On 25/01/2023 12:53, Kirill A. Shutemov wrote:
On Wed, Jan 25, 2023 at 12:20:26AM +0000, Sean Christopherson wrote:
On Tue, Jan 24, 2023, Liam Merwick wrote:
On 14/01/2023 00:37, Sean Christopherson wrote:
On Fri, Dec 02, 2022, Chao Peng wrote:
...
When running LTP (https://github.com/linux-test-project/ltp) on the v10
bits (and also with Sean's branch above) I encounter the following NULL
pointer dereference with testcases/kernel/syscalls/madvise/madvise01
(100% reproducible).
It appears that in restrictedmem_error_page() inode->i_mapping->private_data
is NULL
in the list_for_each_entry_safe(inode, next, &sb->s_inodes, i_sb_list)
but I don't know why.
Kirill, can you take a look? Or pass the buck to someone who can? :-)
The patch below should help.
Thanks, this works for me.
Regards,
Liam
diff --git a/mm/restrictedmem.c b/mm/restrictedmem.c
index 15c52301eeb9..39ada985c7c0 100644
--- a/mm/restrictedmem.c
+++ b/mm/restrictedmem.c
@@ -307,14 +307,29 @@ void restrictedmem_error_page(struct page *page, struct address_space *mapping)
spin_lock(&sb->s_inode_list_lock);
list_for_each_entry_safe(inode, next, &sb->s_inodes, i_sb_list) {
- struct restrictedmem *rm = inode->i_mapping->private_data;
struct restrictedmem_notifier *notifier;
- struct file *memfd = rm->memfd;
+ struct restrictedmem *rm;
unsigned long index;
+ struct file *memfd;
- if (memfd->f_mapping != mapping)
+ if (atomic_read(&inode->i_count))
continue;
+ spin_lock(&inode->i_lock);
+ if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) {
+ spin_unlock(&inode->i_lock);
+ continue;
+ }
+
+ rm = inode->i_mapping->private_data;
+ memfd = rm->memfd;
+
+ if (memfd->f_mapping != mapping) {
+ spin_unlock(&inode->i_lock);
+ continue;
+ }
+ spin_unlock(&inode->i_lock);
+
xa_for_each_range(&rm->bindings, index, notifier, start, end)
notifier->ops->error(notifier, start, end);
break;
