Commit 44960f2a authored by John Stultz, committed by Linus Torvalds

staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages

Amit Pundir and Youling in parallel reported crashes with recent
mainline kernels running Android:

  F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
  F DEBUG   : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
  F DEBUG   : Revision: '0'
  F DEBUG   : ABI: 'arm'
  F DEBUG   : pid: 2261, tid: 2261, name: zygote  >>> zygote <<<
  F DEBUG   : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
  ... <snip> ...
  F DEBUG   : backtrace:
  F DEBUG   :     #00 pc 00001c04  /system/lib/ (memset+48)
  F DEBUG   :     #1 pc 0010c513  /system/lib/ (create_mspace_with_base+82)
  F DEBUG   :     #2 pc 0015c601  /system/lib/ (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
  F DEBUG   :     #3 pc 0015c3ed  /system/lib/ (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string<char, std::__ 1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)

This was bisected back to commit bfd40eaf ("mm: fix
vma_is_anonymous() false-positives").

create_mspace_with_base() in the trace above utilizes ashmem, and with
ashmem, for shared mappings we use shmem_zero_setup(), which sets the
vma->vm_ops to &shmem_vm_ops.  But for private ashmem mappings nothing
sets the vma->vm_ops.

Looking at the problematic patch, it seems to add a requirement that one
call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be
used.  Using the dummy_vm_ops seems to trigger SIGBUS when traversing
unmapped pages.

Thus, this patch adds a call to vma_set_anonymous() for ashmem private
mappings and seems to avoid the reported problem.

Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
Cc: Kirill Shutemov <>
Cc: Andrew Morton <>
Cc: Dmitry Vyukov <>
Cc: Oleg Nesterov <>
Cc: Andrea Arcangeli <>
Cc: Greg Kroah-Hartman <>
Cc: Hugh Dickins <>
Cc: Joel Fernandes <>
Cc: Colin Cross <>
Cc: Matthew Wilcox <>
Reported-by: Amit Pundir <>
Reported-by: Youling 257 <>
Signed-off-by: John Stultz <>
Signed-off-by: Linus Torvalds <>
parent ebad825c
......@@ -402,6 +402,8 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
goto out;
} else {
if (vma->vm_file)
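Review bot: the `} else {` branch in ashmem_mmap(), right after the `goto out;` error path, carries no comment saying why the private-mapping case needs separate handling. The reasoning (shared mappings get vm_ops from shmem_zero_setup(), private ones get nothing, and since bfd40eaf a vma without vma_set_anonymous() falls back to dummy_vm_ops and hits SIGBUS on unmapped pages) exists only in the commit message, so a one-line comment in the branch would keep a later cleanup from dropping the call. The message also says the change "seems to avoid" the problem; stating what was tested, for example that the zygote crash in the trace no longer reproduces, would make the fix easier to trust when backporting.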