From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pl0-f72.google.com (mail-pl0-f72.google.com [209.85.160.72]) by kanga.kvack.org (Postfix) with ESMTP id 8C4156B0005 for ; Tue, 31 Jul 2018 13:17:17 -0400 (EDT) Received: by mail-pl0-f72.google.com with SMTP id 2-v6so2666882plc.11 for ; Tue, 31 Jul 2018 10:17:17 -0700 (PDT) Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id q23-v6sor4151810pfh.16.2018.07.31.10.17.16 for (Google Transport Security); Tue, 31 Jul 2018 10:17:16 -0700 (PDT) From: John Stultz Subject: [PATCH] staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages Date: Tue, 31 Jul 2018 10:17:04 -0700 Message-Id: <1533057424-25933-1-git-send-email-john.stultz@linaro.org> In-Reply-To: References: Sender: owner-linux-mm@kvack.org List-ID: To: Linux Kernel Mailing List Cc: John Stultz , Amit Pundir , "Kirill A. Shutemov" , "Kirill A. Shutemov" , Andrew Morton , Dmitry Vyukov , Oleg Nesterov , aarcange@redhat.com, Linus Torvalds , Greg Kroah-Hartman , Hugh Dickins , Joel Fernandes , Colin Cross , Matthew Wilcox , linux-mm@kvack.org, youling 257 Amit Pundir and Youling in parallel reported crashes with recent mainline kernels running Android: F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** F DEBUG : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key F DEBUG : Revision: '0' F DEBUG : ABI: 'arm' F DEBUG : pid: 2261, tid: 2261, name: zygote >>> zygote <<< F DEBUG : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008 ... ... F DEBUG : backtrace: F DEBUG : #00 pc 00001c04 /system/lib/libc.so (memset+48) F DEBUG : #01 pc 0010c513 /system/lib/libart.so (create_mspace_with_base+82) F DEBUG : #02 pc 0015c601 /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40) F DEBUG : #03 pc 0015c3ed /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string, std::__1::allocator> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36) ... This was bisected back to commit bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives"). create_mspace_with_base() in the trace above, utilizes ashmem, and with ashmem, for shared mappings we use shmem_zero_setup(), which sets the vma->vm_ops to &shmem_vm_ops. But for private ashmem mappings nothing sets the vma->vm_ops. Looking at the problematic patch, it seems to add a requirement that one call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be used. Using the dummy_vm_ops seem to triggger SIGBUS when traversing unmapped pages. Thus, this patch adds a call to vma_set_anonymous() for ashmem private mappings and seems to avoid the reported problem. Cc: Amit Pundir Cc: "Kirill A. Shutemov" Cc: "Kirill A. Shutemov" Cc: Andrew Morton Cc: Dmitry Vyukov Cc: Oleg Nesterov Cc: aarcange@redhat.com Cc: Linus Torvalds Cc: Greg Kroah-Hartman Cc: Hugh Dickins Cc: Joel Fernandes Cc: Colin Cross Cc: Matthew Wilcox Cc: linux-mm@kvack.org Cc: youling 257 Fixes: bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives") Reported-by: Amit Pundir Reported-by: Youling 257 Signed-off-by: John Stultz --- Hopefully my explanation make sense here. Please let me know if it needs corrections. thanks -john --- drivers/staging/android/ashmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index a1a0025..d5d33e1 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -402,6 +402,8 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) fput(asma->file); goto out; } + } else { + vma_set_anonymous(vma); } if (vma->vm_file) -- 2.7.4