    staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem pages · 44960f2a
    John Stultz authored
    Amit Pundir and Youling in parallel reported crashes with recent
    mainline kernels running Android:
    
      F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
      F DEBUG   : Build fingerprint: 'Android/db410c32_only/db410c32_only:Q/OC-MR1/102:userdebug/test-key
      F DEBUG   : Revision: '0'
      F DEBUG   : ABI: 'arm'
      F DEBUG   : pid: 2261, tid: 2261, name: zygote  >>> zygote <<<
      F DEBUG   : signal 7 (SIGBUS), code 2 (BUS_ADRERR), fault addr 0xec00008
      ... <snip> ...
      F DEBUG   : backtrace:
      F DEBUG   :     #00 pc 00001c04  /system/lib/libc.so (memset+48)
      F DEBUG   :     #1 pc 0010c513  /system/lib/libart.so (create_mspace_with_base+82)
      F DEBUG   :     #2 pc 0015c601  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateMspace(void*, unsigned int, unsigned int)+40)
      F DEBUG   :     #03 pc 0015c3ed  /system/lib/libart.so (art::gc::space::DlMallocSpace::CreateFromMemMap(art::MemMap*, std::__1::basic_string<char, std::__ 1::char_traits<char>, std::__1::allocator<char>> const&, unsigned int, unsigned int, unsigned int, unsigned int, bool)+36)
      ...
    
    This was bisected back to commit bfd40eaf ("mm: fix
    vma_is_anonymous() false-positives").
    
    create_mspace_with_base() in the trace above, utilizes ashmem, and with
    ashmem, for shared mappings we use shmem_zero_setup(), which sets the
    vma->vm_ops to &shmem_vm_ops.  But for private ashmem mappings nothing
    sets the vma->vm_ops.
    
    Looking at the problematic patch, it seems to add a requirement that one
    call vma_set_anonymous() on a vma, otherwise the dummy_vm_ops will be
    used.  Using the dummy_vm_ops seems to trigger SIGBUS when traversing
    unmapped pages.
    
    Thus, this patch adds a call to vma_set_anonymous() for ashmem private
    mappings and seems to avoid the reported problem.
    
    Fixes: bfd40eaf ("mm: fix vma_is_anonymous() false-positives")
    Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Joel Fernandes <joelaf@google.com>
    Cc: Colin Cross <ccross@google.com>
    Cc: Matthew Wilcox <willy@infradead.org>
    Reported-by: Amit Pundir <amit.pundir@linaro.org>
    Reported-by: Youling 257 <youling257@gmail.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Name
android
board
clocking-wizard
comedi
dgnc
emxx_udc
fbtft
fsl-dpaa2
fsl-mc
fwserial
gdm724x
goldfish
greybus
gs_fpgaboot
iio
ks7010
media
most
mt29f_spinand
mt7621-dma
mt7621-dts
mt7621-eth
mt7621-gpio
mt7621-mmc
mt7621-pci
mt7621-pinctrl
mt7621-spi
netlogic
nvec
octeon
octeon-usb
olpc_dcon
pi433
rtl8188eu
rtl8192e
rtl8192u
rtl8712
rtl8723bs
rtlwifi
rts5208
skein
sm750fb
speakup
typec
unisys
vboxvideo
vc04_services
vme
vt6655
vt6656
wilc1000
wlan-ng
xgifb
Kconfig
Makefile