Re: [PATCH resend] mm/page_alloc: fix comment is __get_free_pages

From: Andrew Morton
Date: Thu Dec 14 2017 - 15:33:18 EST


On Thu, 14 Dec 2017 15:06:08 +0100 Michal Hocko <mhocko@xxxxxxxxxx> wrote:

> On Fri 01-12-17 12:18:45, Michal Hocko wrote:
> > On Fri 01-12-17 08:24:14, Michal Hocko wrote:
> > > On Thu 30-11-17 13:17:06, Andrew Morton wrote:
> > > > On Thu, 30 Nov 2017 07:53:35 +0100 Michal Hocko <mhocko@xxxxxxxxxx> wrote:
> > > >
> > > > > > mm... So we have a caller which hopes to be getting highmem pages but
> > > > > > isn't. Caller then proceeds to pointlessly kmap the page and wonders
> > > > > > why it isn't getting as much memory as it would like on 32-bit systems,
> > > > > > etc.
> > > > >
> > > > > How he can kmap the page when he gets a _virtual_ address?
> > > >
> > > > doh.
> > > >
> > > > > > I do think we should help ferret out such bogosity. A WARN_ON_ONCE
> > > > > > would suffice.
> > > > >
> > > > > This function has always been about lowmem pages. I seriously doubt we
> > > > > have anybody confused and asking for a highmem page in the kernel. I
> > > > > haven't checked that but it would already blow up as VM_BUG_ON tends to
> > > > > be enabled on many setups.
> > > >
> > > > OK. But silently accepting __GFP_HIGHMEM is a bit weird - callers
> > > > shouldn't be doing that in the first place.
> > >
> > > Yes, they shouldn't be.
> > >
> > > > I wonder what happens if we just remove the WARN_ON and pass any
> > > > __GFP_HIGHMEM straight through. The caller gets a weird address from
> > > > page_to_virt(highmem page) and usually goes splat? Good enough
> > > > treatment for something which never happens anyway?
> > >
> > > page_address will return NULL so they will blow up and leak the freshly
> > > allocated memory.
> >
> > let me be more specific. They will blow up and leak if the returned
> > address is not checked. If it is then we just leak. None of that sounds
> > good to me.
>
> So do we care and I will resend the patch in that case or I just drop
> this from my patch queue?

Well.. I still think that silently accepting bad input would be bad
practice. If we can just delete the assertion and have such a caller
reliably blow up later on then that's good enough. Otherwise let's
leave the code as-is?