From: Joshua Hahn <joshua.hahnjy@gmail.com>
To: "Lorenzo Stoakes (Oracle)" <ljs@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Clemens Ladisch <clemens@ladisch.de>,
Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"K . Y . Srinivasan" <kys@microsoft.com>,
Haiyang Zhang <haiyangz@microsoft.com>,
Wei Liu <wei.liu@kernel.org>, Dexuan Cui <decui@microsoft.com>,
Long Li <longli@microsoft.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Maxime Coquelin <mcoquelin.stm32@gmail.com>,
Alexandre Torgue <alexandre.torgue@foss.st.com>,
Miquel Raynal <miquel.raynal@bootlin.com>,
Richard Weinberger <richard@nod.at>,
Vignesh Raghavendra <vigneshr@ti.com>,
Bodo Stroesser <bostroesser@gmail.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
David Hildenbrand <david@kernel.org>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@kernel.org>,
Mike Rapoport <rppt@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>, Jann Horn <jannh@google.com>,
Pedro Falcato <pfalcato@suse.de>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-hyperv@vger.kernel.org,
linux-stm32@st-md-mailman.stormreply.com,
linux-arm-kernel@lists.infradead.org,
linux-mtd@lists.infradead.org, linux-staging@lists.linux.dev,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org,
linux-afs@lists.infradead.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, Ryan Roberts <ryan.roberts@arm.com>
Subject: Re: [PATCH v2 12/16] mm: allow handling of stacked mmap_prepare hooks in more drivers
Date: Wed, 18 Mar 2026 14:08:45 -0700 [thread overview]
Message-ID: <20260318210845.2591228-1-joshua.hahnjy@gmail.com> (raw)
In-Reply-To: <72750af6906fd96fb6f18e83ac3e694cf357a2c1.1773695307.git.ljs@kernel.org>
On Mon, 16 Mar 2026 21:12:08 +0000 "Lorenzo Stoakes (Oracle)" <ljs@kernel.org> wrote:
> While the conversion of mmap hooks to mmap_prepare is underway, we wil
> encounter situations where mmap hooks need to invoke nested mmap_prepare
> hooks.
>
> The nesting of mmap hooks is termed 'stacking'. In order to flexibly
> facilitate the conversion of custom mmap hooks in drivers which stack, we
> must split up the existing compat_vma_mapped() function into two separate
> functions:
>
> * compat_set_desc_from_vma() - This allows the setting of a vm_area_desc
> object's fields to the relevant fields of a VMA.
Hello Lorenzo, I hope you are doing well!
Thank you for this patch. I was developing on top of mm-new today and had
an error that I think was caused by this patch. I want to preface this by
saying that I am not at all familiar with this area of the code, so please
do forgive me if I've misinterpreted the crash and mistakenly pointed
at this commit : -)
Here is the crash:
[ 1.083795] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 1.083883] BUG: unable to handle page fault for address: ffa00000048efbb8
[ 1.083957] #PF: supervisor instruction fetch in kernel mode
[ 1.084030] #PF: error_code(0x0011) - permissions violation
[ 1.084086] PGD 100000067 P4D 10035f067 PUD 100364067 PMD 441ed9067 PTE 80000004466a3163
[ 1.084162] Oops: Oops: 0011 [#1] SMP
[ 1.084218] CPU: 0 UID: 0 PID: 305 Comm: mkdir Tainted: G W E 7.0.0-rc4-virtme-00442-ge53de5a0302f-dirty #85 PREEMPTLAZY
As you can see, it's on a QEMU instance. I don't think this makes a difference
in the crash, though.
[ 1.084321] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE
[ 1.084369] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-5.el9 11/05/2023
[ 1.084450] RIP: 0010:0xffa00000048efbb8
[ 1.084489] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <40> 12 0e 00 01 00 11 ff d0 fa 8e 04 00 00 a0 ff 80 33 51 02 01 00
[ 1.084642] RSP: 0018:ffa00000048ef998 EFLAGS: 00010286
[ 1.084692] RAX: ffa00000048efbb8 RBX: ff11000102512cc0 RCX: 000000000000000d
[ 1.084766] RDX: ffffffffa06247d0 RSI: ffa00000048efa18 RDI: ff11000102512cc0
[ 1.084826] RBP: ffa00000048ef9c8 R08: 0000000000000000 R09: 0000000000000007
[ 1.084889] R10: ff110001047d1f08 R11: 00007effdc3d0fff R12: ff110001047d3b00
[ 1.084954] R13: ff11000446cae600 R14: ff110001024efe00 R15: ff11000102510a80
[ 1.085021] FS: 0000000000000000(0000) GS:ff110004aae72000(0000) knlGS:0000000000000000
[ 1.085083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.085136] CR2: ffa00000048efbb8 CR3: 0000000102667001 CR4: 0000000000771ef0
[ 1.085201] PKRU: 55555554
[ 1.085228] Call Trace:
[ 1.085248] <TASK>
[ 1.085274] ? __compat_vma_mmap+0x8e/0x130
[ 1.085318] ? compat_vma_mmap+0x76/0x80
[ 1.085354] ? mas_alloc_nodes+0xb2/0x110
[ 1.085390] ? backing_file_mmap+0xc3/0xf0
[ 1.085426] ? ovl_mmap+0x41/0x50
[ 1.085463] ? ovl_mmap+0x50/0x50
[ 1.085499] ? __mmap_region+0x7e8/0x1100
[ 1.085539] ? do_mmap+0x49f/0x5e0
[ 1.085573] ? vm_mmap_pgoff+0xef/0x1e0
[ 1.085609] ? ksys_mmap_pgoff+0x15c/0x1f0
[ 1.085647] ? do_syscall_64+0xab/0x980
[ 1.085684] ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1.085730] </TASK>
[ 1.085770] Modules linked in: virtio_mmio(E) 9pnet_virtio(E) 9p(E) 9pnet(E) netfs(E)
[ 1.085838] CR2: ffa00000048efbb8
[ 1.085874] ---[ end trace 0000000000000000 ]---
[ 1.085875] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 1.085918] RIP: 0010:0xffa00000048efbb8
[ 1.085921] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <40> 12 0e 00 01 00 11 ff d0 fa 8e 04 00 00 a0 ff 80 33 51 02 01 00
[ 1.085988] BUG: unable to handle page fault for address: ffa00000048f7bb8
[ 1.086026] RSP: 0018:ffa00000048ef998 EFLAGS: 00010286
[ 1.086166] #PF: supervisor instruction fetch in kernel mode
[ 1.086221]
[ 1.086267] #PF: error_code(0x0011) - permissions violation
[ 1.086321] RAX: ffa00000048efbb8 RBX: ff11000102512cc0 RCX: 000000000000000d
[ 1.086348] PGD 100000067
[ 1.086394] RDX: ffffffffa06247d0 RSI: ffa00000048efa18 RDI: ff11000102512cc0
[ 1.086459] P4D 10035f067
[ 1.086486] RBP: ffa00000048ef9c8 R08: 0000000000000000 R09: 0000000000000007
[ 1.086550] PUD 100364067
[ 1.086577] R10: ff110001047d1f08 R11: 00007effdc3d0fff R12: ff110001047d3b00
[ 1.086641] PMD 441ed9067
[ 1.086668] R13: ff11000446cae600 R14: ff110001024efe00 R15: ff11000102510a80
[ 1.086731] PTE 80000004433d3163
[ 1.086764] FS: 0000000000000000(0000) GS:ff110004aae72000(0000) knlGS:0000000000000000
[ 1.086829]
[ 1.086868] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.086931] Oops: Oops: 0011 [#2] SMP
[ 1.086958] CR2: ffa00000048efbb8 CR3: 0000000102667001 CR4: 0000000000771ef0
[ 1.087015] CPU: 29 UID: 0 PID: 306 Comm: mount Tainted: G D W E 7.0.0-rc4-virtme-00442-ge53de5a0302f-dirty #85 PREEMPTLAZY
[ 1.087050] PKRU: 55555554
[ 1.087115] Tainted: [D]=DIE, [W]=WARN, [E]=UNSIGNED_MODULE
[ 1.087207] Kernel panic - not syncing: Fatal exception
[ 2.158392] Shutting down cpus with NMI
[ 2.158629] Kernel Offset: disabled
[ 2.158668] ---[ end Kernel panic - not syncing: Fatal exception ]---
It crashes at compat_vma_mmap, and here is what I think could be the
potential crash path:
- compat_vma_mmap() creates struct vm_area_desc desc;
- compat_set_desc_from_vma Doesn't initialize the struct, but instead
modifies independent fields. I think this is where the behavior
diverges, since before we would use the C initializer and uninitialized
variables would be set to 0 (including ommitted ones, like
action.success_hook or action.error_hook). But action.type = MMAP_NOTHING
- desc.action.success_hook remains uninitialized in vfs_mmap_prepare
- mmap_action_complete()
- Here, We've set action.type to be MMAP_NOTHING, so we have err = 0
- mmap_action_finish(action, vma, 0)
- And here, since err == 0, we check action->success_hook (which has
garbage, therefore it's nonzero) and call action->success_hook(vma)
And I think action->success_hook(vma) where success_hook is uninitialized
stack garbage gets me to where I am.
Again, I'm not too familiar with this area of the kernel, this is just
based on the quick digging that I did. And aplogies again if I'm missing
something ; -) I do think that the uninitialized members could be a problem
though.
Thank you, I hope you have a great day Lorenzo!
Joshua
next prev parent reply other threads:[~2026-03-18 21:08 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-16 21:11 [PATCH v2 00/16] mm: expand mmap_prepare functionality and usage Lorenzo Stoakes (Oracle)
2026-03-16 21:11 ` [PATCH v2 01/16] mm: various small mmap_prepare cleanups Lorenzo Stoakes (Oracle)
2026-03-16 21:11 ` [PATCH v2 02/16] mm: add documentation for the mmap_prepare file operation callback Lorenzo Stoakes (Oracle)
2026-03-16 21:11 ` [PATCH v2 03/16] mm: document vm_operations_struct->open the same as close() Lorenzo Stoakes (Oracle)
2026-03-16 21:12 ` [PATCH v2 04/16] mm: add vm_ops->mapped hook Lorenzo Stoakes (Oracle)
2026-03-16 21:12 ` [PATCH v2 05/16] fs: afs: correctly drop reference count on mapping failure Lorenzo Stoakes (Oracle)
2026-03-16 21:12 ` [PATCH v2 06/16] mm: add mmap_action_simple_ioremap() Lorenzo Stoakes (Oracle)
2026-03-17 4:14 ` Suren Baghdasaryan
2026-03-18 20:39 ` Lorenzo Stoakes (Oracle)
2026-03-19 16:29 ` Lorenzo Stoakes (Oracle)
2026-03-16 21:12 ` [PATCH v2 07/16] misc: open-dice: replace deprecated mmap hook with mmap_prepare Lorenzo Stoakes (Oracle)
2026-03-17 4:30 ` Suren Baghdasaryan
2026-03-16 21:12 ` [PATCH v2 08/16] hpet: " Lorenzo Stoakes (Oracle)
2026-03-17 4:33 ` Suren Baghdasaryan
2026-03-16 21:12 ` [PATCH v2 09/16] mtdchar: replace deprecated mmap hook with mmap_prepare, clean up Lorenzo Stoakes (Oracle)
2026-03-16 21:45 ` Richard Weinberger
2026-03-16 21:12 ` [PATCH v2 10/16] stm: replace deprecated mmap hook with mmap_prepare Lorenzo Stoakes (Oracle)
2026-03-17 20:46 ` Suren Baghdasaryan
2026-03-16 21:12 ` [PATCH v2 11/16] staging: vme_user: " Lorenzo Stoakes (Oracle)
2026-03-17 21:26 ` Suren Baghdasaryan
2026-03-17 21:32 ` Suren Baghdasaryan
2026-03-19 14:54 ` Lorenzo Stoakes (Oracle)
2026-03-19 15:19 ` Suren Baghdasaryan
2026-03-19 15:19 ` Suren Baghdasaryan
2026-03-16 21:12 ` [PATCH v2 12/16] mm: allow handling of stacked mmap_prepare hooks in more drivers Lorenzo Stoakes (Oracle)
2026-03-18 15:33 ` Suren Baghdasaryan
2026-03-19 15:10 ` Lorenzo Stoakes (Oracle)
2026-03-18 21:08 ` Joshua Hahn [this message]
2026-03-19 12:52 ` Lorenzo Stoakes (Oracle)
2026-03-16 21:12 ` [PATCH v2 13/16] drivers: hv: vmbus: replace deprecated mmap hook with mmap_prepare Lorenzo Stoakes (Oracle)
2026-03-16 21:12 ` [PATCH v2 14/16] uio: replace deprecated mmap hook with mmap_prepare in uio_info Lorenzo Stoakes (Oracle)
2026-03-16 21:12 ` [PATCH v2 15/16] mm: add mmap_action_map_kernel_pages[_full]() Lorenzo Stoakes (Oracle)
2026-03-18 16:00 ` Suren Baghdasaryan
2026-03-19 15:05 ` Lorenzo Stoakes (Oracle)
2026-03-19 15:14 ` Suren Baghdasaryan
2026-03-16 21:12 ` [PATCH v2 16/16] mm: on remap assert that input range within the proposed VMA Lorenzo Stoakes (Oracle)
2026-03-18 16:02 ` Suren Baghdasaryan
2026-03-16 21:33 ` [PATCH v2 00/16] mm: expand mmap_prepare functionality and usage Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260318210845.2591228-1-joshua.hahnjy@gmail.com \
--to=joshua.hahnjy@gmail.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=alexandre.torgue@foss.st.com \
--cc=arnd@arndb.de \
--cc=bostroesser@gmail.com \
--cc=brauner@kernel.org \
--cc=clemens@ladisch.de \
--cc=david@kernel.org \
--cc=decui@microsoft.com \
--cc=dhowells@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=haiyangz@microsoft.com \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=kys@microsoft.com \
--cc=linux-afs@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-scsi@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=linux-stm32@st-md-mailman.stormreply.com \
--cc=ljs@kernel.org \
--cc=longli@microsoft.com \
--cc=marc.dionne@auristor.com \
--cc=martin.petersen@oracle.com \
--cc=mcoquelin.stm32@gmail.com \
--cc=mhocko@suse.com \
--cc=miquel.raynal@bootlin.com \
--cc=pfalcato@suse.de \
--cc=richard@nod.at \
--cc=rppt@kernel.org \
--cc=ryan.roberts@arm.com \
--cc=surenb@google.com \
--cc=target-devel@vger.kernel.org \
--cc=vbabka@kernel.org \
--cc=vigneshr@ti.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wei.liu@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox