From patchwork Mon Oct 12 13:26:58 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg KH <gregkh@linuxfoundation.org>
X-Patchwork-Id: 270342
Return-Path: <SRS0=uWP8=DT=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,
 MAILING_LIST_MULTI, 
 SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT
 autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 35C7FC43467
 for <stable@archiver.kernel.org>;
 Mon, 12 Oct 2020 13:42:28 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id F120C22202
 for <stable@archiver.kernel.org>;
 Mon, 12 Oct 2020 13:42:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=default; t=1602510148;
 bh=SagM/+ssNdab14RfdeRph0M1lhneTxrqr5Ig6X/gDYo=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From;
 b=laJRt2MHSW0CPrtLdiROer1kNPMmyg/Pzr44EnB5QoOBZr6of5BU878Qtf0JV51av
 KMyZDkJ5UzA7gxoTQTVSnzNhDV4Djnt9yYozFK7og6+zKQPpnshBSHhZ2O1a34/Aot
 Tk/24ox8b1vECqCRhB+vHwAovobNSQQ3QdwVR4ek=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S2389252AbgJLNm0 (ORCPT <rfc822;stable@archiver.kernel.org>);
 Mon, 12 Oct 2020 09:42:26 -0400
Received: from mail.kernel.org ([198.145.29.99]:46216 "EHLO mail.kernel.org"
 rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
 id S1731065AbgJLNlh (ORCPT <rfc822;stable@vger.kernel.org>);
 Mon, 12 Oct 2020 09:41:37 -0400
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (No client certificate requested)
 by mail.kernel.org (Postfix) with ESMTPSA id BA4BE21D81;
 Mon, 12 Oct 2020 13:41:28 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=default; t=1602510089;
 bh=SagM/+ssNdab14RfdeRph0M1lhneTxrqr5Ig6X/gDYo=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=aIHuPzgFrYAugw+Qo0fCFxYfTEQ0m6OvWkrouIRG9sBUm7p5yhZlxO/laaa3SvKpm
 pqdBbgylYK2+dOFHeF9gQqt6HtV3KBs4qYFvZC9vHabvPwDrjkB2qjzP4B7a42t2L8
 Mmtw7JcsWlPcA+rafj6Gr0SxMUpDV0pvl38W2AWg=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 stable@vger.kernel.org, Coly Li <colyli@suse.de>,
 Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>,
 Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@suse.de>,
 Jan Kara <jack@suse.com>, Jens Axboe <axboe@kernel.dk>,
 Mikhail Skorzhinskii <mskorzhinskiy@solarflare.com>,
 Philipp Reisner <philipp.reisner@linbit.com>,
 Sagi Grimberg <sagi@grimberg.me>, Vlastimil Babka <vbabka@suse.com>,
 "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 35/85] net: introduce helper sendpage_ok() in
 include/linux/net.h
Date: Mon, 12 Oct 2020 15:26:58 +0200
Message-Id: <20201012132634.549294666@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201012132632.846779148@linuxfoundation.org>
References: <20201012132632.846779148@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Coly Li <colyli@suse.de>

commit c381b07941adc2274ce552daf86c94701c5e265a upstream.

The original problem was from nvme-over-tcp code, who mistakenly uses
kernel_sendpage() to send pages allocated by __get_free_pages() without
__GFP_COMP flag. Such pages don't have refcount (page_count is 0) on
tail pages, sending them by kernel_sendpage() may trigger a kernel panic
from a corrupted kernel heap, because these pages are incorrectly freed
in network stack as page_count 0 pages.

This patch introduces a helper sendpage_ok(), it returns true if the
checking page,
- is not slab page: PageSlab(page) is false.
- has page refcount: page_count(page) is not zero

All drivers who want to send page to remote end by kernel_sendpage()
may use this helper to check whether the page is OK. If the helper does
not return true, the driver should try other non sendpage method (e.g.
sock_no_sendpage()) to handle the page.

Signed-off-by: Coly Li <colyli@suse.de>
Cc: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Jan Kara <jack@suse.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Mikhail Skorzhinskii <mskorzhinskiy@solarflare.com>
Cc: Philipp Reisner <philipp.reisner@linbit.com>
Cc: Sagi Grimberg <sagi@grimberg.me>
Cc: Vlastimil Babka <vbabka@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/net.h |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -21,6 +21,7 @@
 #include <linux/rcupdate.h>
 #include <linux/once.h>
 #include <linux/fs.h>
+#include <linux/mm.h>
 
 #include <uapi/linux/net.h>
 
@@ -288,6 +289,21 @@ do {									\
 #define net_get_random_once_wait(buf, nbytes)			\
 	get_random_once_wait((buf), (nbytes))
 
+/*
+ * E.g. XFS meta- & log-data is in slab pages, or bcache meta
+ * data pages, or other high order pages allocated by
+ * __get_free_pages() without __GFP_COMP, which have a page_count
+ * of 0 and/or have PageSlab() set. We cannot use send_page for
+ * those, as that does get_page(); put_page(); and would cause
+ * either a VM_BUG directly, or __page_cache_release a page that
+ * would actually still be referenced by someone, leading to some
+ * obscure delayed Oops somewhere else.
+ */
+static inline bool sendpage_ok(struct page *page)
+{
+	return !PageSlab(page) && page_count(page) >= 1;
+}
+
 int kernel_sendmsg(struct socket *sock, struct msghdr *msg, struct kvec *vec,
 		   size_t num, size_t len);
 int kernel_sendmsg_locked(struct sock *sk, struct msghdr *msg,