From: Bijan Mottahedeh <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: [RFC 0/1] io_uring: preserve work->mm since actual work processing may need it
Date: Thu, 9 Apr 2020 15:03:36 -0700
Message-ID: <[email protected]>
The liburing madvise test crashes the system with a NULL pointer
dereference because io_madvise() is passing a NULL mm value, previously
cleared in io_wq_switch_mm(), to do_advise().
I'm not clear why work->mm is being cleared, especially since it seems
to run contrary to what the comment above it states, but in any case
preserving the work->mm value gets rid of the crash.
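To make the hand-off described above concrete, the following is an added user-space model of the worker/work-item ownership problem; it is not kernel code and not the patch in [RFC 1/1] (whose body is not on this page). The function names io_wq_switch_mm() and io_madvise() come from the cover letter; the struct layouts, the refcount stubs named after mmget_not_zero()/mmput(), the clear_work_mm switch and the process_work() driver are assumptions made for illustration. The model shows that the worker already holds its own counted reference in worker->mm, so nulling work->mm buys nothing for refcount balance and only starves the handler that later reads work->mm.

```c
/* Simplified model of the io-wq mm hand-off (added example, not kernel code).
 * struct layouts, refcount stubs and process_work() are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct mm_struct: only the user count matters here. */
struct mm_struct { int users; };

/* Work item queued to a worker; carries the submitter's mm. */
struct io_wq_work { struct mm_struct *mm; bool cancelled; };

/* Worker thread; holds its own counted reference while running work. */
struct io_worker { struct mm_struct *mm; };

/* Refcount stubs modelled on the kernel helpers of the same name. */
static bool mmget_not_zero(struct mm_struct *mm)
{
    if (mm->users == 0)
        return false;
    mm->users++;
    return true;
}

static void mmput(struct mm_struct *mm) { mm->users--; }

/* Worker takes a reference on the work's mm for the duration of the work.
 * With clear_work_mm set it also nulls work->mm, which is the behaviour the
 * cover letter reports as the cause of the oops. */
static void io_wq_switch_mm(struct io_worker *worker, struct io_wq_work *work,
                            bool clear_work_mm)
{
    if (worker->mm) {               /* drop reference from previous work */
        mmput(worker->mm);
        worker->mm = NULL;
    }
    if (!work->mm)                  /* kernel-only work, nothing to grab */
        return;
    if (mmget_not_zero(work->mm)) {
        worker->mm = work->mm;      /* worker now owns a counted reference */
        if (clear_work_mm)
            work->mm = NULL;        /* buggy: handler still needs this */
        return;
    }
    work->cancelled = true;         /* mm already gone: cancel the work */
}

/* Stand-in for io_madvise() -> do_madvise(): needs the submitter's mm.
 * Returns false where the kernel dereferenced NULL. */
static bool io_madvise(const struct io_wq_work *work)
{
    if (!work->mm)
        return false;
    return work->mm->users > 0;
}

/* Run one work item through a fresh worker and release the worker's
 * reference afterwards. Returns whether the handler saw a usable mm. */
static bool process_work(struct mm_struct *mm, bool clear_work_mm)
{
    struct io_wq_work work = { .mm = mm, .cancelled = false };
    struct io_worker worker = { .mm = NULL };

    io_wq_switch_mm(&worker, &work, clear_work_mm);
    bool ok = !work.cancelled && io_madvise(&work);

    if (worker.mm) {
        mmput(worker.mm);
        worker.mm = NULL;
    }
    return ok;
}

/* Did the handler get a non-NULL mm for a live submitter (one user)? */
static bool handler_saw_mm(bool clear_work_mm)
{
    struct mm_struct mm = { .users = 1 };
    return process_work(&mm, clear_work_mm);
}

/* User count left after the worker is done; 1 means balanced either way. */
static int remaining_users_after(bool clear_work_mm)
{
    struct mm_struct mm = { .users = 1 };
    process_work(&mm, clear_work_mm);
    return mm.users;
}

int main(void)
{
    printf("clearing work->mm: handler saw mm=%d, users after=%d\n",
           handler_saw_mm(true), remaining_users_after(true));
    printf("preserving work->mm: handler saw mm=%d, users after=%d\n",
           handler_saw_mm(false), remaining_users_after(false));
    return 0;
}
```

The two printed lines differ only in whether the handler saw an mm; the user count returns to 1 in both cases, because release is done through worker->mm, not through the work item.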
--------------------------------------------------------------------------
Running test madvise
[ 165.733724] BUG: kernel NULL pointer dereference, address: 0000000000000138
[ 165.735088] #PF: supervisor read access in kernel mode
[ 165.736027] #PF: error_code(0x0000) - not-present page
[ 165.736971] PGD 8000000fa3c32067 P4D 8000000fa3c32067 PUD fc4e17067 PMD 0
[ 165.738254] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
[ 165.739140] CPU: 18 PID: 30105 Comm: io_wqe_worker-0 Not tainted 5.6.0-next-1
[ 165.740640] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-4
[ 165.742721] RIP: 0010:__lock_acquire.isra.29+0x37/0x6c0
[ 165.743656] Code: 25 40 8e 01 00 53 48 83 ec 18 44 8b 35 e6 2f 61 01 45 85 fc
[ 165.747020] RSP: 0018:ffffc9000b08bba0 EFLAGS: 00010097
[ 165.747989] RAX: 0000000000000000 RBX: 0000000000000130 RCX: 0000000000000001
[ 165.749276] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000130
[ 165.750552] RBP: ffff888fa35224c0 R08: 0000000000000000 R09: 0000000000000000
[ 165.751862] R10: 0000000000000130 R11: 0000000000000000 R12: 0000000000000000
[ 165.753195] R13: 0000000000000001 R14: 0000000000000000 R15: 00007f5c4ecea000
[ 165.754490] FS: 0000000000000000(0000) GS:ffff888ff4600000(0000) knlGS:00000
[ 165.756007] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 165.757054] CR2: 0000000000000138 CR3: 0000000fc709c002 CR4: 0000000000160ee0
[ 165.758339] Call Trace:
[ 165.758805] ? load_balance+0x1b4/0xd00
[ 165.759525] lock_acquire+0xf9/0x160
[ 165.760202] ? do_madvise+0xa59/0xb20
[ 165.760894] down_read+0x3c/0xe0
[ 165.761479] ? do_madvise+0xa59/0xb20
[ 165.762188] do_madvise+0xa59/0xb20
[ 165.762830] ? kvm_sched_clock_read+0xd/0x20
[ 165.763643] ? free_debug_processing+0x291/0x2c8
[ 165.764535] ? do_raw_spin_unlock+0x83/0x90
[ 165.765303] ? free_debug_processing+0x291/0x2c8
[ 165.766184] io_issue_sqe+0xafa/0x11e0
[ 165.766867] ? kvm_sched_clock_read+0xd/0x20
[ 165.767641] ? __free_pages_ok+0x3db/0x550
[ 165.768390] ? _raw_spin_unlock+0x1f/0x30
[ 165.769129] io_wq_submit_work+0x2f/0x80
[ 165.769800] io_worker_handle_work+0x38a/0x540
[ 165.770650] io_wqe_worker+0x32a/0x370
[ 165.771342] kthread+0x118/0x120
[ 165.771948] ? io_worker_handle_work+0x540/0x540
[ 165.772784] ? kthread_insert_work_sanity_check+0x60/0x60
[ 165.773766] ret_from_fork+0x1f/0x30
[ 165.774419] Modules linked in: xfs dm_mod sr_mod sd_mod cdrom crc32c_intel nt
[ 165.777124] CR2: 0000000000000138
[ 165.777733] ---[ end trace 2a1a5b9c912bd387 ]---
Bijan Mottahedeh (1):
io_uring: preserve work->mm since actual work processing may need it
fs/io-wq.c | 2 --
1 file changed, 2 deletions(-)
--
1.8.3.1
Thread overview: 10+ messages
2020-04-09 22:03 Bijan Mottahedeh [this message]
2020-04-09 22:03 ` [RFC 1/1] io_uring: preserve work->mm since actual work processing may need it Bijan Mottahedeh
2020-04-10 8:47 ` Pavel Begunkov
2020-04-10 16:54 ` Bijan Mottahedeh
2020-04-10 17:51 ` Pavel Begunkov
2020-04-10 17:57 ` Pavel Begunkov
2020-04-10 19:09 ` Bijan Mottahedeh
2020-04-11 2:17 ` Jens Axboe
2020-04-16 20:24 ` Minchan Kim
2020-04-16 20:30 ` Jens Axboe