From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: qiwuchen55@gmail.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org,
chenqiwu <chenqiwu@xiaomi.com>
Subject: Re: [PATCH] mm/rmap: ensure the validity of mapping vma which referenced an anon page
Date: Wed, 11 Mar 2020 12:19:43 +0300
Message-ID: <20200311091943.szpvgb3tsc6ss74z@box>
In-Reply-To: <1583912713-30778-1-git-send-email-qiwuchen55@gmail.com>
On Wed, Mar 11, 2020 at 03:45:13PM +0800, qiwuchen55@gmail.com wrote:
> From: chenqiwu <chenqiwu@xiaomi.com>
>
> When finding all the mapping vmas for an anon page by anon_vma, there
> is a panic risk that one mapping vma or its vm_mm has been released by
> someone.
What? Who would be able to release the VMA or the mm_struct? We hold
anon_vma lock. It doesn't make sense to me. Something else is broken.
> Like the following crash during kswapd reclaiming pages:
>
> Unable to handle kernel NULL pointer dereference at virtual address
> 00000048
> PC is at page_vma_mapped_walk+0x54/0x16c
> LR is at page_referenced_one+0x44/0x140
> [......]
> CPU: 1 PID: 161 Comm: kswapd0
> Call trace:
> [<ffffff9a080832d0>] el1_da+0x24/0x3c
> [<ffffff9a0823ea18>] page_vma_mapped_walk+0x54/0x16c
> [<ffffff9a0823fd8c>] page_referenced_one+0x44/0x140
> [<ffffff9a08240ef0>] rmap_walk_anon+0x124/0x168
> [<ffffff9a0823fcfc>] page_referenced+0x144/0x190
> [<ffffff9a08213e6c>] shrink_active_list+0x25c/0x478
> [<ffffff9a082126c8>] kswapd+0x7b0/0x9c8
> [<ffffff9a080daffc>] kthread+0x154/0x18c
> [<ffffff9a0808563c>] ret_from_fork+0x10/0x18
>
> The PC is pointed to the following code line:
> bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
> {
> struct mm_struct *mm = pvmw->vma->vm_mm;
> ......
> pgd = pgd_offset(mm, pvmw->address); //PC
> ......
> }
>
> Because the current pvmw->vma->vm_mm is a kernel NULL pointer, which
> causes a crash when pgd_offset() dereferences the mm pointer.
>
> This patch fixes the problem by ensuring that both the mapping vma
> and its vm_mm are valid. If not, we just continue to traverse the
> anon_vma->rb_root to avoid the potential junk pointer dereference.
>
> Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
> ---
> mm/rmap.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mm/rmap.c b/mm/rmap.c
> index b3e3819..fc42ca2 100644
> --- a/mm/rmap.c
> +++ b/mm/rmap.c
> @@ -1863,6 +1863,9 @@ static void rmap_walk_anon(struct page *page, struct rmap_walk_control *rwc,
> if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
> continue;
>
> + if (!vma && !vma->vm_mm)
> + continue;
> +
Even if the premise of the patch is true, 'vma' got used twice in the loop
iteration before you check if it's non-NULL.
> if (!rwc->rmap_one(page, vma, address, rwc->arg))
> break;
> if (rwc->done && rwc->done(page))
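Review bot: the added condition 'if (!vma && !vma->vm_mm)' only evaluates its second operand when 'vma' is NULL, so it dereferences exactly the pointer it is meant to guard; if the check is kept at all it has to read 'if (!vma || !vma->vm_mm)'. Even with that fixed, the check is placed after 'rwc->invalid_vma(vma, rwc->arg)' in the same iteration, so a NULL 'vma' would already have been dereferenced before the new lines run; any such guard would have to come before the first use of 'vma' in the loop body. More to the point of Kirill's objection above: a VMA reached through anon_vma->rb_root while the anon_vma lock is held should never be NULL or have a NULL vm_mm, so if the crash is real the tree or the VMA was corrupted elsewhere, and silently skipping the entry here would mask that bug rather than fix it; the commit message should identify the actual writer of the bad pointer before any check is added in rmap_walk_anon().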
> --
> 1.9.1
>
>
--
Kirill A. Shutemov
Thread overview: 3+ messages
2020-03-11 7:45 qiwuchen55
2020-03-11 9:19 ` Kirill A. Shutemov [this message]
2020-03-11 10:31 ` chenqiwu