Re: [linux-stable-rc:linux-6.2.y] [mm/mempolicy] 75cd8305a0: WARNING:at_mm/mmap.c:#vma_merge

On Sun, Apr 30, 2023 at 10:57:44AM +0800, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "WARNING:at_mm/mmap.c:#vma_merge" on:
>
> commit: 75cd8305a0bd360c3fedaefce1801c13b58e2311 ("mm/mempolicy: fix use-after-free of VMA iterator")
> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git linux-6.2.y
>
> in testcase: trinity
> version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
> with following parameters:
>
> 	runtime: 300s
> 	group: group-03
>
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
>
>
> compiler: gcc-11
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
>
> If you fix the issue, kindly add following tag
> | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> | Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@xxxxxxxxx

[snip]

(resending email without the egregious quoting of the entire .config,
apologies for that! :)

I have diagnosed this and submitted a patch which fixes it to mainline [1],
which should apply cleanly on backport.

Here is a reliable repro, should be built with -lnuma (forgive the messy
code, it can probably be pared down further from this):-

#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <numaif.h>

int main()
{
        const long page_size = sysconf(_SC_PAGESIZE);

        char *ptr = mmap(NULL, 5 * page_size, PROT_READ | PROT_WRITE,
                         MAP_ANON | MAP_PRIVATE | MAP_POPULATE, -1, 0);
        if (ptr == MAP_FAILED) {
                perror("mmap");
                return EXIT_FAILURE;
        }

        // Split into 5.
        if (mlock(ptr + page_size, page_size)) {
                perror("mlock 1");
                return EXIT_FAILURE;
        }

        unsigned long nodemask = 1;

        if (mbind(ptr, page_size * 2, MPOL_LOCAL, &nodemask, 1, 0)) {
                perror("mbind 1");
                return EXIT_FAILURE;
        }

        nodemask = 0;

        // Initialise ranges to be the same for first two pages.
        if (mbind(ptr, page_size * 2, MPOL_PREFERRED, &nodemask, 1, 0)) {
                perror("mbind 2");
                return EXIT_FAILURE;
        }

        // Now, try changing for full range.
        if (mbind(ptr, page_size * 4, MPOL_PREFERRED, &nodemask, 1, 0)) {
                perror("mbind 3");
                return EXIT_FAILURE;
        }

        return EXIT_SUCCESS;
}

[1]: https://lore.kernel.org/all/db42467a692d78c654ec5c1953329401bd8a9c34.1682859234.git.lstoakes@xxxxxxxxx/



