BlaisorBlade wrote:
> At 13:39, Monday 28 June 2004, azu wrote:
>
>> Hi,
>>
>> I triggered the following panic from userspace in skas mode
>> by mapping pages above 0xa0000000 ...
>>
>> The check is useless in skas-mode (kernel faults get filtered
>> in segv() before handle_page_fault() is called),
>> so I added an ifdef for tt mode.
>
> This is a more sensible version of the patch (with runtime checking instead
> of compile time), if I did not overlook anything: it must be an if(mode_tt).
> I always compile in TT mode and normally don't use it (and sometimes UML does
> not compile otherwise), and the patch must still work.
>
> However, I don't think this is the proper fix: please elaborate a bit more.
> Segv() works the same way under TT and SKAS, and I think that more likely
> there was an actual stack overflow (try to increase
> CONFIG_KERNEL_STACK_ORDER and try to re-get the panic).

Paolo, your patch is the better one :-)

But it wasn't a stack overflow ...

Due to "overlapping" address spaces in skas mode, it is possible to trigger
the panic: a user page with the same address as current + 4096 must be valid
in the vma, but not (yet) mapped to the user:

0) addr = 0xa0000000
1) mmap a zero page to addr (valid vma) readwrite
2) fork -> mapping is now readonly
3) child writes to page
4) IF addr == current + 4096 THEN panic
5) addr += 4096
6) goto 1)

I wrote a small demo app to trigger the problem. Limit your UML memory to
16MB or so to trigger the panic faster.

-Alex
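Steps 0 to 6 above, written out as a bounded userspace reproducer in C; this is an added example, not Alex's demo app, and it assumes a Linux mmap/fork environment (the start address 0xa0000000 and the 4096-byte page size are taken from the post). Step 4 is the kernel's own check: on a fixed kernel every iteration returns 0 and the parent's page still reads zero, while on the affected skas kernel the child's write in step 3 would hit the panic once addr coincides with current + 4096.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAGE_SZ 4096UL
/* Steps 1-3 for one address: map an anonymous zero page read/write at addr
 * without touching it, fork so the private mapping turns copy-on-write, and
 * let the child write to it (the fault that reached handle_page_fault()).
 * addr is a hint only; MAP_FIXED is avoided so nothing gets clobbered.
 * Returns 0 if the child's write succeeded and the parent still reads zero. */
static int probe_page(uintptr_t addr)
{
    uint8_t *p = mmap((void *)addr, PAGE_SZ, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;         /* step 1 failed: no vma */
    pid_t pid = fork();                     /* step 2: page now read-only */
    if (pid < 0) { munmap(p, PAGE_SZ); return -1; }
    if (pid == 0) {
        p[0] = 0x22;                        /* step 3: child write faults here */
        _exit(p[0] == 0x22 ? 0 : 1);
    }
    int status = 0, ok = -1;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
        WEXITSTATUS(status) == 0 && p[0] == 0)   /* parent's copy untouched */
        ok = 0;
    munmap(p, PAGE_SZ);
    return ok;
}

/* Steps 0, 5 and 6: walk upward one page at a time from start and report
 * how many pages were probed without error (all of them on a fixed kernel). */
static unsigned long walk_pages(uintptr_t start, unsigned long npages)
{
    unsigned long done = 0;
    while (done < npages && probe_page(start + done * PAGE_SZ) == 0)
        done++;
    return done;
}

int main(int argc, char **argv)
{
    unsigned long n = argc > 1 ? strtoul(argv[1], NULL, 0) : 1024;
    unsigned long done = walk_pages(0xa0000000UL, n);
    printf("probed %lu of %lu pages\n", done, n);
    return done == n ? 0 : 1;
}
```

Run it inside the UML instance with a page count as the argument; with the 16MB memory limit from the post the kernel's task structs fall in a smaller range, so fewer pages need to be walked before an address matches.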