From: Greg Kroah-Hartman Date: Wed, 22 Nov 2017 13:58:28 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.84~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8b1b5e884f37eabdf21dafe3acd8dc3e204e4a42;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: mm-check-the-return-value-of-lookup_page_ext-for-all-call-sites.patch mm-page_ext.c-check-if-page_ext-is-not-prepared.patch --- diff --git a/queue-4.4/mm-check-the-return-value-of-lookup_page_ext-for-all-call-sites.patch b/queue-4.4/mm-check-the-return-value-of-lookup_page_ext-for-all-call-sites.patch new file mode 100644 index 00000000000..a5f5e68dc7b --- /dev/null +++ b/queue-4.4/mm-check-the-return-value-of-lookup_page_ext-for-all-call-sites.patch @@ -0,0 +1,231 @@ +From f86e4271978bd93db466d6a95dad4b0fdcdb04f6 Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Fri, 3 Jun 2016 14:55:38 -0700 +Subject: mm: check the return value of lookup_page_ext for all call sites + +From: Yang Shi + +commit f86e4271978bd93db466d6a95dad4b0fdcdb04f6 upstream. + +Per the discussion with Joonsoo Kim [1], we need check the return value +of lookup_page_ext() for all call sites since it might return NULL in +some cases, although it is unlikely, i.e. memory hotplug. + +Tested with ltp with "page_owner=0". + +[1] http://lkml.kernel.org/r/20160519002809.GA10245@js1304-P5Q-DELUXE + +[akpm@linux-foundation.org: fix build-breaking typos] +[arnd@arndb.de: fix build problems from lookup_page_ext] + Link: http://lkml.kernel.org/r/6285269.2CksypHdYp@wuerfel +[akpm@linux-foundation.org: coding-style fixes] +Link: http://lkml.kernel.org/r/1464023768-31025-1-git-send-email-yang.shi@linaro.org +Signed-off-by: Yang Shi +Signed-off-by: Arnd Bergmann +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Michal Hocko +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/page_idle.h | 43 ++++++++++++++++++++++++++++++++++++------- + mm/debug-pagealloc.c | 6 ++++++ + mm/page_alloc.c | 6 ++++++ + mm/page_owner.c | 16 ++++++++++++++++ + mm/vmstat.c | 2 ++ + 5 files changed, 66 insertions(+), 7 deletions(-) + +--- a/include/linux/page_idle.h ++++ b/include/linux/page_idle.h +@@ -46,33 +46,62 @@ extern struct page_ext_operations page_i + + static inline bool page_is_young(struct page *page) + { +- return test_bit(PAGE_EXT_YOUNG, &lookup_page_ext(page)->flags); ++ struct page_ext *page_ext = lookup_page_ext(page); ++ ++ if (unlikely(!page_ext)) ++ return false; ++ ++ return test_bit(PAGE_EXT_YOUNG, &page_ext->flags); + } + + static inline void set_page_young(struct page *page) + { +- set_bit(PAGE_EXT_YOUNG, &lookup_page_ext(page)->flags); ++ struct page_ext *page_ext = lookup_page_ext(page); ++ ++ if (unlikely(!page_ext)) ++ return; ++ ++ set_bit(PAGE_EXT_YOUNG, &page_ext->flags); + } + + static inline bool test_and_clear_page_young(struct page *page) + { +- return test_and_clear_bit(PAGE_EXT_YOUNG, +- &lookup_page_ext(page)->flags); ++ struct page_ext *page_ext = lookup_page_ext(page); ++ ++ if (unlikely(!page_ext)) ++ return false; ++ ++ return test_and_clear_bit(PAGE_EXT_YOUNG, &page_ext->flags); + } + + static inline bool page_is_idle(struct page *page) + { +- return test_bit(PAGE_EXT_IDLE, &lookup_page_ext(page)->flags); ++ struct page_ext *page_ext = lookup_page_ext(page); ++ ++ if (unlikely(!page_ext)) ++ return false; ++ ++ return test_bit(PAGE_EXT_IDLE, &page_ext->flags); + } + + static inline void set_page_idle(struct page *page) + { +- set_bit(PAGE_EXT_IDLE, &lookup_page_ext(page)->flags); ++ struct page_ext *page_ext = lookup_page_ext(page); ++ ++ if (unlikely(!page_ext)) ++ return; ++ ++ set_bit(PAGE_EXT_IDLE, &page_ext->flags); + } + + static inline void clear_page_idle(struct page *page) + { +- clear_bit(PAGE_EXT_IDLE, &lookup_page_ext(page)->flags); ++ struct page_ext *page_ext = lookup_page_ext(page); ++ ++ if (unlikely(!page_ext)) ++ return; ++ ++ clear_bit(PAGE_EXT_IDLE, &page_ext->flags); + } + #endif /* CONFIG_64BIT */ + +--- a/mm/debug-pagealloc.c ++++ b/mm/debug-pagealloc.c +@@ -34,6 +34,8 @@ static inline void set_page_poison(struc + struct page_ext *page_ext; + + page_ext = lookup_page_ext(page); ++ if (page_ext) ++ return; + __set_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags); + } + +@@ -42,6 +44,8 @@ static inline void clear_page_poison(str + struct page_ext *page_ext; + + page_ext = lookup_page_ext(page); ++ if (page_ext) ++ return; + __clear_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags); + } + +@@ -50,6 +54,8 @@ static inline bool page_poison(struct pa + struct page_ext *page_ext; + + page_ext = lookup_page_ext(page); ++ if (page_ext) ++ return false; + return test_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags); + } + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -569,6 +569,9 @@ static inline void set_page_guard(struct + return; + + page_ext = lookup_page_ext(page); ++ if (unlikely(!page_ext)) ++ return; ++ + __set_bit(PAGE_EXT_DEBUG_GUARD, &page_ext->flags); + + INIT_LIST_HEAD(&page->lru); +@@ -586,6 +589,9 @@ static inline void clear_page_guard(stru + return; + + page_ext = lookup_page_ext(page); ++ if (unlikely(!page_ext)) ++ return; ++ + __clear_bit(PAGE_EXT_DEBUG_GUARD, &page_ext->flags); + + set_page_private(page, 0); +--- a/mm/page_owner.c ++++ b/mm/page_owner.c +@@ -53,6 +53,8 @@ void __reset_page_owner(struct page *pag + + for (i = 0; i < (1 << order); i++) { + page_ext = lookup_page_ext(page + i); ++ if (unlikely(!page_ext)) ++ continue; + __clear_bit(PAGE_EXT_OWNER, &page_ext->flags); + } + } +@@ -60,6 +62,7 @@ void __reset_page_owner(struct page *pag + void __set_page_owner(struct page *page, unsigned int order, gfp_t gfp_mask) + { + struct page_ext *page_ext = lookup_page_ext(page); ++ + struct stack_trace trace = { + .nr_entries = 0, + .max_entries = ARRAY_SIZE(page_ext->trace_entries), +@@ -67,6 +70,9 @@ void __set_page_owner(struct page *page, + .skip = 3, + }; + ++ if (unlikely(!page_ext)) ++ return; ++ + save_stack_trace(&trace); + + page_ext->order = order; +@@ -79,6 +85,12 @@ void __set_page_owner(struct page *page, + gfp_t __get_page_owner_gfp(struct page *page) + { + struct page_ext *page_ext = lookup_page_ext(page); ++ if (unlikely(!page_ext)) ++ /* ++ * The caller just returns 0 if no valid gfp ++ * So return 0 here too. ++ */ ++ return 0; + + return page_ext->gfp_mask; + } +@@ -194,6 +206,8 @@ read_page_owner(struct file *file, char + } + + page_ext = lookup_page_ext(page); ++ if (unlikely(!page_ext)) ++ continue; + + /* + * Some pages could be missed by concurrent allocation or free, +@@ -257,6 +271,8 @@ static void init_pages_in_zone(pg_data_t + continue; + + page_ext = lookup_page_ext(page); ++ if (unlikely(!page_ext)) ++ continue; + + /* Maybe overraping zone */ + if (test_bit(PAGE_EXT_OWNER, &page_ext->flags)) +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1091,6 +1091,8 @@ static void pagetypeinfo_showmixedcount_ + continue; + + page_ext = lookup_page_ext(page); ++ if (unlikely(!page_ext)) ++ continue; + + if (!test_bit(PAGE_EXT_OWNER, &page_ext->flags)) + continue; diff --git a/queue-4.4/mm-page_ext.c-check-if-page_ext-is-not-prepared.patch b/queue-4.4/mm-page_ext.c-check-if-page_ext-is-not-prepared.patch new file mode 100644 index 00000000000..725a1f3b818 --- /dev/null +++ b/queue-4.4/mm-page_ext.c-check-if-page_ext-is-not-prepared.patch @@ -0,0 +1,95 @@ +From e492080e640c2d1235ddf3441cae634cfffef7e1 Mon Sep 17 00:00:00 2001 +From: Jaewon Kim +Date: Wed, 15 Nov 2017 17:39:07 -0800 +Subject: mm/page_ext.c: check if page_ext is not prepared + +From: Jaewon Kim + +commit e492080e640c2d1235ddf3441cae634cfffef7e1 upstream. + +online_page_ext() and page_ext_init() allocate page_ext for each +section, but they do not allocate if the first PFN is !pfn_present(pfn) +or !pfn_valid(pfn). Then section->page_ext remains as NULL. +lookup_page_ext checks NULL only if CONFIG_DEBUG_VM is enabled. For a +valid PFN, __set_page_owner will try to get page_ext through +lookup_page_ext. Without CONFIG_DEBUG_VM lookup_page_ext will misuse +NULL pointer as value 0. This incurrs invalid address access. + +This is the panic example when PFN 0x100000 is not valid but PFN +0x13FC00 is being used for page_ext. section->page_ext is NULL, +get_entry returned invalid page_ext address as 0x1DFA000 for a PFN +0x13FC00. + +To avoid this panic, CONFIG_DEBUG_VM should be removed so that page_ext +will be checked at all times. + + Unable to handle kernel paging request at virtual address 01dfa014 + ------------[ cut here ]------------ + Kernel BUG at ffffff80082371e0 [verbose debug info unavailable] + Internal error: Oops: 96000045 [#1] PREEMPT SMP + Modules linked in: + PC is at __set_page_owner+0x48/0x78 + LR is at __set_page_owner+0x44/0x78 + __set_page_owner+0x48/0x78 + get_page_from_freelist+0x880/0x8e8 + __alloc_pages_nodemask+0x14c/0xc48 + __do_page_cache_readahead+0xdc/0x264 + filemap_fault+0x2ac/0x550 + ext4_filemap_fault+0x3c/0x58 + __do_fault+0x80/0x120 + handle_mm_fault+0x704/0xbb0 + do_page_fault+0x2e8/0x394 + do_mem_abort+0x88/0x124 + +Pre-4.7 kernels also need commit f86e4271978b ("mm: check the return +value of lookup_page_ext for all call sites"). + +Link: http://lkml.kernel.org/r/20171107094131.14621-1-jaewon31.kim@samsung.com +Fixes: eefa864b701d ("mm/page_ext: resurrect struct page extending code for debugging") +Signed-off-by: Jaewon Kim +Acked-by: Michal Hocko +Cc: Vlastimil Babka +Cc: Minchan Kim +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Michal Hocko +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_ext.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/mm/page_ext.c ++++ b/mm/page_ext.c +@@ -106,7 +106,6 @@ struct page_ext *lookup_page_ext(struct + struct page_ext *base; + + base = NODE_DATA(page_to_nid(page))->node_page_ext; +-#ifdef CONFIG_DEBUG_VM + /* + * The sanity checks the page allocator does upon freeing a + * page can reach here before the page_ext arrays are +@@ -115,7 +114,6 @@ struct page_ext *lookup_page_ext(struct + */ + if (unlikely(!base)) + return NULL; +-#endif + offset = pfn - round_down(node_start_pfn(page_to_nid(page)), + MAX_ORDER_NR_PAGES); + return base + offset; +@@ -180,7 +178,6 @@ struct page_ext *lookup_page_ext(struct + { + unsigned long pfn = page_to_pfn(page); + struct mem_section *section = __pfn_to_section(pfn); +-#ifdef CONFIG_DEBUG_VM + /* + * The sanity checks the page allocator does upon freeing a + * page can reach here before the page_ext arrays are +@@ -189,7 +186,6 @@ struct page_ext *lookup_page_ext(struct + */ + if (!section->page_ext) + return NULL; +-#endif + return section->page_ext + pfn; + } + diff --git a/queue-4.4/series b/queue-4.4/series index ba9a72c0bee..f71071a6f0e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -14,3 +14,5 @@ ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr.patch ipmi-fix-unsigned-long-underflow.patch mm-page_alloc.c-broken-deferred-calculation.patch coda-fix-kernel-memory-exposure-attempt-in-fsync.patch +mm-check-the-return-value-of-lookup_page_ext-for-all-call-sites.patch +mm-page_ext.c-check-if-page_ext-is-not-prepared.patch