[PATCH] mm,madvise: bugfix of madvise systemcall infinite loop under special circumstances.

guoxuenan <guoxuenan@xxxxxxxxxx> · Fri, 24 Nov 2017 10:27:57 +0800

From: chenjie <chenjie6@xxxxxxxxxx>

The madvise() system call supported a set of "conventional" advice values,
the MADV_WILLNEED parameter will trigger an infinite loop under direct
access mode(DAX). In DAX mode, the function madvise_vma() will return
directly without updating the pointer [prev].

For example:
Special circumstances:
1、init [ start < vam->vm_start < vam->vm_end < end ]
2、madvise_vma() using MADV_WILLNEED parameter ;
madvise_vma() -> madvise_willneed() -> return 0 && without updating [prev]

=======================================================================
in Function SYSCALL_DEFINE3(madvise,...)

for (;;)
{
//[first loop: start = vam->vm_start < vam->vm_end  <end ];
      update [start = vma->vm_start | end  ]

con0: if (start >= end)                 //false always;
	goto out;
      tmp = vma->vm_end;

//do not update [prev] and always return 0;
      error = madvise_willneed();

con1: if (error)                        //false always;
	goto out;

//[ vam->vm_start < start = vam->vm_end  <end ]
      update [start = tmp ]

con2: if (start >= end)                 //false always ;
	goto out;

//because of pointer [prev] did not change,[vma] keep as it was;
      update [ vma = prev->vm_next ]
}

=======================================================================
After the first cycle ;it will always keep
[ vam->vm_start < start = vam->vm_end  < end ].
since Circulation exit conditions (con{0,1,2}) will never meet ,the
program stuck in infinite loop.

Signed-off-by: chenjie <chenjie6@xxxxxxxxxx>
Signed-off-by: guoxuenan <guoxuenan@xxxxxxxxxx>
---
 mm/madvise.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/madvise.c b/mm/madvise.c
index 21261ff..c355fee 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -294,6 +294,7 @@ static long madvise_willneed(struct vm_area_struct *vma,
 #endif
 
 	if (IS_DAX(file_inode(file))) {
+		*prev = vma;
 		/* no bad return value, but ignore advice */
 		return 0;
 	}
-- 
2.9.5

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>






