Re: [PACTH v4 1/3] mm, proc: Implement /proc/<pid>/totmaps

On 2016-08-31 01:04 PM, Mateusz Guzik wrote:
On Wed, Aug 31, 2016 at 12:36:26PM -0400, Robert Foss wrote:
On 2016-08-31 05:45 AM, Jacek Anaszewski wrote:
+static void *m_totmaps_start(struct seq_file *p, loff_t *pos)
+{
+    return NULL + (*pos == 0);
+}
+
+static void *m_totmaps_next(struct seq_file *p, void *v, loff_t *pos)
+{
+    ++*pos;
+    return NULL;
+}
+
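Review bot: m_totmaps_start() returns a non-NULL value whenever *pos == 0 without looking at the task's mm, so the show callback is reached even for a task that has none. Check the mm here, hold a reference to it while it is in use, and return NULL otherwise. Separately, `NULL + (*pos == 0)` builds the marker by doing arithmetic on a null pointer; `return *pos == 0 ? SEQ_START_TOKEN : NULL;` expresses the same thing with the seq_file constant.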

When reading totmaps of kernel processes the following NULL pointer
dereference occurs:

Unable to handle kernel NULL pointer dereference at virtual address
00000044
[<c06c01f4>] (down_read) from [<c022a154>] (totmaps_proc_show+0x2c/0x1e8)
[<c022a154>] (totmaps_proc_show) from [<c01fe564>] (seq_read+0x1c8/0x4b8)
[<c01fe564>] (seq_read) from [<c01dc850>] (__vfs_read+0x2c/0x110)
[<c01dc850>] (__vfs_read) from [<c01ddca0>] (vfs_read+0x8c/0x110)
[<c01ddca0>] (vfs_read) from [<c01ddd64>] (SyS_read+0x40/0x8c)
[<c01ddd64>] (SyS_read) from [<c0107900>] (ret_fast_syscall+0x0/0x3c)

It seems that some protection is needed for such processes, so that
totmaps would return empty string then, like in case of smaps.


Thanks for the testing Jacek!

I had a look around the corresponding smaps code, but I'm not seeing any
checks, do you know where that check actually is made?


See m_start in fs/proc/task_mmu.c. It not only checks for non-null mm,
but also tries to bump ->mm_users and only then proceeds to walk the mm.

So a m_totmaps_start that looks something like the below would be enough?
And if so, would mm->mm_users need to be decremented inside of
m_totmaps_start?

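static void *m_totmaps_start(struct seq_file *p, loff_t *pos)
{
	struct proc_maps_private *priv = p->private;
	struct mm_struct *mm;

	mm = priv->mm;
	/* No mm (kernel thread) or mm_users already zero: nothing to show. */
	if (!mm || !atomic_inc_not_zero(&mm->mm_users))
		return NULL;

	/* Non-NULL only for the first position, so one record is shown. */
	return NULL + (*pos == 0);
}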
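
A userspace C model of the reference handling asked about above, as an added example that is not part of the original message or the kernel source: start pins the mm only when it is going to return a record, and stop drops that reference. The names mm_model, priv_model, inc_not_zero, model_start, model_stop and model_read, and the pinned flag, are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace stand-ins (assumptions), not the kernel's own definitions. */
struct mm_model { atomic_int mm_users; };
struct priv_model {
	struct mm_model *mm;   /* NULL models a kernel thread */
	bool pinned;           /* true while start holds an mm_users reference */
};

/* Model of atomic_inc_not_zero(): take a reference unless the count is 0. */
static bool inc_not_zero(atomic_int *v)
{
	int old = atomic_load(v);

	while (old != 0)
		if (atomic_compare_exchange_weak(v, &old, old + 1))
			return true;
	return false;
}

/* start: no record past position 0, none for a missing or dying mm. */
static void *model_start(struct priv_model *priv, long long *pos)
{
	if (*pos != 0)
		return NULL;   /* checked first so no reference is taken for nothing */
	if (!priv->mm || !inc_not_zero(&priv->mm->mm_users))
		return NULL;
	priv->pinned = true;
	return (void *)1;      /* non-NULL marker for the single record */
}

/* stop: runs after every start, so it drops the reference only if one is held. */
static void model_stop(struct priv_model *priv)
{
	if (priv->pinned) {
		atomic_fetch_sub(&priv->mm->mm_users, 1);
		priv->pinned = false;
	}
}

/* One read pass in start/show/stop order; returns true if a record was shown. */
static bool model_read(struct priv_model *priv, long long pos)
{
	bool shown = model_start(priv, &pos) != NULL;

	model_stop(priv);
	return shown;
}
```
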
