On Tue, Dec 29, 2020 at 01:05:48AM +0300, Kirill A. Shutemov wrote:
> On Mon, Dec 28, 2020 at 10:47:36AM -0800, Linus Torvalds wrote:
> > On Mon, Dec 28, 2020 at 4:53 AM Kirill A. Shutemov <kirill@xxxxxxxxxxxxx> wrote:
> > >
> > > So far I only found one more pin leak and always-true check. I don't see
> > > how it can lead to crash or corruption. Keep looking.
> >
> > Well, I noticed that the nommu.c version of filemap_map_pages() needs
> > fixing, but that's obviously not the case Hugh sees.
> >
> > No, I think the problem is the
> >
> >         pte_unmap_unlock(vmf->pte, vmf->ptl);
> >
> > at the end of filemap_map_pages().
> >
> > Why?
> >
> > Because we've been updating vmf->pte as we go along:
> >
> >                 vmf->pte += xas.xa_index - last_pgoff;
> >
> > and I think that by the time we get to that "pte_unmap_unlock()",
> > vmf->pte potentially points to past the edge of the page directory.
>
> Well, if it's true we have a bigger problem: we set up a pte entry without
> the relevant PTL.
>
> But I *think* we should be fine here: do_fault_around() limits start_pgoff
> and end_pgoff to stay within the page table.
>
> It made me look at the code around pte_unmap_unlock() and I think that
> the bug is that we have to reset vmf->address and NULLify vmf->pte once we
> are done with faultaround:
>
> diff --git a/mm/memory.c b/mm/memory.c

Ugh.. Wrong place. Need to sleep. I'll look into your idea tomorrow.

diff --git a/mm/filemap.c b/mm/filemap.c
index 87671284de62..e4daab80ed81 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2987,6 +2987,8 @@ vm_fault_t filemap_map_pages(struct vm_fault *vmf, unsigned long address,
 	} while ((head = next_map_page(vmf, &xas, end_pgoff)) != NULL);
 	pte_unmap_unlock(vmf->pte, vmf->ptl);
 	rcu_read_unlock();
+	vmf->address = address;
+	vmf->pte = NULL;
 	WRITE_ONCE(file->f_ra.mmap_miss, mmap_miss);
 
 	return ret;
--
 Kirill A. Shutemov
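Review bot: the two new assignments at the end of the hunk only run on the path that falls out of the `do { } while ((head = next_map_page(...)) != NULL)` loop; if filemap_map_pages() has any other exit after the loop body has advanced `vmf->address` and `vmf->pte` (none is visible in this hunk), that path would still hand the caller a stale address and a PTE pointer that `pte_unmap_unlock()` has already released. Consider placing `vmf->address = address;` and `vmf->pte = NULL;` on a common exit label, and add a one-line comment stating why they are needed (fault-around walks `vmf->address` and `vmf->pte` forward, and, as the message above says, both must be restored once fault-around is done), since nothing in the hunk itself explains the reset. Doing `vmf->pte = NULL;` after `pte_unmap_unlock()` rather than before is the right order: any later use of the stale pointer then fails as a NULL dereference instead of the silent write past the page table that this thread is chasing.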
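The thread turns on whether the fault-around window can make `vmf->pte` step past the page table that covers the faulting address. The following user-space model, added here and not code from the kernel or from either author, computes a fault-around window the way the thread describes do_fault_around() behaving (start aligned down but not before the VMA, end clamped to the page table, the VMA and the window size) and checks the invariant that the PTE index plus the number of steps taken stays below PTRS_PER_PTE. The constants (PAGE_SHIFT 12, PTRS_PER_PTE 512, a 64 KiB window), the function names and the struct are assumptions chosen to resemble an x86-64 configuration; the VMA addresses in main() are constructed sample input.

```c
/* Added example, not kernel code: a user-space model of the bound that the
 * thread above attributes to do_fault_around(). Constants are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE (1UL << PAGE_SHIFT)
#define PTRS_PER_PTE 512UL                 /* assumed: entries per page table */
#define FAULT_AROUND_BYTES (64UL * 1024)   /* assumed window: 16 pages */

/* One fault-around window, expressed in file page offsets plus the PTE index
 * (within its page table) of the first page in the window. */
struct window {
    unsigned long start_pgoff;   /* first file page mapped */
    unsigned long end_pgoff;     /* last file page mapped (inclusive) */
    unsigned long first_pte_idx; /* PTE index of start_pgoff in its table */
};

/* Compute the window for a fault at `address` inside the VMA
 * [vm_start, vm_end) whose first page is file page `vm_pgoff`. This follows
 * the shape described in the thread; it is a model, not the kernel's code. */
struct window fault_around_window(unsigned long address,
                                  unsigned long vm_start, unsigned long vm_end,
                                  unsigned long vm_pgoff)
{
    unsigned long nr_pages = FAULT_AROUND_BYTES >> PAGE_SHIFT;
    unsigned long mask = ~(nr_pages * PAGE_SIZE - 1);
    unsigned long pgoff = vm_pgoff + ((address - vm_start) >> PAGE_SHIFT);

    /* Window start: aligned down to the window size, but never before the
     * VMA start. The window size divides the page-table span, so the aligned
     * start is always in the same page table as the fault address. */
    unsigned long win_start = address & mask;
    if (win_start < vm_start)
        win_start = vm_start;

    /* Pages before the fault that the window covers, bounded to one table. */
    unsigned long off = ((address - win_start) >> PAGE_SHIFT) & (PTRS_PER_PTE - 1);
    unsigned long start = pgoff - off;

    /* PTE index of the fault, then of the window start, within the table. */
    unsigned long fault_idx = (address >> PAGE_SHIFT) & (PTRS_PER_PTE - 1);
    unsigned long first_idx = fault_idx - off;

    /* Window end: the smallest of (a) last entry of this page table,
     * (b) last page of the VMA, (c) window size from the start. */
    unsigned long end_table = start + (PTRS_PER_PTE - 1 - first_idx);
    unsigned long end_vma = vm_pgoff + ((vm_end - vm_start) >> PAGE_SHIFT) - 1;
    unsigned long end_win = start + nr_pages - 1;
    unsigned long end = end_table;
    if (end_vma < end)
        end = end_vma;
    if (end_win < end)
        end = end_win;

    struct window w = { start, end, first_idx };
    return w;
}

/* The invariant Kirill relies on: advancing a PTE pointer by
 * (xa_index - last_pgoff) from start_pgoff to end_pgoff never leaves the
 * page table it started in. */
bool window_stays_in_table(struct window w)
{
    return w.first_pte_idx + (w.end_pgoff - w.start_pgoff) < PTRS_PER_PTE;
}

int main(void)
{
    /* Constructed sample: a 4 MiB file mapping at a 2 MiB-aligned address. */
    unsigned long base = 0x7f0000000000UL;
    unsigned long faults[] = { base + 0x1ff000, base + 0x200000, base + 0x1f7000 };

    for (int i = 0; i < 3; i++) {
        struct window w = fault_around_window(faults[i], base, base + 0x400000, 0);
        printf("fault %#lx -> pgoff [%lu, %lu], pte idx %lu, in table: %s\n",
               faults[i], w.start_pgoff, w.end_pgoff, w.first_pte_idx,
               window_stays_in_table(w) ? "yes" : "no");
    }
    return 0;
}
```

The first sample fault is the last page of a page table: the window is clamped to end at PTE index 511 rather than running into the next table, which is exactly the bound that makes the `vmf->pte += xas.xa_index - last_pgoff;` walk safe. The model says nothing about `vmf->pte` being left stale after `pte_unmap_unlock()`, which is the separate problem the patch in the thread addresses.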