Re: [PATCH 4/9] mm: use mm_populate() for blocking remap_file_pages()

From: Tommi Rantala
Date: Sun Mar 10 2013 - 14:55:32 EST


2012/12/21 Michel Lespinasse <walken@xxxxxxxxxx>:
> Signed-off-by: Michel Lespinasse <walken@xxxxxxxxxx>

Hello, this patch introduced the following bug, seen while fuzzing with trinity:

[ 396.825414] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000050
[ 396.826013] IP: [<ffffffff81176efb>] sys_remap_file_pages+0xbb/0x3e0
[ 396.826013] PGD 61e65067 PUD 3fb4067 PMD 0
[ 396.826013] Oops: 0000 [#8] SMP
[ 396.826013] CPU 0
[ 396.826013] Pid: 27553, comm: trinity-child53 Tainted: G D W
3.9.0-rc1+ #108 Bochs Bochs
[ 396.826013] RIP: 0010:[<ffffffff81176efb>] [<ffffffff81176efb>]
sys_remap_file_pages+0xbb/0x3e0
[ 396.826013] RSP: 0018:ffff880071a23f08 EFLAGS: 00010246
[ 396.826013] RAX: 0000000000000000 RBX: ffffffff00000000 RCX: 0000000000000001
[ 396.826013] RDX: 0000000000000000 RSI: ffffffff00000000 RDI: ffff8800679657c0
[ 396.826013] RBP: ffff880071a23f78 R08: 0000000000000002 R09: 0000000000000000
[ 396.826013] R10: 0000000026dad294 R11: 0000000000000000 R12: 0000000000000000
[ 396.826013] R13: ffff880067965870 R14: ffffffffffffffea R15: 0000000000000000
[ 396.826013] FS: 00007f6691a57700(0000) GS:ffff88007f800000(0000)
knlGS:0000000000000000
[ 396.826013] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 396.826013] CR2: 0000000000000050 CR3: 0000000068ab3000 CR4: 00000000000006f0
[ 396.826013] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 396.826013] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 396.826013] Process trinity-child53 (pid: 27553, threadinfo
ffff880071a22000, task ffff88006a360000)
[ 396.826013] Stack:
[ 396.826013] 0000000000000000 ffffffff810f33b6 0000000000000035
0000000000000000
[ 396.826013] 000000000000f000 0000000000000000 0000000026dad294
ffff8800679657c0
[ 396.826013] a80006367e000000 ffffffff00000000 00000000000006c0
00000000000000d8
[ 396.826013] Call Trace:
[ 396.826013] [<ffffffff810f33b6>] ? trace_hardirqs_on_caller+0x16/0x1f0
[ 396.826013] [<ffffffff81faf169>] system_call_fastpath+0x16/0x1b
[ 396.826013] Code: 43 e3 00 48 8b 45 a8 25 00 00 01 00 48 89 45 b8
48 8b 7d c8 48 89 de e8 74 9b 00 00 48 85 c0 49 89 c7 75 1c 49 c7 c6
ea ff ff ff <48> 8b 14 25 50 00 00 00 44 89 f0 e9 7f 02 00 00 0f 1f 44
00 00
[ 396.826013] RIP [<ffffffff81176efb>] sys_remap_file_pages+0xbb/0x3e0
[ 396.826013] RSP <ffff880071a23f08>
[ 396.826013] CR2: 0000000000000050
[ 396.876275] ---[ end trace 0444599b5c1ba02b ]---

> ---
> mm/fremap.c | 22 ++++++----------------
> 1 files changed, 6 insertions(+), 16 deletions(-)
>
> diff --git a/mm/fremap.c b/mm/fremap.c
> index 2db886e31044..b42e32171530 100644
> --- a/mm/fremap.c
> +++ b/mm/fremap.c
> @@ -129,6 +129,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
> struct vm_area_struct *vma;
> int err = -EINVAL;
> int has_write_lock = 0;
> + vm_flags_t vm_flags;
>
> if (prot)
> return err;
> @@ -228,30 +229,16 @@ get_write_lock:
> /*
> * drop PG_Mlocked flag for over-mapped range
> */
> - vm_flags_t saved_flags = vma->vm_flags;
> if (!has_write_lock)
> goto get_write_lock;
> + vm_flags = vma->vm_flags;
> munlock_vma_pages_range(vma, start, start + size);
> - vma->vm_flags = saved_flags;
> + vma->vm_flags = vm_flags;
> }
>
> mmu_notifier_invalidate_range_start(mm, start, start + size);
> err = vma->vm_ops->remap_pages(vma, start, size, pgoff);
> mmu_notifier_invalidate_range_end(mm, start, start + size);
> - if (!err) {
> - if (vma->vm_flags & VM_LOCKED) {
> - /*
> - * might be mapping previously unmapped range of file
> - */
> - mlock_vma_pages_range(vma, start, start + size);
> - } else if (!(flags & MAP_NONBLOCK)) {
> - if (unlikely(has_write_lock)) {
> - downgrade_write(&mm->mmap_sem);
> - has_write_lock = 0;
> - }
> - make_pages_present(start, start+size);
> - }
> - }
>
> /*
> * We can't clear VM_NONLINEAR because we'd have to do
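Review bot: The new `vm_flags` local does double duty: at `vm_flags = vma->vm_flags;` / `vma->vm_flags = vm_flags;` around munlock_vma_pages_range() it is the saved copy that replaces the old `saved_flags`, and the next hunk assigns it again at `out:` as the snapshot that decides whether to populate. Two uses with different lifetimes on one name makes the restore after munlock harder to follow than the original single-purpose variable was. Declaring a separate `vm_flags_t saved_flags;` next to the new declaration in the first hunk, and keeping the munlock save/restore on that name, would hoist the declaration out of the labelled block (which appears to be the reason the mid-block `saved_flags` was dropped) without sharing the variable. The enclosing SYSCALL_DEFINE5 body begins before this hunk and continues past it.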
> @@ -260,10 +247,13 @@ get_write_lock:
> */
>
> out:
> + vm_flags = vma->vm_flags;

When find_vma() fails, vma is NULL here.

> if (likely(!has_write_lock))
> up_read(&mm->mmap_sem);
> else
> up_write(&mm->mmap_sem);
> + if (!err && ((vm_flags & VM_LOCKED) || !(flags & MAP_NONBLOCK)))
> + mm_populate(start, size);
>
> return err;
> }
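Review bot: The populate condition `if (!err && ((vm_flags & VM_LOCKED) || !(flags & MAP_NONBLOCK)))` folds two different reasons into one test and now runs after mmap_sem has been released, whereas the removed block it replaces did that work while the lock was still held; nothing at the call site records why the new ordering is intended. A comment above it along the lines of `/* Populate after dropping mmap_sem: VM_LOCKED ranges are always faulted in, other ranges only for blocking callers */` would carry over the rationale that the removed "might be mapping previously unmapped range of file" comment gave. Whether mm_populate() itself re-takes mmap_sem cannot be confirmed from this hunk, so word the comment accordingly. The function's body begins before this hunk; its `get_write_lock` label is outside it.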
> --
> 1.7.7.3
>