The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@xxxxxxxxxxxxxxx>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 1f2803b2660f4b04d48d065072c0ae0c9ca255fd
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@xxxxxxxxxxxxxxx>' --in-reply-to '2023041153-figment-fanfare-e9c7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..

Possible dependencies:

1f2803b2660f ("mm: kfence: fix handling discontiguous page")
3ee2d7471fa4 ("mm: kfence: fix PG_slab and memcg_data clearing")
8f0b36497303 ("mm: kfence: fix objcgs vector allocation")
b33f778bba5e ("kfence: alloc kfence_pool after system startup")
698361bca2d5 ("kfence: allow re-enabling KFENCE after system startup")
07e8481d3c38 ("kfence: always use static branches to guard kfence_alloc()")
08f6b10630f2 ("kfence: limit currently covered allocations when pool nearly full")
a9ab52bbcb52 ("kfence: move saving stack trace of allocations into __kfence_alloc()")
9a19aeb56650 ("kfence: count unexpectedly skipped allocations")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 1f2803b2660f4b04d48d065072c0ae0c9ca255fd Mon Sep 17 00:00:00 2001
From: Muchun Song <muchun.song@xxxxxxxxx>
Date: Thu, 23 Mar 2023 10:50:03 +0800
Subject: [PATCH] mm: kfence: fix handling discontiguous page

The struct pages could be discontiguous when the kfence pool is allocated
via alloc_contig_pages() with CONFIG_SPARSEMEM and
!CONFIG_SPARSEMEM_VMEMMAP.

This may result in setting PG_slab and memcg_data to an arbitrary address
(which may not be used as a struct page), which in the worst case might
corrupt the kernel.

So the iteration should use nth_page().

Link: https://lkml.kernel.org/r/20230323025003.94447-1-songmuchun@xxxxxxxxxxxxx
Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: Muchun Song <songmuchun@xxxxxxxxxxxxx>
Reviewed-by: Marco Elver <elver@xxxxxxxxxx>
Reviewed-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
Cc: Alexander Potapenko <glider@xxxxxxxxxx>
Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Cc: Jann Horn <jannh@xxxxxxxxxx>
Cc: SeongJae Park <sjpark@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>

diff --git a/mm/kfence/core.c b/mm/kfence/core.c index d66092dd187c..1065e0568d05 100644 --- a/mm/kfence/core.c +++ b/mm/kfence/core.c @@ -556,7 +556,7 @@ static unsigned long kfence_init_pool(void) * enters __slab_free() slow-path. */ for (i = 0; i < KFENCE_POOL_SIZE / PAGE_SIZE; i++) { - struct slab *slab = page_slab(&pages[i]); + struct slab *slab = page_slab(nth_page(pages, i)); if (!i || (i % 2)) continue; @@ -602,7 +602,7 @@ static unsigned long kfence_init_pool(void) reset_slab: for (i = 0; i < KFENCE_POOL_SIZE / PAGE_SIZE; i++) { - struct slab *slab = page_slab(&pages[i]); + struct slab *slab = page_slab(nth_page(pages, i)); if (!i || (i % 2)) continue;
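Review bot: the @@ -556 hunk leaves no trace in the code of why `&pages[i]` is wrong here, and `&pages[i]` is exactly the idiom a later cleanup would reintroduce; a one-line comment above the loop, along the lines of `/* struct pages may be discontiguous (SPARSEMEM && !SPARSEMEM_VMEMMAP); never index pages[] directly */`, would pin the commit message's rationale to the spot. Secondary point on the same hunk: `page_slab(nth_page(pages, i))` is evaluated before the `if (!i || (i % 2)) continue;` skip, so the lookup is done for the guard pages too; moving it below the skip check avoids that work on half the pool.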
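Review bot: the reset_slab unwind loop in the @@ -602 hunk repeats the setup loop's iteration line for line (`for (i = 0; i < KFENCE_POOL_SIZE / PAGE_SIZE; i++)`, `page_slab(nth_page(pages, i))`, `if (!i || (i % 2)) continue;`), and the two had to be patched in lockstep here; a small helper that returns the i-th pool page (or the slab for it) would make it impossible for one loop to drift back to direct indexing while the other uses nth_page(). It would also be worth confirming, before this goes to stable, that no other walk over the pool by struct page index remains in core.c, since the Fixes tag points at the infrastructure commit that introduced the pattern.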
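The failure mode in the commit message, modelled in user-space C as an added example (this is not kernel code and not part of the patch): a toy SPARSEMEM layout without vmemmap in which each section's struct page array is a separate allocation, an nth_page() that steps by pfn the way the non-vmemmap kernel variant does, and the kfence_init_pool() loop written both ways. The sizes (4 pages per section, an 8-page pool starting at pfn 2), the canary slots after each array and every identifier are assumptions of the model, chosen so the buggy path can run without faulting and its stray writes can be counted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy SPARSEMEM layout with assumed sizes; none of this is kernel code. */
#define SECTION_SHIFT     2
#define PAGES_PER_SECTION (1UL << SECTION_SHIFT)   /* 4 pages per section */
#define NR_SECTIONS       4
#define POOL_PAGES        8                        /* stands in for KFENCE_POOL_SIZE / PAGE_SIZE */
#define PG_slab           (1UL << 0)
#define CANARY            0xCAFEBABEUL             /* bit 0 clear, so a PG_slab write changes it */
#define NO_PFN            (~0UL)

struct page { unsigned long flags; unsigned long memcg_data; };

/* Without CONFIG_SPARSEMEM_VMEMMAP every section has its own separately
 * allocated struct page array. POOL_PAGES canary-filled slots follow each
 * array so that stray writes stay inside the allocation and can be counted. */
static struct page *section_mem_map[NR_SECTIONS];

static void init_mem_map(void)
{
    for (int s = 0; s < NR_SECTIONS; s++) {
        free(section_mem_map[s]);
        section_mem_map[s] = calloc(PAGES_PER_SECTION + POOL_PAGES, sizeof(struct page));
        if (!section_mem_map[s])
            abort();
        for (unsigned long k = PAGES_PER_SECTION; k < PAGES_PER_SECTION + POOL_PAGES; k++)
            section_mem_map[s][k].flags = CANARY;
    }
}

static struct page *pfn_to_page(unsigned long pfn)
{
    return &section_mem_map[pfn >> SECTION_SHIFT][pfn & (PAGES_PER_SECTION - 1)];
}

/* Reverse lookup by section; NO_PFN if the pointer is not a struct page at all. */
static unsigned long page_to_pfn(const struct page *page)
{
    uintptr_t a = (uintptr_t)page;
    for (unsigned long s = 0; s < NR_SECTIONS; s++) {
        uintptr_t lo = (uintptr_t)section_mem_map[s];
        if (a >= lo && a < lo + PAGES_PER_SECTION * sizeof(struct page))
            return (s << SECTION_SHIFT) + (a - lo) / sizeof(struct page);
    }
    return NO_PFN;
}

/* The non-vmemmap nth_page(): advance by pfn, then map back to a struct page. */
static struct page *nth_page(struct page *page, unsigned long n)
{
    return pfn_to_page(page_to_pfn(page) + n);
}

/* Same shape as the kfence_init_pool() loop: index 0 and odd indices are guard
 * pages and are skipped, the others get PG_slab. Returns how many writes hit
 * memory that is not a struct page. */
static int mark_pool_slab(unsigned long start_pfn, bool use_nth_page)
{
    struct page *pages = pfn_to_page(start_pfn);
    int stray = 0;

    for (unsigned long i = 0; i < POOL_PAGES; i++) {
        struct page *page = use_nth_page ? nth_page(pages, i) : &pages[i];

        if (!i || (i % 2))
            continue;
        if (page_to_pfn(page) == NO_PFN)
            stray++;                  /* &pages[i] walked past the section's array */
        page->flags |= PG_slab;
    }
    return stray;
}

/* Real pages marked PG_slab, and canary slots that were overwritten. */
static int count_slab_pages(void)
{
    int n = 0;
    for (int s = 0; s < NR_SECTIONS; s++)
        for (unsigned long k = 0; k < PAGES_PER_SECTION; k++)
            n += !!(section_mem_map[s][k].flags & PG_slab);
    return n;
}

static int count_clobbered_canaries(void)
{
    int n = 0;
    for (int s = 0; s < NR_SECTIONS; s++)
        for (unsigned long k = PAGES_PER_SECTION; k < PAGES_PER_SECTION + POOL_PAGES; k++)
            n += section_mem_map[s][k].flags != CANARY;
    return n;
}

int main(void)
{
    /* An 8-page pool at pfn 2: one contiguous pfn range that spans sections 0, 1 and 2. */
    init_mem_map();
    int stray = mark_pool_slab(2, false);
    printf("&pages[i]: stray=%d slab=%d clobbered=%d\n", stray, count_slab_pages(), count_clobbered_canaries());
    init_mem_map();
    stray = mark_pool_slab(2, true);
    printf("nth_page : stray=%d slab=%d clobbered=%d\n", stray, count_slab_pages(), count_clobbered_canaries());
    return 0;
}
```

With direct indexing every non-guard write of the 8-page pool lands past the end of section 0's array (three stray writes, zero real pages marked, three canaries overwritten); with nth_page() the same three writes land on pfns 4, 6 and 8 in sections 1 and 2. Under CONFIG_SPARSEMEM_VMEMMAP the two spellings coincide because the vmemmap makes the whole struct page array virtually contiguous, which is why the bug only shows up in the configuration the commit message names.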