diff options
author | Matthew Wilcox (Oracle) <willy@infradead.org> | 2024-11-25 20:17:19 +0000 |
---|---|---|
committer | Andrew Morton <akpm@linux-foundation.org> | 2024-12-05 19:54:45 -0800 |
commit | 6a7de1bf218d75f27f68d6a3f5ae1eb7332b941e (patch) | |
tree | 82629ff29f55b989191db0463fd76b00fb38828b /mm/debug.c | |
parent | 4de22b2a6a7477d84d9a01eb6b62a9117309d722 (diff) | |
download | lwn-6a7de1bf218d75f27f68d6a3f5ae1eb7332b941e.tar.gz lwn-6a7de1bf218d75f27f68d6a3f5ae1eb7332b941e.zip |
mm: open-code page_folio() in dump_page()
page_folio() calls page_fixed_fake_head() which will misidentify this page
as being a fake head and load off the end of 'precise'. We may have a
pointer to a fake head, but that's OK because it contains the right
information for dump_page().
gcc-15 is smart enough to catch this with -Warray-bounds:
In function 'page_fixed_fake_head',
inlined from '_compound_head' at ../include/linux/page-flags.h:251:24,
inlined from '__dump_page' at ../mm/debug.c:123:11:
../include/asm-generic/rwonce.h:44:26: warning: array subscript 9 is outside
+array bounds of 'struct page[1]' [-Warray-bounds=]
Link: https://lkml.kernel.org/r/20241125201721.2963278-2-willy@infradead.org
Fixes: fae7d834c43c ("mm: add __dump_folio()")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reported-by: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Diffstat (limited to 'mm/debug.c')
-rw-r--r-- | mm/debug.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/mm/debug.c b/mm/debug.c index aa57d3ffd4ed..95b6ab809c0e 100644 --- a/mm/debug.c +++ b/mm/debug.c @@ -124,19 +124,22 @@ static void __dump_page(const struct page *page) { struct folio *foliop, folio; struct page precise; + unsigned long head; unsigned long pfn = page_to_pfn(page); unsigned long idx, nr_pages = 1; int loops = 5; again: memcpy(&precise, page, sizeof(*page)); - foliop = page_folio(&precise); - if (foliop == (struct folio *)&precise) { + head = precise.compound_head; + if ((head & 1) == 0) { + foliop = (struct folio *)&precise; idx = 0; if (!folio_test_large(foliop)) goto dump; foliop = (struct folio *)page; } else { + foliop = (struct folio *)(head - 1); idx = folio_page_idx(foliop, page); } |