Re: [PATCH 4/9] mm: use mm_populate() for blocking remap_file_pages()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2012/12/21 Michel Lespinasse <walken@xxxxxxxxxx>:
> Signed-off-by: Michel Lespinasse <walken@xxxxxxxxxx>

Hello, this patch introduced the following bug, seen while fuzzing with trinity:

[  396.825414] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000050
[  396.826013] IP: [<ffffffff81176efb>] sys_remap_file_pages+0xbb/0x3e0
[  396.826013] PGD 61e65067 PUD 3fb4067 PMD 0
[  396.826013] Oops: 0000 [#8] SMP
[  396.826013] CPU 0
[  396.826013] Pid: 27553, comm: trinity-child53 Tainted: G      D W
 3.9.0-rc1+ #108 Bochs Bochs
[  396.826013] RIP: 0010:[<ffffffff81176efb>]  [<ffffffff81176efb>]
sys_remap_file_pages+0xbb/0x3e0
[  396.826013] RSP: 0018:ffff880071a23f08  EFLAGS: 00010246
[  396.826013] RAX: 0000000000000000 RBX: ffffffff00000000 RCX: 0000000000000001
[  396.826013] RDX: 0000000000000000 RSI: ffffffff00000000 RDI: ffff8800679657c0
[  396.826013] RBP: ffff880071a23f78 R08: 0000000000000002 R09: 0000000000000000
[  396.826013] R10: 0000000026dad294 R11: 0000000000000000 R12: 0000000000000000
[  396.826013] R13: ffff880067965870 R14: ffffffffffffffea R15: 0000000000000000
[  396.826013] FS:  00007f6691a57700(0000) GS:ffff88007f800000(0000)
knlGS:0000000000000000
[  396.826013] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  396.826013] CR2: 0000000000000050 CR3: 0000000068ab3000 CR4: 00000000000006f0
[  396.826013] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  396.826013] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  396.826013] Process trinity-child53 (pid: 27553, threadinfo
ffff880071a22000, task ffff88006a360000)
[  396.826013] Stack:
[  396.826013]  0000000000000000 ffffffff810f33b6 0000000000000035
0000000000000000
[  396.826013]  000000000000f000 0000000000000000 0000000026dad294
ffff8800679657c0
[  396.826013]  a80006367e000000 ffffffff00000000 00000000000006c0
00000000000000d8
[  396.826013] Call Trace:
[  396.826013]  [<ffffffff810f33b6>] ? trace_hardirqs_on_caller+0x16/0x1f0
[  396.826013]  [<ffffffff81faf169>] system_call_fastpath+0x16/0x1b
[  396.826013] Code: 43 e3 00 48 8b 45 a8 25 00 00 01 00 48 89 45 b8
48 8b 7d c8 48 89 de e8 74 9b 00 00 48 85 c0 49 89 c7 75 1c 49 c7 c6
ea ff ff ff <48> 8b 14 25 50 00 00 00 44 89 f0 e9 7f 02 00 00 0f 1f 44
00 00
[  396.826013] RIP  [<ffffffff81176efb>] sys_remap_file_pages+0xbb/0x3e0
[  396.826013]  RSP <ffff880071a23f08>
[  396.826013] CR2: 0000000000000050
[  396.876275] ---[ end trace 0444599b5c1ba02b ]---

> ---
>  mm/fremap.c |   22 ++++++----------------
>  1 files changed, 6 insertions(+), 16 deletions(-)
>
> diff --git a/mm/fremap.c b/mm/fremap.c
> index 2db886e31044..b42e32171530 100644
> --- a/mm/fremap.c
> +++ b/mm/fremap.c
> @@ -129,6 +129,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
>         struct vm_area_struct *vma;
>         int err = -EINVAL;
>         int has_write_lock = 0;
> +       vm_flags_t vm_flags;
>
>         if (prot)
>                 return err;
> @@ -228,30 +229,16 @@ get_write_lock:
>                 /*
>                  * drop PG_Mlocked flag for over-mapped range
>                  */
> -               vm_flags_t saved_flags = vma->vm_flags;
>                 if (!has_write_lock)
>                         goto get_write_lock;
> +               vm_flags = vma->vm_flags;
>                 munlock_vma_pages_range(vma, start, start + size);
> -               vma->vm_flags = saved_flags;
> +               vma->vm_flags = vm_flags;
>         }
>
>         mmu_notifier_invalidate_range_start(mm, start, start + size);
>         err = vma->vm_ops->remap_pages(vma, start, size, pgoff);
>         mmu_notifier_invalidate_range_end(mm, start, start + size);
> -       if (!err) {
> -               if (vma->vm_flags & VM_LOCKED) {
> -                       /*
> -                        * might be mapping previously unmapped range of file
> -                        */
> -                       mlock_vma_pages_range(vma, start, start + size);
> -               } else if (!(flags & MAP_NONBLOCK)) {
> -                       if (unlikely(has_write_lock)) {
> -                               downgrade_write(&mm->mmap_sem);
> -                               has_write_lock = 0;
> -                       }
> -                       make_pages_present(start, start+size);
> -               }
> -       }
>
>         /*
>          * We can't clear VM_NONLINEAR because we'd have to do
> @@ -260,10 +247,13 @@ get_write_lock:
>          */
>
>  out:
> +       vm_flags = vma->vm_flags;

When find_vma() fails, vma is NULL here.

>         if (likely(!has_write_lock))
>                 up_read(&mm->mmap_sem);
>         else
>                 up_write(&mm->mmap_sem);
> +       if (!err && ((vm_flags & VM_LOCKED) || !(flags & MAP_NONBLOCK)))
> +               mm_populate(start, size);
>
>         return err;
>  }
> --
> 1.7.7.3
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>


[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]