[PATCH 4.17 03/56] mm: teach dump_page() to correctly output poisoned struct pages

From: Greg Kroah-Hartman
Date: Tue Jul 10 2018 - 14:34:58 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.17 21/56] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting"
Previous message: Greg Kroah-Hartman: "[PATCH 4.17 20/56] cifs: Fix memory leak in smb2_set_ea()"
In reply to: Greg Kroah-Hartman: "[PATCH 4.17 20/56] cifs: Fix memory leak in smb2_set_ea()"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.17 21/56] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.17-stable review patch. If anyone has any objections, please let me know.

------------------

From: Pavel Tatashin <pasha.tatashin@xxxxxxxxxx>

commit fc36def997cfd6cbff3eda4f82853a5c311c5466 upstream.

If struct page is poisoned, and uninitialized access is detected via
PF_POISONED_CHECK(page) dump_page() is called to output the page. But,
the dump_page() itself accesses struct page to determine how to print
it, and therefore gets into a recursive loop.

For example:

dump_page()
__dump_page()
PageSlab(page)
PF_POISONED_CHECK(page)
VM_BUG_ON_PGFLAGS(PagePoisoned(page), page)
dump_page() recursion loop.

Link: http://lkml.kernel.org/r/20180702180536.2552-1-pasha.tatashin@xxxxxxxxxx
Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking")
Signed-off-by: Pavel Tatashin <pasha.tatashin@xxxxxxxxxx>
Acked-by: Michal Hocko <mhocko@xxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
mm/debug.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)

--- a/mm/debug.c
+++ b/mm/debug.c
@@ -43,12 +43,25 @@ const struct trace_print_flags vmaflag_n

void __dump_page(struct page *page, const char *reason)
{
+ bool page_poisoned = PagePoisoned(page);
+ int mapcount;
+
+ /*
+ * If struct page is poisoned don't access Page*() functions as that
+ * leads to recursive loop. Page*() check for poisoned pages, and calls
+ * dump_page() when detected.
+ */
+ if (page_poisoned) {
+ pr_emerg("page:%px is uninitialized and poisoned", page);
+ goto hex_only;
+ }
+
/*
* Avoid VM_BUG_ON() in page_mapcount().
* page->_mapcount space in struct page is used by sl[aou]b pages to
* encode own info.
*/
- int mapcount = PageSlab(page) ? 0 : page_mapcount(page);
+ mapcount = PageSlab(page) ? 0 : page_mapcount(page);

pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx",
page, page_ref_count(page), mapcount,
@@ -60,6 +73,7 @@ void __dump_page(struct page *page, cons

pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags);

+hex_only:
print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32,
sizeof(unsigned long), page,
sizeof(struct page), false);
@@ -68,7 +82,7 @@ void __dump_page(struct page *page, cons
pr_alert("page dumped because: %s\n", reason);

#ifdef CONFIG_MEMCG
- if (page->mem_cgroup)
+ if (!page_poisoned && page->mem_cgroup)
pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup);
#endif
}

Next message: Greg Kroah-Hartman: "[PATCH 4.17 21/56] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting"
Previous message: Greg Kroah-Hartman: "[PATCH 4.17 20/56] cifs: Fix memory leak in smb2_set_ea()"
In reply to: Greg Kroah-Hartman: "[PATCH 4.17 20/56] cifs: Fix memory leak in smb2_set_ea()"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.17 21/56] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]