linux-mm.kvack.org archive mirror
From: Andrew Morton <akpm@linux-foundation.org>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: "linux-mm@kvack.org" <linux-mm@kvack.org>,
	Dave Jones <davej@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: mm: NULL ptr deref handling mmaping of special mappings
Date: Wed, 14 May 2014 13:23:12 -0700
Message-ID: <20140514132312.573e5d3cf99276c3f0b82980@linux-foundation.org>
In-Reply-To: <53739201.6080604@oracle.com>

On Wed, 14 May 2014 11:55:45 -0400 Sasha Levin <sasha.levin@oracle.com> wrote:

> Hi all,
> 
> While fuzzing with trinity inside a KVM tools guest running the latest -next
> kernel I've stumbled on the following spew:
> 
> [ 1634.969408] BUG: unable to handle kernel NULL pointer dereference at           (null)
> [ 1634.970538] IP: special_mapping_fault (mm/mmap.c:2961)
> [ 1634.971420] PGD 3334fc067 PUD 3334cf067 PMD 0
> [ 1634.972081] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> [ 1634.972913] Dumping ftrace buffer:
> [ 1634.975493]    (ftrace buffer empty)
> [ 1634.977470] Modules linked in:
> [ 1634.977513] CPU: 6 PID: 29578 Comm: trinity-c269 Not tainted 3.15.0-rc5-next-20140513-sasha-00020-gebce144-dirty #461
> [ 1634.977513] task: ffff880333158000 ti: ffff88033351e000 task.ti: ffff88033351e000
> [ 1634.977513] RIP: special_mapping_fault (mm/mmap.c:2961)

Somebody's gone and broken the x86 oops output.  It used to say
"special_mapping_fault+0x30/0x120" but the offset info has now
disappeared.  That was useful for guesstimating whereabouts in the
function it died.

The line number isn't very useful as it's not possible (or at least,
not convenient) for others to reliably reproduce your kernel.

<scrabbles with git for a while>

: static int special_mapping_fault(struct vm_area_struct *vma,
: 				struct vm_fault *vmf)
: {
: 	pgoff_t pgoff;
: 	struct page **pages;
: 
: 	/*
: 	 * special mappings have no vm_file, and in that case, the mm
: 	 * uses vm_pgoff internally. So we have to subtract it from here.
: 	 * We are allowed to do this because we are the mm; do not copy
: 	 * this code into drivers!
: 	 */
: 	pgoff = vmf->pgoff - vma->vm_pgoff;
: 
: 	for (pages = vma->vm_private_data; pgoff && *pages; ++pages)
: 		pgoff--;
: 
: 	if (*pages) {
: 		struct page *page = *pages;
: 		get_page(page);
: 		vmf->page = page;
: 		return 0;
: 	}
: 
: 	return VM_FAULT_SIGBUS;
: }

OK so it might be the "if (*pages)".  So vma->vm_private_data was NULL
and pgoff was zero.  As usual, I can't imagine what race would cause
that :(

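Added user-space model of the quoted lookup (example code, not from this thread and not the kernel's own code) that reproduces Andrew's reading of the oops, vm_private_data NULL with pgoff zero, and places a guarded variant beside the original loop; struct page, the sample page table and the VM_FAULT_SIGBUS value are constructed stand-ins, and the guard is an illustration, not the kernel's eventual fix.

```c
#include <stdio.h>

/* Constructed stand-in for struct page: only identity matters here. */
struct page { int id; };

/* Illustrative status value; the kernel's real VM_FAULT_SIGBUS differs. */
#define VM_FAULT_SIGBUS 2

/* Constructed page table for a special mapping: two pages, NULL-terminated,
 * the shape vm_private_data points at in the quoted code. */
static struct page sample_pages[2] = { { 1 }, { 2 } };
struct page *sample_table[3] = { &sample_pages[0], &sample_pages[1], NULL };

/* The quoted kernel loop, same shape. With pages == NULL it dereferences
 * NULL either in the loop test (pgoff != 0) or in the final read
 * (pgoff == 0), the latter being the "if (*pages)" Andrew points at. */
struct page *lookup_unguarded(struct page **pages, unsigned long pgoff)
{
	for (; pgoff && *pages; ++pages)
		pgoff--;
	return *pages;
}

/* Defensive variant (illustration only, not the kernel's fix): a missing
 * table is treated like walking off the end of one, so the caller reports
 * SIGBUS instead of oopsing. */
struct page *lookup_guarded(struct page **pages, unsigned long pgoff)
{
	if (!pages)
		return NULL;
	return lookup_unguarded(pages, pgoff);
}

/* Model of special_mapping_fault: returns the page to map, or NULL where
 * the kernel would return VM_FAULT_SIGBUS. Keeps the vm_pgoff subtraction;
 * an unsigned underflow wraps and simply runs off the table. */
struct page *fault_page(struct page **vm_private_data, unsigned long vm_pgoff,
			unsigned long vmf_pgoff)
{
	return lookup_guarded(vm_private_data, vmf_pgoff - vm_pgoff);
}

int fault_status(struct page **vm_private_data, unsigned long vm_pgoff,
		 unsigned long vmf_pgoff)
{
	return fault_page(vm_private_data, vm_pgoff, vmf_pgoff) ? 0 : VM_FAULT_SIGBUS;
}
```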
