This patch it not meant to be accepted as is, but I'm including it to
illustrate the case where using the top byte of kernel pointers causes
issues with the current code.
What happens here, is jbd2/journal.c code was written to account for archs
that don't keep high memory mapped all the time, but rather map and unmap
particular pages when needed. Instead of storing a pointer to the kernel
memory, journal code saves the address of the page structure and offset
within that page for later use. Those pages are then mapped and unmapped
with kmap/kunmap when necessary and virt_to_page is used to get the virtual
address of the page. For arm64 (that keeps the high memory mapped all the
time), kmap is turned into a page_address call.
The issue is that with use of the page_address + virt_to_page sequence
the top byte value of the original pointer gets lost. Right now this is
fixed by simply adding annotations to the code, that fix up the top byte
values, but a more generic solution will probably be needed.
---
fs/jbd2/journal.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 3fbf48ec2188..8b65d2c49b61 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -365,6 +365,7 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction,
unsigned int new_offset;
struct buffer_head *bh_in = jh2bh(jh_in);
journal_t *journal = transaction->t_journal;
+ u8 new_page_tag = 0xff;
/*
* The buffer really shouldn't be locked: only the current committing
@@ -392,12 +393,14 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction,
done_copy_out = 1;
new_page = virt_to_page(jh_in->b_frozen_data);
new_offset = offset_in_page(jh_in->b_frozen_data);
+ new_page_tag = khwasan_get_tag(jh_in->b_frozen_data);
} else {
new_page = jh2bh(jh_in)->b_page;
new_offset = offset_in_page(jh2bh(jh_in)->b_data);
}
mapped_data = kmap_atomic(new_page);
+ mapped_data = khwasan_set_tag(mapped_data, new_page_tag);
/*
* Fire data frozen trigger if data already wasn't frozen. Do this
* before checking for escaping, as the trigger may modify the magic
@@ -438,10 +441,12 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction,
jh_in->b_frozen_data = tmp;
mapped_data = kmap_atomic(new_page);
+ mapped_data = khwasan_set_tag(mapped_data, new_page_tag);
memcpy(tmp, mapped_data + new_offset, bh_in->b_size);
kunmap_atomic(mapped_data);
new_page = virt_to_page(tmp);
+ new_page_tag = khwasan_get_tag(tmp);
new_offset = offset_in_page(tmp);
done_copy_out = 1;
@@ -459,6 +464,7 @@ int jbd2_journal_write_metadata_buffer(transaction_t *transaction,
*/
if (do_escape) {
mapped_data = kmap_atomic(new_page);
+ mapped_data = khwasan_set_tag(mapped_data, new_page_tag);
*((unsigned int *)(mapped_data + new_offset)) = 0;
kunmap_atomic(mapped_data);
}
--
2.16.2.395.g2e18187dfd-goog
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
