From: Nam Cao <namcao@linutronix.de>
To: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Cc: jayalk@intworks.biz, Daniel Vetter <daniel@ffwll.ch>,
deller@gmx.de, linux-fbdev@vger.kernel.org,
dri-devel@lists.freedesktop.org, tiwai@suse.de,
bigeasy@linutronix.de, patrik.r.jakobsson@gmail.com,
LKML <linux-kernel@vger.kernel.org>,
Vegard Nossum <vegard.nossum@oracle.com>,
George Kennedy <george.kennedy@oracle.com>,
Darren Kenny <darren.kenny@oracle.com>,
chuansheng.liu@intel.com
Subject: Re: [bug-report] task info hung problem in fb_deferred_io_work()
Date: Fri, 19 Apr 2024 16:59:15 +0200
Message-ID: <20240419165915.228c76e9@namcao>
In-Reply-To: <271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com>
On 2024-04-18 Harshit Mogalapalli wrote:
> While fuzzing 5.15.y kernel with Syzkaller, we noticed an INFO: task hung
> bug in fb_deferred_io_work()

I think the problem is because of improper offset address calculation.
The kernel calculates the address offset with:

	offset = vmf->address - vmf->vma->vm_start

Now the problem is that your C program mmaps the framebuffer at 2
different offsets:

	mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
	mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0);

but the kernel doesn't take these different offsets into account.
So, 2 different pages are mistakenly recognized as the same page.

Can you try the following patch?

Best regards,
Nam

diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index dae96c9f61cf..d5d6cd9e8b29 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -196,7 +196,8 @@ static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long
*/
static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
{
- unsigned long offset = vmf->address - vmf->vma->vm_start;
+ unsigned long offset = vmf->address - vmf->vma->vm_start
+ + (vmf->vma->vm_pgoff << PAGE_SHIFT);
struct page *page = vmf->page;
file_update_time(vmf->vma->vm_file);
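Review bot: the hunk has no commit message, Fixes: tag or Signed-off-by, which is fine for a "can you try this" test patch but must be added before it can be picked up; the description should say why vm_pgoff has to be folded in (the report's two MAP_FIXED mappings of the same address at file offsets 0xff000 and 0 both yield offset 0 with the old `vmf->address - vmf->vma->vm_start`). A one-line comment above the new expression saying that offset must be file-relative, not VMA-relative, would save the next reader the same investigation, and it is worth checking whether any other fault path in this file computes the offset the same VMA-relative way and needs the same change.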
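To make the collision concrete, here is an added user-space model of the two offset formulas (it is not kernel code and not part of Nam's patch). It replays the report's two MAP_FIXED mappings of the same user address at file offsets 0xff000 and 0 and shows that the old VMA-relative formula maps both faults to framebuffer page 0, while the patched formula keeps them apart. `struct fake_vma`, `struct fake_vmf`, `PTR` and the helper names are constructed for the example; `PAGE_SHIFT` is assumed to be 12.

```c
#include <stdio.h>

#define PAGE_SHIFT 12
#define PTR 0x20000000UL   /* constructed user address used by both mmap() calls */

/* Constructed stand-in for the vm_area_struct fields that matter here. */
struct fake_vma {
	unsigned long vm_start;   /* start of the mapping in the address space */
	unsigned long vm_pgoff;   /* file offset the region was mmap()ed at, in pages */
};

/* Constructed stand-in for the vm_fault fields used by the two formulas. */
struct fake_vmf {
	unsigned long address;        /* faulting virtual address */
	const struct fake_vma *vma;   /* mapping the fault landed in */
};

/* Old fb_deferred_io_page_mkwrite() calculation: VMA-relative only. */
unsigned long offset_old(const struct fake_vmf *vmf)
{
	return vmf->address - vmf->vma->vm_start;
}

/* Patched calculation: fold in the mmap() file offset carried in vm_pgoff. */
unsigned long offset_new(const struct fake_vmf *vmf)
{
	return vmf->address - vmf->vma->vm_start
		+ (vmf->vma->vm_pgoff << PAGE_SHIFT);
}

/* Returns 1 when two byte offsets fall in the same framebuffer page. */
int same_fb_page(unsigned long off_a, unsigned long off_b)
{
	return (off_a >> PAGE_SHIFT) == (off_b >> PAGE_SHIFT);
}

/* The two mappings from the report: same address, different file offsets. */
static const struct fake_vma vma_hi = { PTR, 0xff000UL >> PAGE_SHIFT };
static const struct fake_vma vma_lo = { PTR, 0 };

/* Do faults at PTR in each mapping collide under the old formula? (expected: 1) */
int collides_old(void)
{
	struct fake_vmf a = { PTR, &vma_hi }, b = { PTR, &vma_lo };
	return same_fb_page(offset_old(&a), offset_old(&b));
}

/* ... and under the patched formula? (expected: 0) */
int collides_new(void)
{
	struct fake_vmf a = { PTR, &vma_hi }, b = { PTR, &vma_lo };
	return same_fb_page(offset_new(&a), offset_new(&b));
}

int main(void)
{
	struct fake_vmf a = { PTR, &vma_hi }, b = { PTR, &vma_lo };

	printf("old formula: 0x%lx vs 0x%lx -> %s\n",
	       offset_old(&a), offset_old(&b),
	       collides_old() ? "same page (bug)" : "distinct");
	printf("new formula: 0x%lx vs 0x%lx -> %s\n",
	       offset_new(&a), offset_new(&b),
	       collides_new() ? "same page" : "distinct (fixed)");
	return 0;
}
```

Because deferred I/O tracks dirty pages by this offset across the lifetime of the device, the second mapping's fault being filed under the first mapping's page is exactly the kind of confusion that can leave the work function waiting on a page that was never the one dirtied.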