mm/slab.c **********/
>  /*
>   * Magic nums for obj red zoning.
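Review bot: TAIL_MAPPING is introduced without a comment saying what it poisons or where it is checked, so a reader of poison.h has to find the matching code in two other files; a one-liner such as `/* poison for page->mapping of compound tail pages; set in prep_compound_page(), verified in free_tail_pages_check() */` above the define would tie the hunks of this patch together.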
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 244c852d565c..65ab7858bbcc 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -1836,7 +1836,7 @@ static void __split_huge_page_refcount(struct page *page,
>  		*/
>  		page_tail->_mapcount = page->_mapcount;
>  
> -		BUG_ON(page_tail->mapping);
> +		BUG_ON(page_tail->mapping != TAIL_MAPPING);
>  		page_tail->mapping = page->mapping;
>  
>  		page_tail->index = page->index + i;
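Review bot: the tightened `BUG_ON(page_tail->mapping != TAIL_MAPPING)` halts the whole kernel on an invariant that the mm/page_alloc.c hunk of this same patch reports through bad_page() instead; consider `VM_BUG_ON_PAGE(page_tail->mapping != TAIL_MAPPING, page_tail)` so the check costs nothing in production builds and dumps the offending page when it fires.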
> diff --git a/mm/memory.c b/mm/memory.c
> index caecc64301e9..3bd465a6fa0d 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -3087,7 +3087,7 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma,
>  	 * pinned by vma->vm_file's reference.  We rely on unlock_page()'s
>  	 * release semantics to prevent the compiler from undoing this copying.
>  	 */
> -	mapping = fault_page->mapping;
> +	mapping = page_rmapping(fault_page);
>  	unlock_page(fault_page);
>  	if ((dirtied || vma->vm_ops->page_mkwrite) && mapping) {
>  		/*
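Review bot: the commit message says page_rmapping() is changed to look at the head page, but no hunk in this patch touches page_rmapping(). If it already resolves compound_head(), as noted above, the message should say so; if it does not, this call on a tail page would read TAIL_MAPPING and the following `&& mapping` test would treat the poison as a valid address_space pointer. Either fix the commit message or include the page_rmapping() change.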
> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index 321a91747949..9bcfd70b1eb8 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -473,6 +473,7 @@ void prep_compound_page(struct page *page, unsigned int order)
>  	for (i = 1; i < nr_pages; i++) {
>  		struct page *p = page + i;
>  		set_page_count(p, 0);
> +		p->mapping = TAIL_MAPPING;
>  		set_compound_head(p, page);
>  	}
>  }
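Review bot: `p->mapping = TAIL_MAPPING;` deserves a short comment saying the poison is verified and cleared in free_tail_pages_check(), since the matching check lives in a different function; it is also worth stating in the commit message that this store now happens for every tail of every compound allocation, not only THP, so the cost is one extra write per tail page on the allocation path.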
> @@ -864,6 +865,10 @@ static int free_tail_pages_check(struct page *head_page, struct page *page)
>  		ret = 0;
>  		goto out;
>  	}
> +	if (page->mapping != TAIL_MAPPING) {
> +		bad_page(page, "corrupted mapping in tail page", 0);
> +		goto out;
> +	}
>  	if (unlikely(!PageTail(page))) {
>  		bad_page(page, "PageTail not set", 0);
>  		goto out;
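Review bot: the new TAIL_MAPPING test sits before the `PageTail(page)` test, so a page that is not a tail at all is first reported as "corrupted mapping in tail page" and the more fundamental "PageTail not set" diagnosis is never printed; moving the new check after the PageTail check gives the more useful message. For consistency with the neighbouring tests, wrap the condition in unlikely().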
> @@ -874,6 +879,7 @@ static int free_tail_pages_check(struct page *head_page, struct page *page)
>  	}
>  	ret = 0;
>  out:
> +	page->mapping = NULL;
>  	clear_compound_head(page);
>  	return ret;
>  }
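Review bot: `page->mapping = NULL;` at `out:` runs on the error paths as well as the success path, so the poison is gone as soon as the function returns; bad_page() has already reported the page by then, so that is acceptable, but a comment stating that the reset is deliberately unconditional so freed tails go back to the allocator with a NULL mapping like any other free page would save the next reader a lookup.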
> diff --git a/mm/util.c b/mm/util.c
> index 9af1c12b310c..902b65a43899 100644
> --- a/mm/util.c
> +++ b/mm/util.c
> @@ -355,7 +355,9 @@ struct anon_vma *page_anon_vma(struct page *page)
>  
>  struct address_space *page_mapping(struct page *page)
>  {
> -	unsigned long mapping;
> +	struct address_space *mapping;
> +
> +	page = compound_head(page);
>  
>  	/* This happens if someone calls flush_dcache_page on slab page */
>  	if (unlikely(PageSlab(page)))
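Review bot: with `page = compound_head(page);` at the top, page_mapping() now silently answers for the head when handed a tail, and the PageSlab and swap-cache tests that follow run on the head's flags; the function's comment block, not shown in this hunk, should document that a tail page yields its head's mapping, since callers can no longer tell the two apart from the return value.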
> @@ -368,10 +370,10 @@ struct address_space *page_mapping(struct page *page)
>  		return swap_address_space(entry);
>  	}
>  
> -	mapping = (unsigned long)page->mapping;
> -	if (mapping & PAGE_MAPPING_FLAGS)
> +	mapping = page->mapping;
> +	if ((unsigned long)mapping & PAGE_MAPPING_FLAGS)
>  		return NULL;
> -	return page->mapping;
> +	return mapping;
>  }
>  
>  int overcommit_ratio_handler(struct ctl_table *table, int write,
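Review bot: the rewrite also fixes a latent double read: the old code tested a local copy of `page->mapping` but then returned a fresh `page->mapping` load, which could differ from the value tested if the field changed in between, whereas the new code returns the same `mapping` it checked. That is a behaviour change beyond the tail-page sanitising and deserves a line in the commit message.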
> -- 
> 2.5.1
> 