From: "Darrick J. Wong" <djwong@us.ibm.com>
To: linux-aio@kvack.org
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] Oops in aio_free_ring on 2.6.9
Date: Fri, 05 Nov 2004 11:34:20 -0800 [thread overview]
Message-ID: <1099683260.12365.348.camel@bluebox> (raw)
Hi,
In pounding on various i386 machines with a random syscall generator, I
uncovered a situation in which the kernel oopses:
1. Use mmap() to map out as much of the process address
space as possible. This is about 2047M on i386.
2. Call io_setup with the first argument set to a
large (~65000) value.
(These notes reference the mainline 2.6.9 source.)
What happens is that the number of pages required to service the
io_setup request is larger than the block of internally allocated page
pointers (fs/aio.c:126), so aio_setup_ring kmalloc's a blob of struct
page pointers, and initializes these pointers to NULL. (fs/aio.c:130)
Next, the aio_setup_ring function tries to mmap a bunch of pages and
fails, because in step 1 we used up all the address space.
aio_setup_ring then calls aio_free_ring to tear all of this down.
(fs/aio.c:143)
aio_free_ring sees the block of struct page pointers and calls free_page
(fs/aio.c:88) on the pointers without checking that they're not NULL.
Unfortunately, they _are_ NULL and *oops*! My patch amends the function
to include a null pointer check.
I have a simple testcase that causes this oops; see
http://submarine.dyndns.org/~djwong/docs/iosetup_crash.c. Run
"./iosetup_crash 100 100000 1000000" to reproduce the oops.
This flaw shows up on mainline 2.6.9, Debian 2.6.8 and SLES9 2.6.5 on
four different machines. The patch is against 2.6.9 mainline and the
problem isn't fixed in 2.6.10-rc1.
Please send replies directly to me, as I'm not subscribed to
linux-kernel or linux-aio.
--Darrick
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
diff -uprN linux-2.6.9-orig/fs/aio.c linux-2.6.9/fs/aio.c
--- linux-2.6.9-orig/fs/aio.c 2004-10-18 14:54:07.000000000 -0700
+++ linux-2.6.9/fs/aio.c 2004-11-03 08:47:51.000000000 -0800
@@ -85,7 +85,8 @@ static void aio_free_ring(struct kioctx
long i;
for (i=0; i<info->nr_pages; i++)
- put_page(info->ring_pages[i]);
+ if (info->ring_pages[i])
+ put_page(info->ring_pages[i]);
if (info->mmap_size) {
down_write(&ctx->mm->mmap_sem);
next reply other threads:[~2004-11-05 19:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-05 19:34 Darrick J. Wong [this message]
2004-11-07 3:43 ` [PATCH] Oops in aio_free_ring on 2.6.9 Linus Torvalds
2004-11-08 4:17 ` Suparna Bhattacharya
2004-11-08 19:30 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1099683260.12365.348.camel@bluebox \
--to=djwong@us.ibm.com \
--cc=linux-aio@kvack.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox