From: chenjie <chenjie6@xxxxxxxxxx>
The madvise() system call supported a set of "conventional" advice values,
the MADV_WILLNEED parameter has possibility of triggering an infinite loop under
direct access mode(DAX).
Infinite loop situation:
1、initial state [ start = vam->vm_start < vam->vm_end < end ].
2、madvise_vma() using MADV_WILLNEED parameter;
madvise_vma() -> madvise_willneed() -> return 0 && the value of [prev] is not updated.
In function SYSCALL_DEFINE3(madvise,...)
When [start = vam->vm_start] the program enters "for" loop,
find_vma_prev() will set the pointer vma and the pointer prev(prev = vam->vm_prev).
Normally ,madvise_vma() will always move the pointer prev ,but when use DAX mode,
it will never update the value of [prev].
=======================================================================
SYSCALL_DEFINE3(madvise,...)
{
[...]
//start = vam->start => prev=vma->prev
vma = find_vma_prev(current->mm, start, &prev);
[...]
for(;;)
{
update [start = vma->vm_start]
con0: if (start >= end) //false always;
goto out;
tmp = vma->vm_end;
//do not update [prev] and always return 0;
error = madvise_willneed();
con1: if (error) //false always;
goto out;
//[ vam->vm_start < start = vam->vm_end <end ]
update [start = tmp ]
con2: if (start >= end) //false always ;
goto out;
//because of pointer [prev] did not change,[vma] keep as it was;
update [ vma = prev->vm_next ]
}
[...]
}
=======================================================================
After the first cycle ;it will always keep
vam->vm_start < start = vam->vm_end < end && vma = prev->vm_next;
since Circulation exit conditions (con{0,1,2}) will never meet ,the
program stuck in infinite loop.
Signed-off-by: chenjie <chenjie6@xxxxxxxxxx>
Signed-off-by: guoxuenan <guoxuenan@xxxxxxxxxx>
---
mm/madvise.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/mm/madvise.c b/mm/madvise.c
index 375cf32..751e97a 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -276,15 +276,14 @@ static long madvise_willneed(struct vm_area_struct *vma,
{
struct file *file = vma->vm_file;
+ *prev = vma;
#ifdef CONFIG_SWAP
if (!file) {
- *prev = vma;
force_swapin_readahead(vma, start, end);
return 0;
}
if (shmem_mapping(file->f_mapping)) {
- *prev = vma;
force_shm_swapin_readahead(vma, start, end,
file->f_mapping);
return 0;
@@ -299,7 +298,6 @@ static long madvise_willneed(struct vm_area_struct *vma,
return 0;
}
- *prev = vma;
start = ((start - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
if (end > vma->vm_end)
end = vma->vm_end;
--
2.9.5
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
