diff mbox

mm: teach dump_page() to correctly output poisoned struct pages

Message ID 20180702152745.27596-1-pasha.tatashin@oracle.com
State New, archived
Headers show

Commit Message

Pavel Tatashin July 2, 2018, 3:27 p.m. UTC
If struct page is poisoned, and uninitialized access is detected via
PF_POISONED_CHECK(page) dump_page() is called to output the page. But,
the dump_page() itself accesses struct page to determine how to print
it, and therefore gets into a recursive loop.

For example:
dump_page()
 __dump_page()
  PageSlab(page)
   PF_POISONED_CHECK(page)
    VM_BUG_ON_PGFLAGS(PagePoisoned(page), page)
     dump_page() recursion loop.

Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking")

Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
---
 mm/debug.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Comments

Michal Hocko July 2, 2018, 3:58 p.m. UTC | #1
On Mon 02-07-18 11:27:45, Pavel Tatashin wrote:
> If struct page is poisoned, and uninitialized access is detected via
> PF_POISONED_CHECK(page) dump_page() is called to output the page. But,
> the dump_page() itself accesses struct page to determine how to print
> it, and therefore gets into a recursive loop.
> 
> For example:
> dump_page()
>  __dump_page()
>   PageSlab(page)
>    PF_POISONED_CHECK(page)
>     VM_BUG_ON_PGFLAGS(PagePoisoned(page), page)
>      dump_page() recursion loop.

This deserves a big fat comment in __dump_page. Basically no Page$FOO
can be used on an HWPoison page.
 
> Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking")
> Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>

Acked-by: Michal Hocko <mhocko@suse.com>

> ---
>  mm/debug.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/mm/debug.c b/mm/debug.c
> index 56e2d9125ea5..469b526e6abc 100644
> --- a/mm/debug.c
> +++ b/mm/debug.c
> @@ -43,12 +43,20 @@ const struct trace_print_flags vmaflag_names[] = {
>  
>  void __dump_page(struct page *page, const char *reason)
>  {
> +	bool page_poisoned = PagePoisoned(page);
> +	int mapcount;
> +
> +	if (page_poisoned) {
> +		pr_emerg("page:%px is uninitialized and poisoned", page);
> +		goto hex_only;
> +	}
> +
>  	/*
>  	 * Avoid VM_BUG_ON() in page_mapcount().
>  	 * page->_mapcount space in struct page is used by sl[aou]b pages to
>  	 * encode own info.
>  	 */
> -	int mapcount = PageSlab(page) ? 0 : page_mapcount(page);
> +	mapcount = PageSlab(page) ? 0 : page_mapcount(page);
>  
>  	pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx",
>  		  page, page_ref_count(page), mapcount,
> @@ -60,6 +68,7 @@ void __dump_page(struct page *page, const char *reason)
>  
>  	pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags);
>  
> +hex_only:
>  	print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32,
>  			sizeof(unsigned long), page,
>  			sizeof(struct page), false);
> @@ -68,7 +77,7 @@ void __dump_page(struct page *page, const char *reason)
>  		pr_alert("page dumped because: %s\n", reason);
>  
>  #ifdef CONFIG_MEMCG
> -	if (page->mem_cgroup)
> +	if (!page_poisoned && page->mem_cgroup)
>  		pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup);
>  #endif
>  }
> -- 
> 2.18.0
>
Pavel Tatashin July 2, 2018, 5:54 p.m. UTC | #2
On Mon, Jul 2, 2018 at 11:59 AM Michal Hocko <mhocko@kernel.org> wrote:
>
> On Mon 02-07-18 11:27:45, Pavel Tatashin wrote:
> > If struct page is poisoned, and uninitialized access is detected via
> > PF_POISONED_CHECK(page) dump_page() is called to output the page. But,
> > the dump_page() itself accesses struct page to determine how to print
> > it, and therefore gets into a recursive loop.
> >
> > For example:
> > dump_page()
> >  __dump_page()
> >   PageSlab(page)
> >    PF_POISONED_CHECK(page)
> >     VM_BUG_ON_PGFLAGS(PagePoisoned(page), page)
> >      dump_page() recursion loop.
>
> This deserves a big fat comment in __dump_page. Basically no Page$FOO
> can be used on an HWPoison page.
>
> > Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking")
> > Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
>
> Acked-by: Michal Hocko <mhocko@suse.com>

Thank you, I will send out an updated version with a comment.

Pavel

>
> > ---
> >  mm/debug.c | 13 +++++++++++--
> >  1 file changed, 11 insertions(+), 2 deletions(-)
> >
> > diff --git a/mm/debug.c b/mm/debug.c
> > index 56e2d9125ea5..469b526e6abc 100644
> > --- a/mm/debug.c
> > +++ b/mm/debug.c
> > @@ -43,12 +43,20 @@ const struct trace_print_flags vmaflag_names[] = {
> >
> >  void __dump_page(struct page *page, const char *reason)
> >  {
> > +     bool page_poisoned = PagePoisoned(page);
> > +     int mapcount;
> > +
> > +     if (page_poisoned) {
> > +             pr_emerg("page:%px is uninitialized and poisoned", page);
> > +             goto hex_only;
> > +     }
> > +
> >       /*
> >        * Avoid VM_BUG_ON() in page_mapcount().
> >        * page->_mapcount space in struct page is used by sl[aou]b pages to
> >        * encode own info.
> >        */
> > -     int mapcount = PageSlab(page) ? 0 : page_mapcount(page);
> > +     mapcount = PageSlab(page) ? 0 : page_mapcount(page);
> >
> >       pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx",
> >                 page, page_ref_count(page), mapcount,
> > @@ -60,6 +68,7 @@ void __dump_page(struct page *page, const char *reason)
> >
> >       pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags);
> >
> > +hex_only:
> >       print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32,
> >                       sizeof(unsigned long), page,
> >                       sizeof(struct page), false);
> > @@ -68,7 +77,7 @@ void __dump_page(struct page *page, const char *reason)
> >               pr_alert("page dumped because: %s\n", reason);
> >
> >  #ifdef CONFIG_MEMCG
> > -     if (page->mem_cgroup)
> > +     if (!page_poisoned && page->mem_cgroup)
> >               pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup);
> >  #endif
> >  }
> > --
> > 2.18.0
> >
>
> --
> Michal Hocko
> SUSE Labs
>
diff mbox

Patch

diff --git a/mm/debug.c b/mm/debug.c
index 56e2d9125ea5..469b526e6abc 100644
--- a/mm/debug.c
+++ b/mm/debug.c
@@ -43,12 +43,20 @@  const struct trace_print_flags vmaflag_names[] = {
 
 void __dump_page(struct page *page, const char *reason)
 {
+	bool page_poisoned = PagePoisoned(page);
+	int mapcount;
+
+	if (page_poisoned) {
+		pr_emerg("page:%px is uninitialized and poisoned", page);
+		goto hex_only;
+	}
+
 	/*
 	 * Avoid VM_BUG_ON() in page_mapcount().
 	 * page->_mapcount space in struct page is used by sl[aou]b pages to
 	 * encode own info.
 	 */
-	int mapcount = PageSlab(page) ? 0 : page_mapcount(page);
+	mapcount = PageSlab(page) ? 0 : page_mapcount(page);
 
 	pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx",
 		  page, page_ref_count(page), mapcount,
@@ -60,6 +68,7 @@  void __dump_page(struct page *page, const char *reason)
 
 	pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags);
 
+hex_only:
 	print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32,
 			sizeof(unsigned long), page,
 			sizeof(struct page), false);
@@ -68,7 +77,7 @@  void __dump_page(struct page *page, const char *reason)
 		pr_alert("page dumped because: %s\n", reason);
 
 #ifdef CONFIG_MEMCG
-	if (page->mem_cgroup)
+	if (!page_poisoned && page->mem_cgroup)
 		pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup);
 #endif
 }