[PATCH] staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: John Stultz <john.stultz@linaro.org>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: John Stultz <john.stultz@linaro.org>,
	Amit Pundir <amit.pundir@linaro.org>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	"Kirill A. Shutemov" <kirill@shutemov.name>,
	Andrew Morton <akpm@linux-foundation.org>,
	Dmitry Vyukov <dvyukov@google.com>,
	Oleg Nesterov <oleg@redhat.com>,
	aarcange@redhat.com,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Hugh Dickins <hughd@google.com>,
	Joel Fernandes <joelaf@google.com>,
	Colin Cross <ccross@google.com>,
	Matthew Wilcox <willy@infradead.org>,
	linux-mm@kvack.org, youling 257 <youling257@gmail.com>
Subject: [PATCH] staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages
Date: Tue, 31 Jul 2018 10:17:04 -0700	[thread overview]
Message-ID: <1533057424-25933-1-git-send-email-john.stultz@linaro.org> (raw)
In-Reply-To: <CA+55aFx=-tHXjv3gv4W=xYwM+VOHJQE5q5VyihkPK7s560x-vQ@mail.gmail.com>

Amit Pundir and Youling in parallel reported crashes with recent
mainline kernels running Android:

F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
F DEBUG   : Build fingerprint:
'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
F DEBUG   : Revision: '0'
F DEBUG   : ABI: 'arm'
F DEBUG   : pid: 2261, tid: 2261, name: zygote  >>> zygote <<<
F DEBUG   : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
... <snip> ...
F DEBUG   : backtrace:
F DEBUG   :     #00 pc 00001c04  /system/lib/libc.so (memset+48)
F DEBUG   :     #01 pc 0010c513  /system/lib/libart.so
(create_mspace_with_base+82)
F DEBUG   :     #02 pc 0015c601  /system/lib/libart.so
(art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int,
unsigned int)+40)
F DEBUG   :     #03 pc 0015c3ed  /system/lib/libart.so
(art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*,
std::__1::basic_string<char, std::__
1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int,
unsigned int, unsigned int, unsigned int, bool)+36)
...

This was bisected back to commit bfd40eaff5ab ("mm: fix vma_is_anonymous()
false-positives").

create_mspace_with_base() in the trace above, utilizes ashmem, and
with ashmem, for shared mappings we use shmem_zero_setup(), which sets
the vma->vm_ops to &shmem_vm_ops. But for private ashmem mappings
nothing sets the vma->vm_ops.

Looking at the problematic patch, it seems to add a requirement that
one call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will
be used. Using the dummy_vm_ops seem to triggger SIGBUS when traversing
unmapped pages.

Thus, this patch adds a call to vma_set_anonymous() for ashmem private
mappings and seems to avoid the reported problem.

Cc: Amit Pundir <amit.pundir@linaro.org>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: aarcange@redhat.com
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Colin Cross <ccross@google.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: linux-mm@kvack.org
Cc: youling 257 <youling257@gmail.com>
Fixes: bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives")
Reported-by: Amit Pundir <amit.pundir@linaro.org>
Reported-by: Youling 257 <youling257@gmail.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
---

Hopefully my explanation make sense here. Please let me know if it
needs corrections.
thanks
-john

---
 drivers/staging/android/ashmem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index a1a0025..d5d33e1 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -402,6 +402,8 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
 			fput(asma->file);
 			goto out;
 		}
+	} else {
+		vma_set_anonymous(vma);
 	}
 
 	if (vma->vm_file)
-- 
2.7.4

next prev parent reply	other threads:[~2018-07-31 17:17 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CA+55aFxpFefwVdTGVML99PSFUqwpJXPx5LVCA3D=g2t2_QLNsA@mail.gmail.com>
2018-07-30  6:47 ` Linux 4.18-rc7 Amit Pundir
2018-07-30 13:01   ` Kirill A. Shutemov
2018-07-30 13:34     ` Amit Pundir
2018-07-30 17:32     ` Linus Torvalds
2018-07-30 21:53       ` Hugh Dickins
2018-07-31  1:01         ` Linus Torvalds
2018-07-31  3:26           ` Hugh Dickins
2018-07-31  4:25             ` John Stultz
2018-07-31  6:40               ` Amit Pundir
2018-07-31  6:56                 ` Kirill A. Shutemov
2018-07-31 16:29                 ` Linus Torvalds
2018-07-31 16:56                   ` John Stultz
2018-07-31 17:03                   ` Kirill A. Shutemov
2018-07-31 17:43                     ` Luck, Tony
2018-07-31 19:02                       ` Linus Torvalds
2018-08-01 17:15                       ` Linus Torvalds
2018-08-01 18:31                         ` Hugh Dickins
2018-08-01 20:58                           ` Kirill A. Shutemov
2018-08-01 21:55                             ` Hugh Dickins
2018-08-02 19:12                               ` John Stultz
2018-08-01 18:36                         ` Luck, Tony
2018-08-01 20:05                         ` Linus Torvalds
2018-08-01 20:51                           ` Kirill A. Shutemov
2018-08-01 20:56                             ` Linus Torvalds
2018-08-01 21:25                               ` Kirill A. Shutemov
2018-08-02  6:59                         ` Amit Pundir
2018-07-31 17:17                   ` John Stultz [this message]
2018-07-31 22:57                   ` youling 257
2018-07-31 23:07                   ` youling 257
2018-07-31  6:29           ` Kirill A. Shutemov
2018-07-31 14:57             ` Kirill A. Shutemov
2018-08-01  0:09               ` Hugh Dickins

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a1a0025 dfblob:d5d33e1 )
 OR (
bs:"[PATCH] staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1533057424-25933-1-git-send-email-john.stultz@linaro.org \
    --to=john.stultz@linaro.org \
    --cc=aarcange@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=amit.pundir@linaro.org \
    --cc=ccross@google.com \
    --cc=dvyukov@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hughd@google.com \
    --cc=joelaf@google.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=kirill@shutemov.name \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=oleg@redhat.com \
    --cc=torvalds@linux-foundation.org \
    --cc=willy@infradead.org \
    --cc=youling257@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).