From patchwork Tue Jul 31 17:17:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Stultz X-Patchwork-Id: 143202 Delivered-To: patches@linaro.org Received: by 2002:a2e:9754:0:0:0:0:0 with SMTP id f20-v6csp5588354ljj; Tue, 31 Jul 2018 10:17:16 -0700 (PDT) X-Received: by 2002:a63:7a43:: with SMTP id j3-v6mr21066281pgn.363.1533057436609; Tue, 31 Jul 2018 10:17:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533057436; cv=none; d=google.com; s=arc-20160816; b=tSRPtwxEObCeu9hGAIM0tMWK5cC3vs0UhzVRcReLzUnTZYUVADmSp6bp70fC6AJUVj b3M8eR7ELbsMbVPsDnWgku02NVhCQh4VAixQE8suolAbWauKAgoHn2RybA+gAsFf3bBQ KpSszdx9g7aiSZHAp1Lhw5kSx+VszX7tGvnzRbNKw8z8ItYI8HnRi/ibHgkyCFzEqLPZ KFw5SBuZe0B3DkU8BtMB+KWAXW1+EaEGwEttVNGFVnitgluURg/dcls2/lcMIM6I0kyK FrLwGxMN2z4Ag3ImtKzw+SLNbo+peV2D88ypkdDKydtFS0FNGI/ziqGrCDFDeougviIx cf+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=Mr8SlKMMKOWqMOG5/RqK9f9XGsYcnxSMuRGnJK/CucU=; b=o5m+3VYADZxYY9sbpwQdEAnzxCls1GWiVg53BEy9IY5Ko0Prx38F0hFNShrnOPJOGd TZnIfYZ6DdCFx26fsVsGomlm7rDlQcxuULniQVbj87ORT9cSzCTymMVrldPCtz3ZlfgA LYD8HXDwjcKjueebJae3emT+B5PP0Y6AI14oJSfOkzk57Pi1MYo8T0Nw4qdOg8MOCsWw 8xm0hqCOpxZacUrdFLRy5p7CemhsjXzvMoTgmsyWLBO850WldaQUtJ5PVVKyJj2KWWjn i+kqM0v520HfCJ90zHOLX2h2Ziy07WKO/Pa5u8QFjNSBDENwO4yqlM8edeB+PXJVwS1w iA5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JLyAhVhG; spf=pass (google.com: domain of john.stultz@linaro.org designates 209.85.220.65 as permitted sender) smtp.mailfrom=john.stultz@linaro.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id s24-v6sor4113715pfm.12.2018.07.31.10.17.16 for (Google Transport Security); Tue, 31 Jul 2018 10:17:16 -0700 (PDT) Received-SPF: pass (google.com: domain of john.stultz@linaro.org designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JLyAhVhG; spf=pass (google.com: domain of john.stultz@linaro.org designates 209.85.220.65 as permitted sender) smtp.mailfrom=john.stultz@linaro.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Mr8SlKMMKOWqMOG5/RqK9f9XGsYcnxSMuRGnJK/CucU=; b=JLyAhVhGcAiy3rzm8sLZ7tPCODrsWKfLyDUpfHHgubx+5um96Xn4BBXWCzu4cLGaj8 H+AVeHGJlw0jpCalPaScnRtvio97Af1j3O19YyYL8O18GF1v9LVE0DhWxOSMZ5Rl3Sko Y+B2Aayqk0hTWycVr3a1xWLR8ITWqNbKlk7JA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Mr8SlKMMKOWqMOG5/RqK9f9XGsYcnxSMuRGnJK/CucU=; b=dltmm0+cenuHiOZLR18wd9EKmVaoA3/a77lB7auTwmc9Vjsaz/GCJ7hv+JMLOqLLcE cCFbCR7U00B2Ow+Se3gUIfrTPP17M593W3iah3Ffwy2bjsLkHZ4RHiBoWjy1eJ5JIy60 WJLy6a13iWjynn9w2jX77qk33xFEDkbM+K3DbpCpfrOUGkKlNIwK/OUza+YzFzXK46Km n2I/mEkmswFNQjaWflA9omhPF+eB7DGDK9edcwy2qpBwxeNT5sd5orBR+3ww+ESCrWNk tkqbX5oaDY3UE3GsRlf1PYoPj/cwLm3pNJsaCiSFfbN8T1DiH+JCEZbUNgcL+X8xwQKU 6DvA== X-Gm-Message-State: AOUpUlFAcSWbBq+56LnwLiqi7yX3VvLzsRQUj4Lhu225lnNvIFrL4Qvc tl5t4R7SiOZI0Ooso/34fX7w5TiS X-Google-Smtp-Source: AAOMgpflYEO42li9iH5OxkY8mQuwLpEiSJXf3JUSCGAGhd5tb5739YZEvpyj3m1NyCogKdDHw6/Ukg== X-Received: by 2002:aa7:850b:: with SMTP id v11-v6mr22763790pfn.165.1533057436022; Tue, 31 Jul 2018 10:17:16 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([2601:1c2:680:1319:4e72:b9ff:fe99:466a]) by smtp.gmail.com with ESMTPSA id y3-v6sm43577938pfi.24.2018.07.31.10.17.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 31 Jul 2018 10:17:14 -0700 (PDT) From: John Stultz To: Linux Kernel Mailing List Cc: John Stultz , Amit Pundir , "Kirill A. Shutemov" , "Kirill A. Shutemov" , Andrew Morton , Dmitry Vyukov , Oleg Nesterov , aarcange@redhat.com, Linus Torvalds , Greg Kroah-Hartman , Hugh Dickins , Joel Fernandes , Colin Cross , Matthew Wilcox , linux-mm@kvack.org, youling 257 Subject: [PATCH] staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages Date: Tue, 31 Jul 2018 10:17:04 -0700 Message-Id: <1533057424-25933-1-git-send-email-john.stultz@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: References: Amit Pundir and Youling in parallel reported crashes with recent mainline kernels running Android: F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** F DEBUG : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key F DEBUG : Revision: '0' F DEBUG : ABI: 'arm' F DEBUG : pid: 2261, tid: 2261, name: zygote >>> zygote <<< F DEBUG : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008 ... ... F DEBUG : backtrace: F DEBUG : #00 pc 00001c04 /system/lib/libc.so (memset+48) F DEBUG : #01 pc 0010c513 /system/lib/libart.so (create_mspace_with_base+82) F DEBUG : #02 pc 0015c601 /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40) F DEBUG : #03 pc 0015c3ed /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string, std::__1::allocator> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36) ... This was bisected back to commit bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives"). create_mspace_with_base() in the trace above, utilizes ashmem, and with ashmem, for shared mappings we use shmem_zero_setup(), which sets the vma->vm_ops to &shmem_vm_ops. But for private ashmem mappings nothing sets the vma->vm_ops. Looking at the problematic patch, it seems to add a requirement that one call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be used. Using the dummy_vm_ops seem to triggger SIGBUS when traversing unmapped pages. Thus, this patch adds a call to vma_set_anonymous() for ashmem private mappings and seems to avoid the reported problem. Cc: Amit Pundir Cc: "Kirill A. Shutemov" Cc: "Kirill A. Shutemov" Cc: Andrew Morton Cc: Dmitry Vyukov Cc: Oleg Nesterov Cc: aarcange@redhat.com Cc: Linus Torvalds Cc: Greg Kroah-Hartman Cc: Hugh Dickins Cc: Joel Fernandes Cc: Colin Cross Cc: Matthew Wilcox Cc: linux-mm@kvack.org Cc: youling 257 Fixes: bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives") Reported-by: Amit Pundir Reported-by: Youling 257 Signed-off-by: John Stultz --- Hopefully my explanation make sense here. Please let me know if it needs corrections. thanks -john --- drivers/staging/android/ashmem.c | 2 ++ 1 file changed, 2 insertions(+) -- 2.7.4 diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index a1a0025..d5d33e1 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -402,6 +402,8 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) fput(asma->file); goto out; } + } else { + vma_set_anonymous(vma); } if (vma->vm_file)