From patchwork Sun May 16 12:30:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Wilcox X-Patchwork-Id: 441107 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BDBABC43460 for ; Sun, 16 May 2021 12:30:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A17EF61185 for ; Sun, 16 May 2021 12:30:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230185AbhEPMbo (ORCPT ); Sun, 16 May 2021 08:31:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232900AbhEPMbo (ORCPT ); Sun, 16 May 2021 08:31:44 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CC330C061573 for ; Sun, 16 May 2021 05:30:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=Content-Transfer-Encoding:MIME-Version: Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:In-Reply-To:References; bh=3q6QbWVrB12KpwQ5dL+xYa2djOucM0M6SP/UE/bRldA=; b=e+A1WutseEDWAvohplsYMnzYtW Ao1H/xMKaGTVXWRUNdo1tWFHMvbAsjT1aC4qTHtbtVQZ+wNAI+ivKwrDEa/5KVNfT/sXVgc1EZDKY jW6Rv0w1CMkp8+nPJ7xncINwZXZop9aT5JSM37B8ex8w83dQAHLUeaRsstg62heTkx3iJ/sTBrfmc BkXUu6VW894Dao/F8sxscLZrTemWtWS1Ctq9Fm9avVSudfSHxZbUZSfUunWgTzEgL2KksbE5M8XnN l7afMTBbJrlgla4VlfSDSOo+duDAJmLxBvfjG2kj+ANfko51S3Kv5/CwI8xVyfIjlbplqZCM5QpvT 4SqBqTnQ==; Received: from willy by casper.infradead.org with local (Exim 4.94 #2 (Red Hat Linux)) id 1liFuM-00C0c6-Gd; Sun, 16 May 2021 12:30:12 +0000 From: "Matthew Wilcox (Oracle)" To: stable@vger.kernel.org Cc: "Matthew Wilcox (Oracle)" , Ilias Apalodimas , Jesper Dangaard Brouer , Vlastimil Babka , Matteo Croce , Andrew Morton , Linus Torvalds Subject: [PATCH 5.4] mm: fix struct page layout on 32-bit systems Date: Sun, 16 May 2021 13:30:06 +0100 Message-Id: <20210516123006.2862183-1-willy@infradead.org> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org commit 9ddb3c14afba8bc5950ed297f02d4ae05ff35cd1 upstream 32-bit architectures which expect 8-byte alignment for 8-byte integers and need 64-bit DMA addresses (arm, mips, ppc) had their struct page inadvertently expanded in 2019. When the dma_addr_t was added, it forced the alignment of the union to 8 bytes, which inserted a 4 byte gap between 'flags' and the union. Fix this by storing the dma_addr_t in one or two adjacent unsigned longs. This restores the alignment to that of an unsigned long. We always store the low bits in the first word to prevent the PageTail bit from being inadvertently set on a big endian platform. If that happened, get_user_pages_fast() racing against a page which was freed and reallocated to the page_pool could dereference a bogus compound_head(), which would be hard to trace back to this cause. Link: https://lkml.kernel.org/r/20210510153211.1504886-1-willy@infradead.org Fixes: c25fff7171be ("mm: add dma_addr_t to struct page") Signed-off-by: Matthew Wilcox (Oracle) Acked-by: Ilias Apalodimas Acked-by: Jesper Dangaard Brouer Acked-by: Vlastimil Babka Tested-by: Matteo Croce Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- include/linux/mm_types.h | 4 ++-- include/net/page_pool.h | 12 +++++++++++- net/core/page_pool.c | 6 +++--- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 270aa8fd2800..2b3b2fc1cb33 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -95,10 +95,10 @@ struct page { }; struct { /* page_pool used by netstack */ /** - * @dma_addr: might require a 64-bit value even on + * @dma_addr: might require a 64-bit value on * 32-bit architectures. */ - dma_addr_t dma_addr; + unsigned long dma_addr[2]; }; struct { /* slab, slob and slub */ union { diff --git a/include/net/page_pool.h b/include/net/page_pool.h index 1121faa99c12..cf086e13bd25 100644 --- a/include/net/page_pool.h +++ b/include/net/page_pool.h @@ -185,7 +185,17 @@ static inline void page_pool_release_page(struct page_pool *pool, static inline dma_addr_t page_pool_get_dma_addr(struct page *page) { - return page->dma_addr; + dma_addr_t ret = page->dma_addr[0]; + if (sizeof(dma_addr_t) > sizeof(unsigned long)) + ret |= (dma_addr_t)page->dma_addr[1] << 16 << 16; + return ret; +} + +static inline void page_pool_set_dma_addr(struct page *page, dma_addr_t addr) +{ + page->dma_addr[0] = addr; + if (sizeof(dma_addr_t) > sizeof(unsigned long)) + page->dma_addr[1] = upper_32_bits(addr); } static inline bool is_page_pool_compiled_in(void) diff --git a/net/core/page_pool.c b/net/core/page_pool.c index dfc2501c35d9..335f68eaaa05 100644 --- a/net/core/page_pool.c +++ b/net/core/page_pool.c @@ -157,7 +157,7 @@ static struct page *__page_pool_alloc_pages_slow(struct page_pool *pool, put_page(page); return NULL; } - page->dma_addr = dma; + page_pool_set_dma_addr(page, dma); skip_dma_map: /* Track how many pages are held 'in-flight' */ @@ -216,12 +216,12 @@ static void __page_pool_clean_page(struct page_pool *pool, if (!(pool->p.flags & PP_FLAG_DMA_MAP)) goto skip_dma_unmap; - dma = page->dma_addr; + dma = page_pool_get_dma_addr(page); /* DMA unmap */ dma_unmap_page_attrs(pool->p.dev, dma, PAGE_SIZE << pool->p.order, pool->p.dma_dir, DMA_ATTR_SKIP_CPU_SYNC); - page->dma_addr = 0; + page_pool_set_dma_addr(page, 0); skip_dma_unmap: /* This may be the last page returned, releasing the pool, so * it is not safe to reference pool afterwards.