Commit 8a9cc3b5 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Linus Torvalds

mmap: fix the usage of ->vm_pgoff in special_mapping paths

Test-case:

	#include <stdio.h>
	#include <unistd.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/mman.h>
	#include <assert.h>

	void *find_vdso_vaddr(void)
	{
		FILE *perl;
		char buf[32] = {};

		perl = popen("perl -e 'open STDIN,qq|/proc/@{[getppid]}/maps|;"
				"/^(.*?)-.*vdso/ && print hex $1 while <>'", "r");
		fread(buf, sizeof(buf), 1, perl);
		fclose(perl);

		return (void *)atol(buf);
	}

	#define PAGE_SIZE	4096

	int main(void)
	{
		void *vdso = find_vdso_vaddr();
		assert(vdso);

		// of course they should differ, and they do so far
		printf("vdso pages differ: %d\n",
			!!memcmp(vdso, vdso + PAGE_SIZE, PAGE_SIZE));

		// split into 2 vma's
		assert(mprotect(vdso, PAGE_SIZE, PROT_READ) == 0);

		// force another fault on the next check
		assert(madvise(vdso, 2 * PAGE_SIZE, MADV_DONTNEED) == 0);

		// now they no longer differ, the 2nd vm_pgoff is wrong
		printf("vdso pages differ: %d\n",
			!!memcmp(vdso, vdso + PAGE_SIZE, PAGE_SIZE));

		return 0;
	}

Output:

	vdso pages differ: 1
	vdso pages differ: 0

This is because split_vma() correctly updates ->vm_pgoff, but the logic
in insert_vm_struct() and special_mapping_fault() is absolutely broken,
so the fault at vdso + PAGE_SIZE return the 1st page. The same happens
if you simply unmap the 1st page.

special_mapping_fault() does:

	pgoff = vmf->pgoff - vma->vm_pgoff;

and this is _only_ correct if vma->vm_start mmaps the first page from
->vm_private_data array.

vdso or any other user of install_special_mapping() is not anonymous,
it has the "backing storage" even if it is just the array of pages.
So we actually need to make vm_pgoff work as an offset in this array.

Note: this also allows to fix another problem: currently gdb can't access
"[vvar]" memory because in this case special_mapping_fault() doesn't work.
Now that we can use ->vm_pgoff we can implement ->access() and fix this.
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent b5330628
...@@ -2884,7 +2884,7 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) ...@@ -2884,7 +2884,7 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
* using the existing file pgoff checks and manipulations. * using the existing file pgoff checks and manipulations.
* Similarly in do_mmap_pgoff and in do_brk. * Similarly in do_mmap_pgoff and in do_brk.
*/ */
if (!vma->vm_file) { if (vma_is_anonymous(vma)) {
BUG_ON(vma->anon_vma); BUG_ON(vma->anon_vma);
vma->vm_pgoff = vma->vm_start >> PAGE_SHIFT; vma->vm_pgoff = vma->vm_start >> PAGE_SHIFT;
} }
...@@ -3027,21 +3027,13 @@ static int special_mapping_fault(struct vm_area_struct *vma, ...@@ -3027,21 +3027,13 @@ static int special_mapping_fault(struct vm_area_struct *vma,
pgoff_t pgoff; pgoff_t pgoff;
struct page **pages; struct page **pages;
/*
* special mappings have no vm_file, and in that case, the mm
* uses vm_pgoff internally. So we have to subtract it from here.
* We are allowed to do this because we are the mm; do not copy
* this code into drivers!
*/
pgoff = vmf->pgoff - vma->vm_pgoff;
if (vma->vm_ops == &legacy_special_mapping_vmops) if (vma->vm_ops == &legacy_special_mapping_vmops)
pages = vma->vm_private_data; pages = vma->vm_private_data;
else else
pages = ((struct vm_special_mapping *)vma->vm_private_data)-> pages = ((struct vm_special_mapping *)vma->vm_private_data)->
pages; pages;
for (; pgoff && *pages; ++pages) for (pgoff = vmf->pgoff; pgoff && *pages; ++pages)
pgoff--; pgoff--;
if (*pages) { if (*pages) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment