>>> Coly Li <[email protected]> schrieb am 18.08.2020 um 14:47 in Nachricht
<[email protected]>:
> The original problem was from nvme-over-tcp code, who mistakenly uses
> kernel_sendpage() to send pages allocated by __get_free_pages() without
> __GFP_COMP flag. Such pages don't have refcount (page_count is 0) on
> tail pages, sending them by kernel_sendpage() may trigger a kernel panic
> from a corrupted kernel heap, because these pages are incorrectly freed
> in network stack as page_count 0 pages.
>
> This patch introduces a helper sendpage_ok(), it returns true if the
> checking page,
> - is not slab page: PageSlab(page) is false.
> - has page refcount: page_count(page) is not zero
>
> All drivers who want to send page to remote end by kernel_sendpage()
> may use this helper to check whether the page is OK. If the helper does
> not return true, the driver should try other non sendpage method (e.g.
> sock_no_sendpage()) to handle the page.
>
> Signed-off-by: Coly Li <[email protected]>
> Cc: Chaitanya Kulkarni <[email protected]>
> Cc: Christoph Hellwig <[email protected]>
> Cc: Hannes Reinecke <[email protected]>
> Cc: Jan Kara <[email protected]>
> Cc: Jens Axboe <[email protected]>
> Cc: Mikhail Skorzhinskii <[email protected]>
> Cc: Philipp Reisner <[email protected]>
> Cc: Sagi Grimberg <[email protected]>
> Cc: Vlastimil Babka <[email protected]>
> Cc: [email protected]
> ---
> include/linux/net.h | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/include/linux/net.h b/include/linux/net.h
> index d48ff1180879..a807fad31958 100644
> --- a/include/linux/net.h
> +++ b/include/linux/net.h
> @@ -21,6 +21,7 @@
> #include <linux/rcupdate.h>
> #include <linux/once.h>
> #include <linux/fs.h>
> +#include <linux/mm.h>
> #include <linux/sockptr.h>
>
> #include <uapi/linux/net.h>
> @@ -286,6 +287,21 @@ do {
> \
> #define net_get_random_once_wait(buf, nbytes) \
> get_random_once_wait((buf), (nbytes))
>
> +/*
> + * E.g. XFS meta- & log-data is in slab pages, or bcache meta
> + * data pages, or other high order pages allocated by
> + * __get_free_pages() without __GFP_COMP, which have a page_count
> + * of 0 and/or have PageSlab() set. We cannot use send_page for
> + * those, as that does get_page(); put_page(); and would cause
> + * either a VM_BUG directly, or __page_cache_release a page that
> + * would actually still be referenced by someone, leading to some
> + * obscure delayed Oops somewhere else.
> + */
Actually I think this comment is somewhat mis-placed:
It should describe what the function does (check for specific properties of a
page), but not where this function might be used. Most notably, because the use
(from where it is called) may change over time, while the function will still
do the same thing.
> +static inline bool sendpage_ok(struct page *page)
> +{
> + return (!PageSlab(page) && page_count(page) >= 1);
> +}
> +
> int kernel_sendmsg(struct socket *sock, struct msghdr *msg, struct kvec
> *vec,
> size_t num, size_t len);
> int kernel_sendmsg_locked(struct sock *sk, struct msghdr *msg,
> --
> 2.26.2
>
> --
> You received this message because you are subscribed to the Google Groups
> "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/open-iscsi/20200818124736.5790-2-colyli%40s
> use.de.
--
You received this message because you are subscribed to the Google Groups
"open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/open-iscsi/5F3CBF53020000A10003AB07%40gwsmtp.uni-regensburg.de.
