qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v10 0/9] KVM: mm: fd-based approach for supporting KVM

From: Liam Merwick
Subject: Re: [PATCH v10 0/9] KVM: mm: fd-based approach for supporting KVM
Date: Wed, 25 Jan 2023 16:01:05 +0000
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 
On 25/01/2023 12:53, Kirill A. Shutemov wrote:

On Wed, Jan 25, 2023 at 12:20:26AM +0000, Sean Christopherson wrote:

On Tue, Jan 24, 2023, Liam Merwick wrote:

On 14/01/2023 00:37, Sean Christopherson wrote:

On Fri, Dec 02, 2022, Chao Peng wrote:

...


When running LTP (https://github.com/linux-test-project/ltp) on the v10
bits (and also with Sean's branch above) I encounter the following NULL
pointer dereference with testcases/kernel/syscalls/madvise/madvise01
(100% reproducible).

It appears that in restrictedmem_error_page() inode->i_mapping->private_data
is NULL
in the list_for_each_entry_safe(inode, next, &sb->s_inodes, i_sb_list)
but I don't know why.


Kirill, can you take a look?  Or pass the buck to someone who can? :-)


The patch below should help.


Thanks, this works for me.

Regards,
Liam



diff --git a/mm/restrictedmem.c b/mm/restrictedmem.c
index 15c52301eeb9..39ada985c7c0 100644
--- a/mm/restrictedmem.c
+++ b/mm/restrictedmem.c
@@ -307,14 +307,29 @@ void restrictedmem_error_page(struct page *page, struct 
address_space *mapping)
spin_lock(&sb->s_inode_list_lock); 
        list_for_each_entry_safe(inode, next, &sb->s_inodes, i_sb_list) {
-               struct restrictedmem *rm = inode->i_mapping->private_data;
                struct restrictedmem_notifier *notifier;
-               struct file *memfd = rm->memfd;
+               struct restrictedmem *rm;
                unsigned long index;
+               struct file *memfd;
- if (memfd->f_mapping != mapping) 
+               if (atomic_read(&inode->i_count))
                        continue;
+ spin_lock(&inode->i_lock); 
+               if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) {
+                       spin_unlock(&inode->i_lock);
+                       continue;
+               }
+
+               rm = inode->i_mapping->private_data;
+               memfd = rm->memfd;
+
+               if (memfd->f_mapping != mapping) {
+                       spin_unlock(&inode->i_lock);
+                       continue;
+               }
+               spin_unlock(&inode->i_lock);
+
                xa_for_each_range(&rm->bindings, index, notifier, start, end)
                        notifier->ops->error(notifier, start, end);
                break;
reply via email to
[Prev in Thread] Current Thread [Next in Thread]