This patch it not meant to be accepted as is, but I'm including it to illustrate the case where using the top byte of kernel pointers causes issues with the current code. What happens here, is jbd2/journal.c code was written to account for archs that don't keep high memory mapped all the time, but rather map and unmap particular pages when needed. Instead of storing a pointer to the kernel memory, journal code saves the address of the page structure and offset within that page for later use. Those pages are then mapped and unmapped with kmap/kunmap when necessary and virt_to_page is used to get the virtual address of the page. For arm64 (that keeps the high memory mapped all the time), kmap is turned into a page_address call. The issue is that with use of the page_address + virt_to_page sequence the top byte value of the original pointer gets lost. Right now this is fixed by simply adding annotations to the code, that fix up the top byte values, but a more generic solution will probably be needed. --- fs/jbd2/journal.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c index 3fbf48ec2188..8b65d2c49b61 100644 --- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c @@ -365,6 +365,7 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction, unsigned int new_offset; struct buffer_head *bh_in = jh2bh(jh_in); journal_t *journal = transaction->t_journal; + u8 new_page_tag = 0xff; /* * The buffer really shouldn't be locked: only the current committing @@ -392,12 +393,14 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction, done_copy_out = 1; new_page = virt_to_page(jh_in->b_frozen_data); new_offset = offset_in_page(jh_in->b_frozen_data); + new_page_tag = khwasan_get_tag(jh_in->b_frozen_data); } else { new_page = jh2bh(jh_in)->b_page; new_offset = offset_in_page(jh2bh(jh_in)->b_data); } mapped_data = kmap_atomic(new_page); + mapped_data = khwasan_set_tag(mapped_data, new_page_tag); /* * Fire data frozen trigger if data already wasn't frozen. Do this * before checking for escaping, as the trigger may modify the magic @@ -438,10 +441,12 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction, jh_in->b_frozen_data = tmp; mapped_data = kmap_atomic(new_page); + mapped_data = khwasan_set_tag(mapped_data, new_page_tag); memcpy(tmp, mapped_data + new_offset, bh_in->b_size); kunmap_atomic(mapped_data); new_page = virt_to_page(tmp); + new_page_tag = khwasan_get_tag(tmp); new_offset = offset_in_page(tmp); done_copy_out = 1; @@ -459,6 +464,7 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction, */ if (do_escape) { mapped_data = kmap_atomic(new_page); + mapped_data = khwasan_set_tag(mapped_data, new_page_tag); *((unsigned int *)(mapped_data + new_offset)) = 0; kunmap_atomic(mapped_data); } -- 2.16.2.395.g2e18187dfd-goog -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>