In the Linux kernel, the following vulnerability has been resolved:

mm/filemap: make MAXPAGECACHEORDER acceptable to xarray

Patch series "mm/filemap: Limit page cache size to that supported by xarray", v2.

Currently, xarray can't support arbitrary page cache size. More details can be found from the WARNON() statement in xassplitalloc(). In our test whose code is attached below, we hit the WARNON() on ARM64 system where the base page size is 64KB and huge page size is 512MB. The issue was reported long time ago and some discussions on it can be found here [1].

[1] https://www.spinics.net/lists/linux-xfs/msg75404.html

In order to fix the issue, we need to adjust MAXPAGECACHEORDER to one supported by xarray and avoid PMD-sized page cache if needed. The code changes are suggested by David Hildenbrand.

PATCH[1] adjusts MAXPAGECACHEORDER to that supported by xarray PATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path PATCH[4] avoids PMD-sized page cache for shmem files if needed

Test program

cat test.c

define GNUSOURCE

include <stdio.h>

include <stdlib.h>

include <unistd.h>

include <string.h>

include <fcntl.h>

include <errno.h>

include <sys/syscall.h>

include <sys/mman.h>

define TESTXFSFILENAME "/tmp/data"

define TESTSHMEMFILENAME "/dev/shm/data"

define TESTMEMSIZE 0x20000000

int main(int argc, char **argv) { const char *filename; int fd = 0; void *buf = (void *)-1, *p; int pgsize = getpagesize(); int ret;

if (pgsize != 0x10000) {
    fprintf(stderr, "64KB base page size is required\n");
    return -EPERM;
}

system("echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled");
system("rm -fr /tmp/data");
system("rm -fr /dev/shm/data");
system("echo 1 > /proc/sys/vm/drop_caches");

/* Open xfs or shmem file */
filename = TEST_XFS_FILENAME;
if (argc > 1 && !strcmp(argv[1], "shmem"))
    filename = TEST_SHMEM_FILENAME;

fd = open(filename, O_CREAT | O_RDWR | O_TRUNC);
if (fd < 0) {
    fprintf(stderr, "Unable to open <%s>\n", filename);
    return -EIO;
}

/* Extend file size */
ret = ftruncate(fd, TEST_MEM_SIZE);
if (ret) {
    fprintf(stderr, "Error %d to ftruncate()\n", ret);
    goto cleanup;
}

/* Create VMA */
buf = mmap(NULL, TEST_MEM_SIZE,
       PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (buf == (void *)-1) {
    fprintf(stderr, "Unable to mmap <%s>\n", filename);
    goto cleanup;
}

fprintf(stdout, "mapped buffer at 0x%p\n", buf);
ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);
    if (ret) {
    fprintf(stderr, "Unable to madvise(MADV_HUGEPAGE)\n");
    goto cleanup;
}

/* Populate VMA */
ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);
if (ret) {
    fprintf(stderr, "Error %d to madvise(MADV_POPULATE_WRITE)\n", ret);
    goto cleanup;
}

/* Punch the file to enforce xarray split */
ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,
            TEST_MEM_SIZE - pgsize, pgsize);
if (ret)
    fprintf(stderr, "Error %d to fallocate()\n", ret);

cleanup: if (buf != (void *)-1) munmap(buf, TESTMEMSIZE); if (fd > 0) close(fd);

return 0;

}

gcc test.c -o test

cat /proc/1/smaps | grep KernelPageSize | head -n 1

KernelPageSize: 64 kB

./test shmem

: ------------[ cut here ]------------ WARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xassplitalloc+0xf8/0x128 Modules linked in: nftfibinet nftfibipv4 nftfibipv6 nftfib \ nftrejectinet nfrejectipv4 nfrejectipv6 nftreject nftct \ nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 \ ipset nftables rfkill nfnetlink vfat fat virtioballoon \ drm fuse xfs libcrc32c crct10difce ghashce sha2ce sha256arm64 \ virtionet sha1ce netfailover failover virtioconsole virtioblk \ dimlib virtiommio CPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TC ---truncated---