Re: mmap() bug in 2.1.106

Andreas Schwab (schwab@issan.informatik.uni-dortmund.de)
19 Jun 1998 11:26:26 +0200


paul@rasty.ph.unimelb.edu.au (Paul Gortmaker) writes:

|> For all intents and purposes, I think the two lines:
|>
|> ptr = (void*)mmap(0, size, prot, mapping, fd, 0);
|>
|> and
|>
|> ptr = (void *)syscall(SYS_mmap, 0, size, prot, mapping, fd, 0);
|>
|> should behave identically. However, in 2.1.106 (and most likely
|> other 2.1.x) the latter ends up permanently in D state and the load
|> climbs up to the next integer value. Need to reboot to kill 'em.

Here is a patch. The problem is that it faults in copy_from_user on the
null pointer reference, and the fault handler wants to grab the mmap
semaphore again -> deadlock.

--- linux/arch/i386/kernel/sys_i386.c.~1~ Fri Jun 19 11:09:32 1998
+++ linux/arch/i386/kernel/sys_i386.c Fri Jun 19 11:24:55 1998
@@ -63,7 +63,6 @@
struct file * file = NULL;
struct mmap_arg_struct a;

- down(&current->mm->mmap_sem);
lock_kernel();
if (copy_from_user(&a, arg, sizeof(a)))
goto out;
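Review bot: removing the `down(&current->mm->mmap_sem)` ahead of `lock_kernel()` leaves only the kernel lock held across `copy_from_user(&a, arg, sizeof(a))`, so a page fault on the user argument pointer can now take mmap_sem itself instead of blocking on the semaphore this function already holds; since the `goto out` on copy failure no longer has a semaphore to release, double-check that no other early exit between here and the point where the semaphore is reacquired still assumes mmap_sem is held.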
@@ -75,12 +74,13 @@
}
a.flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);

+ down(&current->mm->mmap_sem);
error = do_mmap(file, a.addr, a.len, a.prot, a.flags, a.offset);
+ up(&current->mm->mmap_sem);
if (file)
fput(file);
out:
unlock_kernel();
- up(&current->mm->mmap_sem);
return error;
}
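Review bot: the new `down()`/`up()` pair narrows the mmap_sem critical section to the `do_mmap()` call alone, and because `up()` is unconditional before `if (file) fput(file);` an error return from `do_mmap()` still releases the semaphore, while the `out:` path now correctly releases only the kernel lock; a short comment above the new `down()` saying it must stay after `copy_from_user()` because a fault on the user pointer takes mmap_sem would keep a later cleanup from moving it back up and reintroducing the deadlock.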

-- 
Andreas Schwab                                      "And now for something
schwab@issan.informatik.uni-dortmund.de              completely different"
schwab@gnu.org
