Message ID | 20180702152745.27596-1-pasha.tatashin@oracle.com (mailing list archive) |
---|---|
State | New, archived |
On Mon 02-07-18 11:27:45, Pavel Tatashin wrote: > If struct page is poisoned, and uninitialized access is detected via > PF_POISONED_CHECK(page) dump_page() is called to output the page. But, > the dump_page() itself accesses struct page to determine how to print > it, and therefore gets into a recursive loop. > > For example: > dump_page() > __dump_page() > PageSlab(page) > PF_POISONED_CHECK(page) > VM_BUG_ON_PGFLAGS(PagePoisoned(page), page) > dump_page() recursion loop. This deserves a big fat comment in __dump_page. Basically no Page$FOO can be used on an HWPoison page. > Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking") > Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com> Acked-by: Michal Hocko <mhocko@suse.com> > --- > mm/debug.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/mm/debug.c b/mm/debug.c > index 56e2d9125ea5..469b526e6abc 100644 > --- a/mm/debug.c > +++ b/mm/debug.c > @@ -43,12 +43,20 @@ const struct trace_print_flags vmaflag_names[] = { > > void __dump_page(struct page *page, const char *reason) > { > + bool page_poisoned = PagePoisoned(page); > + int mapcount; > + > + if (page_poisoned) { > + pr_emerg("page:%px is uninitialized and poisoned", page); > + goto hex_only; > + } > + > /* > * Avoid VM_BUG_ON() in page_mapcount(). > * page->_mapcount space in struct page is used by sl[aou]b pages to > * encode own info. > */ > - int mapcount = PageSlab(page) ? 0 : page_mapcount(page); > + mapcount = PageSlab(page) ? 0 : page_mapcount(page); > > pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx", > page, page_ref_count(page), mapcount, > @@ -60,6 +68,7 @@ void __dump_page(struct page *page, const char *reason) > > pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags); > > +hex_only: > print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32, > sizeof(unsigned long), page, > sizeof(struct page), false); 
> @@ -68,7 +77,7 @@ void __dump_page(struct page *page, const char *reason) > pr_alert("page dumped because: %s\n", reason); > > #ifdef CONFIG_MEMCG > - if (page->mem_cgroup) > + if (!page_poisoned && page->mem_cgroup) > pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup); > #endif > } > -- > 2.18.0 >
On Mon, Jul 2, 2018 at 11:59 AM Michal Hocko <mhocko@kernel.org> wrote: > > On Mon 02-07-18 11:27:45, Pavel Tatashin wrote: > > If struct page is poisoned, and uninitialized access is detected via > > PF_POISONED_CHECK(page) dump_page() is called to output the page. But, > > the dump_page() itself accesses struct page to determine how to print > > it, and therefore gets into a recursive loop. > > > > For example: > > dump_page() > > __dump_page() > > PageSlab(page) > > PF_POISONED_CHECK(page) > > VM_BUG_ON_PGFLAGS(PagePoisoned(page), page) > > dump_page() recursion loop. > > This deserves a big fat comment in __dump_page. Basically no Page$FOO > can be used on an HWPoison page. > > > Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking") > > Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com> > > Acked-by: Michal Hocko <mhocko@suse.com> Thank you, I will send out an updated version with a comment. Pavel > > > --- > > mm/debug.c | 13 +++++++++++-- > > 1 file changed, 11 insertions(+), 2 deletions(-) > > > > diff --git a/mm/debug.c b/mm/debug.c > > index 56e2d9125ea5..469b526e6abc 100644 > > --- a/mm/debug.c > > +++ b/mm/debug.c > > @@ -43,12 +43,20 @@ const struct trace_print_flags vmaflag_names[] = { > > > > void __dump_page(struct page *page, const char *reason) > > { > > + bool page_poisoned = PagePoisoned(page); > > + int mapcount; > > + > > + if (page_poisoned) { > > + pr_emerg("page:%px is uninitialized and poisoned", page); > > + goto hex_only; > > + } > > + > > /* > > * Avoid VM_BUG_ON() in page_mapcount(). > > * page->_mapcount space in struct page is used by sl[aou]b pages to > > * encode own info. > > */ > > - int mapcount = PageSlab(page) ? 0 : page_mapcount(page); > > + mapcount = PageSlab(page) ? 0 : page_mapcount(page); > > > > pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx", > > page, page_ref_count(page), mapcount, 
> > @@ -60,6 +68,7 @@ void __dump_page(struct page *page, const char *reason) > > > > pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags); > > > > +hex_only: > > print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32, > > sizeof(unsigned long), page, > > sizeof(struct page), false); > > @@ -68,7 +77,7 @@ void __dump_page(struct page *page, const char *reason) > > pr_alert("page dumped because: %s\n", reason); > > > > #ifdef CONFIG_MEMCG > > - if (page->mem_cgroup) > > + if (!page_poisoned && page->mem_cgroup) > > pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup); > > #endif > > } > > -- > > 2.18.0 > > > > -- > Michal Hocko > SUSE Labs >
diff --git a/mm/debug.c b/mm/debug.c
index 56e2d9125ea5..469b526e6abc 100644
--- a/mm/debug.c
+++ b/mm/debug.c
@@ -43,12 +43,20 @@ const struct trace_print_flags vmaflag_names[] = {
 
 void __dump_page(struct page *page, const char *reason)
 {
+ bool page_poisoned = PagePoisoned(page);
+ int mapcount;
+
+ if (page_poisoned) {
+ pr_emerg("page:%px is uninitialized and poisoned", page);
+ goto hex_only;
+ }
+
 /*
 * Avoid VM_BUG_ON() in page_mapcount().
 * page->_mapcount space in struct page is used by sl[aou]b pages to
 * encode own info.
 */
- int mapcount = PageSlab(page) ? 0 : page_mapcount(page);
+ mapcount = PageSlab(page) ? 0 : page_mapcount(page);
 
 pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx",
 page, page_ref_count(page), mapcount,
@@ -60,6 +68,7 @@ void __dump_page(struct page *page, const char *reason)
 
 pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags);
 
+hex_only:
 print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32,
 sizeof(unsigned long), page,
 sizeof(struct page), false);
@@ -68,7 +77,7 @@ void __dump_page(struct page *page, const char *reason)
 pr_alert("page dumped because: %s\n", reason);
 
 #ifdef CONFIG_MEMCG
- if (page->mem_cgroup)
+ if (!page_poisoned && page->mem_cgroup)
 pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup);
 #endif
 }
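Review bot: The new message in the first hunk, `pr_emerg("page:%px is uninitialized and poisoned", page);`, has no trailing newline, and the `goto hex_only` that follows skips whatever line termination the normal path does between the two visible hunks (that part of __dump_page is outside the diff, so this is inferred). Terminating the record explicitly keeps the poisoned-page line from depending on the next printk to flush it: `pr_emerg("page:%px is uninitialized and poisoned\n", page);`. The same line also prints the unhashed struct page address with `%px`, as the neighbouring context line already does; that matches the rest of the dump but is worth remembering when such logs leave the machine.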
If struct page is poisoned, and uninitialized access is detected via PF_POISONED_CHECK(page) dump_page() is called to output the page. But, the dump_page() itself accesses struct page to determine how to print it, and therefore gets into a recursive loop. For example: dump_page() __dump_page() PageSlab(page) PF_POISONED_CHECK(page) VM_BUG_ON_PGFLAGS(PagePoisoned(page), page) dump_page() recursion loop. Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking") Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com> --- mm/debug.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)