Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:27 +0100
committerJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:42 +0100
commit1d51dc815aef20659ac6f0e8fe3f21a7d5d508ae (patch)
treeb31fc60a5971b4fa0fa2b6c2069ae7a9f1011ad9
parentb09a66797fab11f8e98c5bcb1e2e20cde397e86c (diff)
mm: page_mapped: don't assume compound page is huge or THP
-rw-r--r--patches.kernel.org/4.20.3-053-mm-page_mapped-don-t-assume-compound-page-is-h.patch81
-rw-r--r--series.conf1
2 files changed, 82 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.3-053-mm-page_mapped-don-t-assume-compound-page-is-h.patch b/patches.kernel.org/4.20.3-053-mm-page_mapped-don-t-assume-compound-page-is-h.patch
new file mode 100644
index 0000000000..ed776ba6cc
--- /dev/null
+++ b/patches.kernel.org/4.20.3-053-mm-page_mapped-don-t-assume-compound-page-is-h.patch
@@ -0,0 +1,81 @@
+From: Jan Stancek <jstancek@redhat.com>
+Date: Tue, 8 Jan 2019 15:23:28 -0800
+Subject: [PATCH] mm: page_mapped: don't assume compound page is huge or THP
+References: bnc#1012628
+Patch-mainline: 4.20.3
+Git-commit: 8ab88c7169b7fba98812ead6524b9d05bc76cf00
+
+commit 8ab88c7169b7fba98812ead6524b9d05bc76cf00 upstream.
+
+LTP proc01 testcase has been observed to rarely trigger crashes
+on arm64:
+ page_mapped+0x78/0xb4
+ stable_page_flags+0x27c/0x338
+ kpageflags_read+0xfc/0x164
+ proc_reg_read+0x7c/0xb8
+ __vfs_read+0x58/0x178
+ vfs_read+0x90/0x14c
+ SyS_read+0x60/0xc0
+
+The issue is that page_mapped() assumes that if compound page is not
+huge, then it must be THP. But if this is 'normal' compound page
+(COMPOUND_PAGE_DTOR), then following loop can keep running (for
+HPAGE_PMD_NR iterations) until it tries to read from memory that isn't
+mapped and triggers a panic:
+
+ for (i = 0; i < hpage_nr_pages(page); i++) {
+ if (atomic_read(&page[i]._mapcount) >= 0)
+ return true;
+ }
+
+I could replicate this on x86 (v4.20-rc4-98-g60b548237fed) only
+with a custom kernel module [1] which:
+ - allocates compound page (PAGEC) of order 1
+ - allocates 2 normal pages (COPY), which are initialized to 0xff (to
+ satisfy _mapcount >= 0)
+ - 2 PAGEC page structs are copied to address of first COPY page
+ - second page of COPY is marked as not present
+ - call to page_mapped(COPY) now triggers fault on access to 2nd COPY
+ page at offset 0x30 (_mapcount)
+
+[1] https://github.com/jstancek/reproducers/blob/master/kernel/page_mapped_crash/repro.c
+
+Fix the loop to iterate for "1 << compound_order" pages.
+
+Kirrill said "IIRC, sound subsystem can producuce custom mapped compound
+pages".
+
+Link: http://lkml.kernel.org/r/c440d69879e34209feba21e12d236d06bc0a25db.1543577156.git.jstancek@redhat.com
+Fixes: e1534ae95004 ("mm: differentiate page_mapped() from page_mapcount() for compound pages")
+Signed-off-by: Jan Stancek <jstancek@redhat.com>
+Debugged-by: Laszlo Ersek <lersek@redhat.com>
+Suggested-by: "Kirill A. Shutemov" <kirill@shutemov.name>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ mm/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 8bf08b5b5760..5c9c7359ee8a 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -478,7 +478,7 @@ bool page_mapped(struct page *page)
+ return true;
+ if (PageHuge(page))
+ return false;
+- for (i = 0; i < hpage_nr_pages(page); i++) {
++ for (i = 0; i < (1 << compound_order(page)); i++) {
+ if (atomic_read(&page[i]._mapcount) >= 0)
+ return true;
+ }
+--
+2.20.1
+
diff --git a/series.conf b/series.conf
index a980e7ebeb..44134da2f9 100644
--- a/series.conf
+++ b/series.conf
@@ -290,6 +290,7 @@
patches.kernel.org/4.20.3-050-ext4-use-ext4_write_inode-when-fsyncing-w-o-a-.patch
patches.kernel.org/4.20.3-051-ext4-track-writeback-errors-using-the-generic-.patch
patches.kernel.org/4.20.3-052-ext4-fix-special-inode-number-checks-in-__ext4.patch
+ patches.kernel.org/4.20.3-053-mm-page_mapped-don-t-assume-compound-page-is-h.patch
########################################################
# Build fixes that apply to the vanilla kernel too.