From: Sasha Levin <levinsasha928@gmail.com>
To: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Nick Piggin <npiggin@kernel.dk>, Dave Jones <davej@redhat.com>
Subject: Re: [PATCH v3 06/10] mm: kill vma flag VM_CAN_NONLINEAR
Date: Tue, 09 Oct 2012 19:01:46 -0400
Message-ID: <5074ACDA.2060705@gmail.com>
In-Reply-To: <20120731104221.20515.90791.stgit@zurg>

On 07/31/2012 06:42 AM, Konstantin Khlebnikov wrote:
> This patch moves actual ptes filling for non-linear file mappings
> into special vma operation: ->remap_pages().
> 
> File system must implement this method to get non-linear mappings support,
> if it uses filemap_fault() then generic_file_remap_pages() can be used.
> 
> Now device drivers can implement this method and obtain nonlinear vma support.
> 
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Nick Piggin <npiggin@kernel.dk>
> Cc: Ingo Molnar <mingo@redhat.com>

I was fuzzing with trinity inside a KVM tools guest, and hit the following NULL deref:

[ 1202.209854] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
[ 1202.215344] IP: [<ffffffff812290cf>] sys_remap_file_pages+0xcf/0x380
[ 1202.215904] PGD 24ccc067 PUD 2f693067 PMD 0
[ 1202.215904] Oops: 0000 [#2] PREEMPT SMP DEBUG_PAGEALLOC
[ 1202.215904] CPU 3
[ 1202.224995] Pid: 17953, comm: trinity-child3 Tainted: G      D W    3.6.0-next-20121009-sasha-00001-ge404bae #43
[ 1202.224995] RIP: 0010:[<ffffffff812290cf>]  [<ffffffff812290cf>] sys_remap_file_pages+0xcf/0x380
[ 1202.224995] RSP: 0018:ffff880025819f18  EFLAGS: 00010246
[ 1202.224995] RAX: 00000000050444f9 RBX: 0000000080100000 RCX: 0000000000000001
[ 1202.224995] RDX: 0000000000000000 RSI: 0000000080100000 RDI: ffff8800255f1000
[ 1202.279533] RBP: ffff880025819f78 R08: ffff88000c9ea580 R09: 0000000000000000
[ 1202.279533] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8800255f10a8
[ 1202.279533] R13: 0000000000000000 R14: ffff8800255f1000 R15: 0000000080700000
[ 1202.279533] FS:  00007fa063d0e700(0000) GS:ffff880067600000(0000) knlGS:0000000000000000
[ 1202.279533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1202.279533] CR2: 0000000000000040 CR3: 000000002cc81000 CR4: 00000000000406e0
[ 1202.279533] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1202.279533] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1202.279533] Process trinity-child3 (pid: 17953, threadinfo ffff880025818000, task ffff88003061b000)
[ 1202.279533] Stack:
[ 1202.279533]  ffff880025819f48 ffffffff8107dc10 0000000080100000 0000000000000000
[ 1202.279533]  0000000000600000 000000000aefbf86 00000000000000d8 0000000080100000
[ 1202.279533]  0000000000000003 00000000000000d8 0000000000600000 00000000000000d8
[ 1202.279533] Call Trace:
[ 1202.279533]  [<ffffffff8107dc10>] ? syscall_trace_enter+0x20/0x2e0
[ 1202.279533]  [<ffffffff83a64738>] tracesys+0xe1/0xe6
[ 1202.279533] Code: 02 00 00 48 8b 40 30 a8 08 0f 84 6d 02 00 00 49 83 b8 a0 00 00 00 00 74 0b a9 00 00 80 00 0f 84 58 02 00 00
49 8b 90 88 00 00 00 <48> 83 7a 40 00 0f 84 46 02 00 00 49 8b 50 08 48 39 d3 0f 82 39
[ 1202.279533] RIP  [<ffffffff812290cf>] sys_remap_file_pages+0xcf/0x380
[ 1202.279533]  RSP <ffff880025819f18>
[ 1202.279533] CR2: 0000000000000040
[ 1202.401144] ---[ end trace fe8a5604834bab83 ]---

It would seem that this patch adds the following check into sys_remap_file_pages():

        if (!vma->vm_ops->remap_pages)
                goto out;

But vma->vm_ops itself is NULL.


Thanks,
Sasha
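The failure the report describes, as an added example that is not code from the patch or the kernel: constructed stand-ins for the two structs, the check as quoted in the mail, and a defensive form that tests the ops table before looking inside it. The struct layouts, the ops-table names and the anonymous-mapping case are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's struct vm_operations_struct and
 * struct vm_area_struct, reduced to the members this example needs. */
struct vm_operations_struct {
	int (*fault)(void *vma, void *vmf);
	int (*remap_pages)(void *vma, unsigned long addr,
			   unsigned long size, unsigned long pgoff);
};

struct vm_area_struct {
	unsigned long vm_start, vm_end;
	const struct vm_operations_struct *vm_ops; /* NULL for anonymous memory */
};

/* The check as quoted in the report. It reads through vm_ops unconditionally;
 * in the oops RDX (vm_ops) was 0 and the faulting bytes "48 83 7a 40 00"
 * decode to cmpq $0,0x40(%rdx), which is why CR2 reports address 0x40. */
static bool remap_supported_buggy(const struct vm_area_struct *vma)
{
	return vma->vm_ops->remap_pages != NULL;   /* faults when vm_ops == NULL */
}

/* Defensive form: reject a VMA with no ops table before dereferencing it,
 * so an anonymous mapping simply takes the "goto out" path. */
static bool remap_supported_fixed(const struct vm_area_struct *vma)
{
	return vma->vm_ops != NULL && vma->vm_ops->remap_pages != NULL;
}

static int dummy_remap(void *vma, unsigned long a, unsigned long s, unsigned long p)
{ (void)vma; (void)a; (void)s; (void)p; return 0; }

/* Two constructed ops tables: a file system that implements ->remap_pages
 * and one that provides only ->fault (here left NULL as well). */
const struct vm_operations_struct ops_with_remap = { .remap_pages = dummy_remap };
const struct vm_operations_struct ops_fault_only = { .fault = NULL };

int main(void)
{
	struct vm_area_struct anon  = { 0x600000, 0x700000, NULL };
	struct vm_area_struct plain = { 0x600000, 0x700000, &ops_fault_only };
	struct vm_area_struct nonl  = { 0x600000, 0x700000, &ops_with_remap };
	printf("anon:  %d\n", remap_supported_fixed(&anon));   /* 0, no deref */
	printf("plain: %d\n", remap_supported_fixed(&plain));  /* 0 */
	printf("nonl:  %d\n", remap_supported_fixed(&nonl));   /* 1 */
	return 0;
}
```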

