[RFC][PATCH] fix bus error when trying to access anon & shared page created by mremap()[BUG:8691]

From: Ming Lei
Date: Thu Dec 13 2007 - 22:00:11 EST


Fix bug 8691, reported at http://bugzilla.kernel.org/show_bug.cgi?id=8691,
and the related failure reproduced by the program below (an anonymous shared
mapping created at a non-zero offset gets SIGBUS on first access).

#define _GNU_SOURCE
#include <sys/mman.h>
#include <unistd.h>

#include <stdio.h>

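/*
 * Reproducer: map one page of anonymous shared memory at a non-zero
 * offset and store to it.  The store faults on a page whose offset
 * lies beyond the backing shmem inode's i_size, which shmem_fault()
 * turns into SIGBUS (see the check removed by the patch below), so on
 * an affected kernel the process dies before the second message.
 *
 * Returns 0 when the page could be written, 1 if mmap() failed.
 * argc/argv are unused; the signature uses the standard char *argv[]
 * (the original declared unsigned char *argv[], which is not a valid
 * form of main()).
 */
int main(int argc, char *argv[])
{
	const size_t len = 4096;
	const off_t off = 4096 * 4;	/* non-zero offset is what triggers the bug */
	void *ptr;

	(void)argc;
	(void)argv;

	/*
	 * MAP_ANONYMOUS ignores the descriptor; -1 is the portable value.
	 * The offset is kept on purpose -- it is the trigger.
	 */
	ptr = mmap(NULL, len, PROT_READ | PROT_WRITE,
		   MAP_ANONYMOUS | MAP_SHARED, -1, off);
	if (ptr == MAP_FAILED) {
		perror("mmap");	/* report errno instead of a bare message */
		return 1;
	}

	printf("%s:%d\n", __FILE__, __LINE__);

	*(unsigned long *)ptr = 10;	/* bus error on an affected kernel */

	printf("%s:%d\n", __FILE__, __LINE__);	/* not reached when the bug is present */

	munmap(ptr, len);
	return 0;
}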

Signed-off-by: Ming Lei <tom.leiming@xxxxxxxxx>
---
diff --git a/mm/shmem.c b/mm/shmem.c
index 51b3d6c..7e14bce 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1327,15 +1327,23 @@ failed:
return error;
}

+static struct vfsmount *shm_mnt;
+
static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
{
struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
int error;
int ret;
-
- if (((loff_t)vmf->pgoff << PAGE_CACHE_SHIFT) >= i_size_read(inode))
- return VM_FAULT_SIGBUS;
-
+ loff_t new_size = 0;
+
+ new_size = ((loff_t)vmf->pgoff << PAGE_CACHE_SHIFT);
+ if (new_size >= i_size_read(inode)) {
+ if (vma->vm_file->f_path.mnt == shm_mnt) {
+ inode->i_size = new_size + PAGE_SIZE;
+ }else{
+ return VM_FAULT_SIGBUS;
+ }
+ }
error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_FAULT, &ret);
if (error)
return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS);
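Review bot: The new branch under `if (vma->vm_file->f_path.mnt == shm_mnt)` extends the backing object from the fault path by assigning `inode->i_size = new_size + PAGE_SIZE;` directly, with no inode lock and no `i_size_write()`, so concurrent faults race on i_size, and it turns any out-of-range fault on a file from that mount into silent growth instead of SIGBUS, skipping whatever size and limit checks applied when the object was created; shm_mnt appears to be the internal tmpfs mount (it is defined next to init_tmpfs in the second hunk), so this presumably also covers SysV shm segments and other in-kernel shmem users, not only the mremap case in the bug report. The branch also mixes units: the offset is shifted by PAGE_CACHE_SHIFT but the extension adds PAGE_SIZE. A safer fix keeps the SIGBUS check here and makes the mapping's pgoff consistent with the backing object at mmap()/mremap() time (the reproducer maps an anonymous shared page at offset 4096*4); if the size really must grow here, do it under the inode mutex with `i_size_write(inode, new_size + PAGE_CACHE_SIZE);` and subject to the same limits the tmpfs write path enforces. shmem_fault's body continues past the end of this hunk.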
@@ -2462,7 +2470,6 @@ static struct file_system_type tmpfs_fs_type = {
.get_sb = shmem_get_sb,
.kill_sb = kill_litter_super,
};
-static struct vfsmount *shm_mnt;

static int __init init_tmpfs(void)
{
--