diff options
| author | Kirill A. Shutemov <kirill.shutemov@linux.intel.com> | 2016-01-15 19:52:07 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-01-15 20:56:32 -0500 |
| commit | 1c290f642101e64f379e38ea0361d097c08e824d (patch) | |
| tree | 14667c7c813fa14f6ce63e3fe7f5d14322fff0a6 /mm/page_alloc.c | |
| parent | 822cdd1152265d87fcfc974e06c3b68f762987fd (diff) | |
mm: sanitize page->mapping for tail pages
We don't define meaning of page->mapping for tail pages. Currently it's
always NULL, which can be inconsistent with head page and potentially
lead to problems.
Let's poison the pointer to catch all illigal uses.
page_rmapping(), page_mapping() and page_anon_vma() are changed to look
on head page.
The only illegal use I've caught so far is __GPF_COMP pages from sound
subsystem, mapped with PTEs. do_shared_fault() is changed to use
page_rmapping() instead of direct access to fault_page->mapping.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Steve Capper <steve.capper@linaro.org>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/page_alloc.c')
| -rw-r--r-- | mm/page_alloc.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/mm/page_alloc.c b/mm/page_alloc.c index ce63d603820f..d02d6436add0 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c | |||
| @@ -466,6 +466,7 @@ void prep_compound_page(struct page *page, unsigned int order) | |||
| 466 | for (i = 1; i < nr_pages; i++) { | 466 | for (i = 1; i < nr_pages; i++) { |
| 467 | struct page *p = page + i; | 467 | struct page *p = page + i; |
| 468 | set_page_count(p, 0); | 468 | set_page_count(p, 0); |
| 469 | p->mapping = TAIL_MAPPING; | ||
| 469 | set_compound_head(p, page); | 470 | set_compound_head(p, page); |
| 470 | } | 471 | } |
| 471 | } | 472 | } |
| @@ -856,6 +857,10 @@ static int free_tail_pages_check(struct page *head_page, struct page *page) | |||
| 856 | ret = 0; | 857 | ret = 0; |
| 857 | goto out; | 858 | goto out; |
| 858 | } | 859 | } |
| 860 | if (page->mapping != TAIL_MAPPING) { | ||
| 861 | bad_page(page, "corrupted mapping in tail page", 0); | ||
| 862 | goto out; | ||
| 863 | } | ||
| 859 | if (unlikely(!PageTail(page))) { | 864 | if (unlikely(!PageTail(page))) { |
| 860 | bad_page(page, "PageTail not set", 0); | 865 | bad_page(page, "PageTail not set", 0); |
| 861 | goto out; | 866 | goto out; |
| @@ -866,6 +871,7 @@ static int free_tail_pages_check(struct page *head_page, struct page *page) | |||
| 866 | } | 871 | } |
| 867 | ret = 0; | 872 | ret = 0; |
| 868 | out: | 873 | out: |
| 874 | page->mapping = NULL; | ||
| 869 | clear_compound_head(page); | 875 | clear_compound_head(page); |
| 870 | return ret; | 876 | return ret; |
| 871 | } | 877 | } |