From: Petr Tesarik <petr.tesarik1@huawei-partners.com>
To: David Gow <davidgow@google.com>,
Petr Tesarik <petrtesarik@huaweicloud.com>
Cc: Richard Weinberger <richard@nod.at>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
Johannes Berg <johannes@sipsolutions.net>,
"open list:USER-MODE LINUX (UML)" <linux-um@lists.infradead.org>,
open list <linux-kernel@vger.kernel.org>,
Roberto Sassu <roberto.sassu@huaweicloud.com>
Subject: Re: [PATCH RESEND 1/1] um: oops on accessing a non-present page in the vmalloc area
Date: Thu, 21 Mar 2024 18:30:09 +0100 [thread overview]
Message-ID: <9cfb4aa7-d927-4015-8ef8-1cd081250cdc@huawei-partners.com> (raw)
In-Reply-To: <CABVgOSmNbBzR=QV4RDSdBPzBU=8mP5r0gVf5wqADm_9e9htM2g@mail.gmail.com>
On 3/21/2024 5:44 AM, David Gow wrote:
> On Fri, 23 Feb 2024 at 22:07, Petr Tesarik <petrtesarik@huaweicloud.com> wrote:
>>
>> From: Petr Tesarik <petr.tesarik1@huawei-partners.com>
>>
>> If a segmentation fault is caused by accessing an address in the vmalloc
>> area, check that the target page is present.
>>
>> Currently, if the kernel hits a guard page in the vmalloc area, UML blindly
>> assumes that the fault is caused by a stale mapping and will be fixed by
>> flush_tlb_kernel_vm(). Unsurprisingly, if the fault is caused by accessing
>> a guard page, no mapping is created, and when the faulting instruction is
>> restarted, it will cause exactly the same fault again, effectively creating
>> an infinite loop.
>>
>> Signed-off-by: Petr Tesarik <petr.tesarik1@huawei-partners.com>
>> ---
>> arch/um/kernel/trap.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
>> index 6d8ae86ae978..d5b85f1bfe33 100644
>> --- a/arch/um/kernel/trap.c
>> +++ b/arch/um/kernel/trap.c
>> @@ -206,11 +206,15 @@ unsigned long segv(struct faultinfo fi, unsigned long ip, int is_user,
>> int err;
>> int is_write = FAULT_WRITE(fi);
>> unsigned long address = FAULT_ADDRESS(fi);
>> + pte_t *pte;
>>
>> if (!is_user && regs)
>> current->thread.segv_regs = container_of(regs, struct pt_regs, regs);
>>
>> if (!is_user && (address >= start_vm) && (address < end_vm)) {
>> + pte = virt_to_pte(&init_mm, address);
>> + if (!pte_present(*pte))
>> + page_fault_oops(regs, address, ip);
>
> page_fault_oops() appears to be private to arch/x86/mm/fault.c, so
> can't be used here?
> Also, it accepts struct pt_regs*, not struct uml_pt_regs*, so would
> need to at least handle the type difference here.
Argh, you're right. This was originally a two-patch series, but Richard
wanted improvements in the implementation which would require more
effort, see here:
http://lists.infradead.org/pipermail/linux-um/2024-January/006406.html
So I wanted to fix only the infinite loop, but in the mean time I forgot
about the dependency on the first patch:
http://lists.infradead.org/pipermail/linux-um/2023-December/006380.html
That's because a quick git grep page_fault_oops found the function. It
was my mistake that I did not notice the other page_fault_oops() earlier.
OK, please forget about this patch for now; I must rework it.
> Could we equally avoid the infinite loop here by putting the
> 'flush_tlb_kernel_vm();goto out;' behind a if (pte_present(...))
> check, and let the rest of the UML checks panic or oops if required.
> (Actually OOPSing where we can under UML would be nice to do at some
> point anyway, but is a bigger issue than just fixing a bug, IMO.)
Yes, that would be the best quick fix until I get to implementing all
the blows and whistles (oops_* helpers, notification chains, tainting,
etc.).
Petr T
> Or am I lacking a prerequisite patch or applying this to the wrong
> version (or otherwise missing something), as it definitely doesn't
> build here.
>
> Cheers,
> -- David
prev parent reply other threads:[~2024-03-21 17:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-23 14:04 [PATCH RESEND 1/1] um: oops on accessing a non-present page in the vmalloc area Petr Tesarik
2024-03-12 15:07 ` Petr Tesarik
2024-03-18 13:09 ` Petr Tesarik
2024-03-19 22:18 ` Richard Weinberger
2024-03-20 13:58 ` Petr Tesarik
2024-03-20 14:09 ` Richard Weinberger
2024-03-20 15:14 ` Anton Ivanov
2024-03-21 4:44 ` David Gow
2024-03-21 17:30 ` Petr Tesarik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9cfb4aa7-d927-4015-8ef8-1cd081250cdc@huawei-partners.com \
--to=petr.tesarik1@huawei-partners.com \
--cc=anton.ivanov@cambridgegreys.com \
--cc=davidgow@google.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-um@lists.infradead.org \
--cc=petrtesarik@huaweicloud.com \
--cc=richard@nod.at \
--cc=roberto.sassu@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).