Message-ID: <9cfb4aa7-d927-4015-8ef8-1cd081250cdc@huawei-partners.com>
Date: Thu, 21 Mar 2024 18:30:09 +0100
From: Petr Tesarik <petr.tesarik1@...wei-partners.com>
To: David Gow <davidgow@...gle.com>, Petr Tesarik
<petrtesarik@...weicloud.com>
CC: Richard Weinberger <richard@....at>, Anton Ivanov
<anton.ivanov@...bridgegreys.com>, Johannes Berg <johannes@...solutions.net>,
"open list:USER-MODE LINUX (UML)" <linux-um@...ts.infradead.org>, open list
<linux-kernel@...r.kernel.org>, Roberto Sassu <roberto.sassu@...weicloud.com>
Subject: Re: [PATCH RESEND 1/1] um: oops on accessing a non-present page in
the vmalloc area
On 3/21/2024 5:44 AM, David Gow wrote:
> On Fri, 23 Feb 2024 at 22:07, Petr Tesarik <petrtesarik@...weicloud.com> wrote:
>>
>> From: Petr Tesarik <petr.tesarik1@...wei-partners.com>
>>
>> If a segmentation fault is caused by accessing an address in the vmalloc
>> area, check that the target page is present.
>>
>> Currently, if the kernel hits a guard page in the vmalloc area, UML blindly
>> assumes that the fault is caused by a stale mapping and will be fixed by
>> flush_tlb_kernel_vm(). Unsurprisingly, if the fault is caused by accessing
>> a guard page, no mapping is created, and when the faulting instruction is
>> restarted, it will cause exactly the same fault again, effectively creating
>> an infinite loop.
>>
>> Signed-off-by: Petr Tesarik <petr.tesarik1@...wei-partners.com>
>> ---
>> arch/um/kernel/trap.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
>> index 6d8ae86ae978..d5b85f1bfe33 100644
>> --- a/arch/um/kernel/trap.c
>> +++ b/arch/um/kernel/trap.c
>> @@ -206,11 +206,15 @@ unsigned long segv(struct faultinfo fi, unsigned long ip, int is_user,
>>         int err;
>>         int is_write = FAULT_WRITE(fi);
>>         unsigned long address = FAULT_ADDRESS(fi);
>> +       pte_t *pte;
>>
>>         if (!is_user && regs)
>>                 current->thread.segv_regs = container_of(regs, struct pt_regs, regs);
>>
>>         if (!is_user && (address >= start_vm) && (address < end_vm)) {
>> +               pte = virt_to_pte(&init_mm, address);
>> +               if (!pte_present(*pte))
>> +                       page_fault_oops(regs, address, ip);
>
> page_fault_oops() appears to be private to arch/x86/mm/fault.c, so
> can't be used here?
> Also, it accepts struct pt_regs*, not struct uml_pt_regs*, so would
> need to at least handle the type difference here.
Argh, you're right. This was originally a two-patch series, but Richard
wanted improvements in the implementation which would require more
effort, see here:
http://lists.infradead.org/pipermail/linux-um/2024-January/006406.html
So I wanted to fix only the infinite loop, but in the meantime I forgot
about the dependency on the first patch:
http://lists.infradead.org/pipermail/linux-um/2023-December/006380.html
That's because a quick git grep page_fault_oops found the function. It
was my mistake that I did not notice the other page_fault_oops() earlier.
OK, please forget about this patch for now; I must rework it.
> Could we equally avoid the infinite loop here by putting the
> 'flush_tlb_kernel_vm(); goto out;' behind an if (pte_present(...))
> check, and let the rest of the UML checks panic or oops if required?
> (Actually OOPSing where we can under UML would be nice to do at some
> point anyway, but is a bigger issue than just fixing a bug, IMO.)
Yes, that would be the best quick fix until I get to implementing all
the bells and whistles (oops_* helpers, notification chains, tainting,
etc.).
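For illustration only, the control flow of that quick fix could be modelled
in user space roughly as follows. This is a sketch, not the reworked patch:
struct model_vm, model_segv() and the SEGV_* values are hypothetical names
invented for the example, and the present[] array merely stands in for a
pte_present() lookup in the kernel page tables.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical user-space model; none of these names are kernel APIs. */
#define MODEL_PAGE_SHIFT 12
#define MODEL_NPAGES     8

struct model_vm {
	unsigned long start_vm;      /* first address of the modelled vmalloc area */
	bool present[MODEL_NPAGES];  /* stands in for pte_present() on each page */
};

enum segv_result {
	SEGV_RETRY,     /* flush the TLB and restart the faulting instruction */
	SEGV_CONTINUE   /* go on to the remaining checks, which may panic or oops */
};

/* One past the last address of the modelled vmalloc area. */
static unsigned long model_end_vm(const struct model_vm *vm)
{
	return vm->start_vm + ((unsigned long)MODEL_NPAGES << MODEL_PAGE_SHIFT);
}

/*
 * Model of the vmalloc branch of the fault handler: retry only if the
 * target page is actually mapped. A fault on a non-present (guard) page
 * is not retried, so it cannot loop forever.
 */
static enum segv_result model_segv(const struct model_vm *vm,
				   unsigned long address, bool is_user)
{
	assert(vm != NULL);

	if (!is_user && address >= vm->start_vm && address < model_end_vm(vm)) {
		size_t idx = (address - vm->start_vm) >> MODEL_PAGE_SHIFT;

		if (vm->present[idx])
			return SEGV_RETRY;
	}
	return SEGV_CONTINUE;
}
```

With this shape, a kernel-mode fault on a guard page falls through to the
later checks instead of being restarted, while a fault on a page that is
really present is still handled by the flush-and-retry path.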
Petr T
> Or am I lacking a prerequisite patch or applying this to the wrong
> version (or otherwise missing something), as it definitely doesn't
> build here.
>
> Cheers,
> -- David