summaryrefslogtreecommitdiffstats
path: root/mm
diff options
context:
space:
mode:
authorKirill A. Shutemov <kirill.shutemov@linux.intel.com>2016-01-15 19:52:07 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2016-01-15 20:56:32 -0500
commit1c290f642101e64f379e38ea0361d097c08e824d (patch)
tree14667c7c813fa14f6ce63e3fe7f5d14322fff0a6 /mm
parent822cdd1152265d87fcfc974e06c3b68f762987fd (diff)
mm: sanitize page->mapping for tail pages
We don't define meaning of page->mapping for tail pages. Currently it's always NULL, which can be inconsistent with head page and potentially lead to problems. Let's poison the pointer to catch all illigal uses. page_rmapping(), page_mapping() and page_anon_vma() are changed to look on head page. The only illegal use I've caught so far is __GPF_COMP pages from sound subsystem, mapped with PTEs. do_shared_fault() is changed to use page_rmapping() instead of direct access to fault_page->mapping. Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reviewed-by: Jérôme Glisse <jglisse@redhat.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Hugh Dickins <hughd@google.com> Cc: Dave Hansen <dave.hansen@intel.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Rik van Riel <riel@redhat.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Christoph Lameter <cl@linux.com> Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Cc: Steve Capper <steve.capper@linaro.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Michal Hocko <mhocko@suse.cz> Cc: Jerome Marchand <jmarchan@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
-rw-r--r--mm/huge_memory.c2
-rw-r--r--mm/memory.c2
-rw-r--r--mm/page_alloc.c6
-rw-r--r--mm/util.c10
4 files changed, 14 insertions, 6 deletions
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index f952f055fdcf..370d44a5e25b 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1805,7 +1805,7 @@ static void __split_huge_page_refcount(struct page *page,
1805 */ 1805 */
1806 page_tail->_mapcount = page->_mapcount; 1806 page_tail->_mapcount = page->_mapcount;
1807 1807
1808 BUG_ON(page_tail->mapping); 1808 BUG_ON(page_tail->mapping != TAIL_MAPPING);
1809 page_tail->mapping = page->mapping; 1809 page_tail->mapping = page->mapping;
1810 1810
1811 page_tail->index = page->index + i; 1811 page_tail->index = page->index + i;
diff --git a/mm/memory.c b/mm/memory.c
index d4e4d37c1989..f9360dde6967 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3096,7 +3096,7 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma,
3096 * pinned by vma->vm_file's reference. We rely on unlock_page()'s 3096 * pinned by vma->vm_file's reference. We rely on unlock_page()'s
3097 * release semantics to prevent the compiler from undoing this copying. 3097 * release semantics to prevent the compiler from undoing this copying.
3098 */ 3098 */
3099 mapping = fault_page->mapping; 3099 mapping = page_rmapping(fault_page);
3100 unlock_page(fault_page); 3100 unlock_page(fault_page);
3101 if ((dirtied || vma->vm_ops->page_mkwrite) && mapping) { 3101 if ((dirtied || vma->vm_ops->page_mkwrite) && mapping) {
3102 /* 3102 /*
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index ce63d603820f..d02d6436add0 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -466,6 +466,7 @@ void prep_compound_page(struct page *page, unsigned int order)
466 for (i = 1; i < nr_pages; i++) { 466 for (i = 1; i < nr_pages; i++) {
467 struct page *p = page + i; 467 struct page *p = page + i;
468 set_page_count(p, 0); 468 set_page_count(p, 0);
469 p->mapping = TAIL_MAPPING;
469 set_compound_head(p, page); 470 set_compound_head(p, page);
470 } 471 }
471} 472}
@@ -856,6 +857,10 @@ static int free_tail_pages_check(struct page *head_page, struct page *page)
856 ret = 0; 857 ret = 0;
857 goto out; 858 goto out;
858 } 859 }
860 if (page->mapping != TAIL_MAPPING) {
861 bad_page(page, "corrupted mapping in tail page", 0);
862 goto out;
863 }
859 if (unlikely(!PageTail(page))) { 864 if (unlikely(!PageTail(page))) {
860 bad_page(page, "PageTail not set", 0); 865 bad_page(page, "PageTail not set", 0);
861 goto out; 866 goto out;
@@ -866,6 +871,7 @@ static int free_tail_pages_check(struct page *head_page, struct page *page)
866 } 871 }
867 ret = 0; 872 ret = 0;
868out: 873out:
874 page->mapping = NULL;
869 clear_compound_head(page); 875 clear_compound_head(page);
870 return ret; 876 return ret;
871} 877}
diff --git a/mm/util.c b/mm/util.c
index 2d28f7930043..8acb936a52c8 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -386,7 +386,9 @@ struct anon_vma *page_anon_vma(struct page *page)
386 386
387struct address_space *page_mapping(struct page *page) 387struct address_space *page_mapping(struct page *page)
388{ 388{
389 unsigned long mapping; 389 struct address_space *mapping;
390
391 page = compound_head(page);
390 392
391 /* This happens if someone calls flush_dcache_page on slab page */ 393 /* This happens if someone calls flush_dcache_page on slab page */
392 if (unlikely(PageSlab(page))) 394 if (unlikely(PageSlab(page)))
@@ -399,10 +401,10 @@ struct address_space *page_mapping(struct page *page)
399 return swap_address_space(entry); 401 return swap_address_space(entry);
400 } 402 }
401 403
402 mapping = (unsigned long)page->mapping; 404 mapping = page->mapping;
403 if (mapping & PAGE_MAPPING_FLAGS) 405 if ((unsigned long)mapping & PAGE_MAPPING_FLAGS)
404 return NULL; 406 return NULL;
405 return page->mapping; 407 return mapping;
406} 408}
407 409
408int overcommit_ratio_handler(struct ctl_table *table, int write, 410int overcommit_ratio_handler(struct ctl_table *table, int write,
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-10 13:54:04 -0500