Re: Ugly rmap NULL ptr deref oopsie on hibernate (was Linux2.6.34-rc3)

[Linus Torvalds]

On Tue, 6 Apr 2010, Rik van Riel wrote:
> 
> It gets more fun.  It looks like the anon_vma is only
> allocated through anon_vma_alloc() and only handled
> by the functions in rmap.c
> 
> By themselves, all of those functions look alright.

Yes. Very trivially so, in fact.

> However, I think I may have found a possible bug in
> the interplay between anon_vma_prepare() and vma_adjust(),
> across several mprotect invocations.
> 
> Let me explain what I think may be going on in small
> steps, since it is quite subtle (assuming I am right).

Sounds at least possible. Way more likely than any of the "trivially 
obvious" code being buggy, or the SLUB layer suddenly having a serious bug 
that only the new user could trigger.

That said, the code that _really_ confuses me is the stuff that uses 
"anon_vma_clone()". Could you please also explain the code flow of 
vma_adjust() to mere mortals, please?

I suspect Borislav is sleeping. But at least we have a patch for him to 
test when he wakes up ;)

		Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/