From: John Stultz
To: Linux Kernel Mailing List
Cc: John Stultz, Amit Pundir, "Kirill A. Shutemov", "Kirill A. Shutemov", Andrew Morton, Dmitry Vyukov, Oleg Nesterov, aarcange@redhat.com, Linus Torvalds, Greg Kroah-Hartman, Hugh Dickins, Joel Fernandes, Colin Cross, Matthew Wilcox, linux-mm@kvack.org, youling 257
Subject: [PATCH] staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages
Date: Tue, 31 Jul 2018 10:17:04 -0700
Message-Id: <1533057424-25933-1-git-send-email-john.stultz@linaro.org>

Amit Pundir and Youling in parallel reported crashes with recent mainline kernels running Android:

F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
F DEBUG : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
F DEBUG : Revision: '0'
F DEBUG : ABI: 'arm'
F DEBUG : pid: 2261, tid: 2261, name: zygote >>> zygote <<<
F DEBUG : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
...
...
F DEBUG : backtrace:
F DEBUG : #00 pc 00001c04 /system/lib/libc.so (memset+48)
F DEBUG : #01 pc 0010c513 /system/lib/libart.so (create_mspace_with_base+82)
F DEBUG : #02 pc 0015c601 /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
F DEBUG : #03 pc 0015c3ed /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string, std::__1::allocator> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)
...

This was bisected back to commit bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives").

create_mspace_with_base() in the trace above, utilizes ashmem, and with ashmem, for shared mappings we use shmem_zero_setup(), which sets the vma->vm_ops to &shmem_vm_ops. But for private ashmem mappings nothing sets the vma->vm_ops.

Looking at the problematic patch, it seems to add a requirement that one call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be used. Using the dummy_vm_ops seems to trigger SIGBUS when traversing unmapped pages.

Thus, this patch adds a call to vma_set_anonymous() for ashmem private mappings and seems to avoid the reported problem.

Cc: Amit Pundir
Cc: "Kirill A. Shutemov"
Cc: "Kirill A. Shutemov"
Cc: Andrew Morton
Cc: Dmitry Vyukov
Cc: Oleg Nesterov
Cc: aarcange@redhat.com
Cc: Linus Torvalds
Cc: Greg Kroah-Hartman
Cc: Hugh Dickins
Cc: Joel Fernandes
Cc: Colin Cross
Cc: Matthew Wilcox
Cc: linux-mm@kvack.org
Cc: youling 257
Fixes: bfd40eaff5ab ("mm: fix vma_is_anonymous() false-positives")
Reported-by: Amit Pundir
Reported-by: Youling 257
Signed-off-by: John Stultz
---
Hopefully my explanation makes sense here. Please let me know if it needs corrections.

thanks
-john

--- drivers/staging/android/ashmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index a1a0025..d5d33e1 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -402,6 +402,8 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) fput(asma->file); goto out; } + } else { + vma_set_anonymous(vma); } if (vma->vm_file) -- 2.7.4
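
Review bot: The new `else` branch in ashmem_mmap() calls `vma_set_anonymous(vma);` with no comment, and the reason for it cannot be read from the code alone. The changelog gives it: since bfd40eaff5ab a private mapping that never calls vma_set_anonymous() is left with the dummy_vm_ops, and touching its pages raises SIGBUS. A one-line comment above the call saying that private ashmem mappings must be marked anonymous for that reason would keep the branch from later being removed as redundant. The context line that follows, `if (vma->vm_file)`, indicates the vma can still carry a file at this point, so it is worth asking the mm reviewers on Cc to confirm that an anonymous vma with vm_file set is an intended combination, and then replacing the changelog's "seems to" wording with the confirmed explanation.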