On Wed, 3 Jan 2018 12:26:04 +0300
"Kirill A. Shutemov" wrote:
> > > - unsigned long offset, chunk_idx;
> > > + unsigned long offset, chunk_idx, flags;
> > > struct page *pageptr;
> > >
> > > + mutex_lock(&rp->fetch_lock);
> > > + spin_lock_irqsave(&rp->b_lock, flags);
> > > offset = vmf->pg
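Review bot: with both rp->fetch_lock and rp->b_lock (interrupts off) taken on entry, every exit from mon_bin_vma_fault(), including the out-of-range SIGBUS return that follows the offset check, has to release b_lock and then fetch_lock in that order; the hunk is cut off at `offset = vmf->pg`, so none of those unlock paths is visible here. If fetch_lock alone already excludes the buffer swap in MON_IOCT_RING_SIZE, the spinlock adds nothing for the get_page() that follows, and holding a mutex plus an IRQ-disabled spinlock across the lookup deserves a comment in the code saying which of the two is the one that actually protects b_vec.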
On Fri, 29 Dec 2017 16:24:20 +0300
"Kirill A. Shutemov" wrote:
> Looks like MON_IOCT_RING_SIZE reallocates ring buffer without any
> serialization wrt mon_bin_vma_fault(). By the time of get_page() the page
> may be freed.
As an update: I tried to make a smaller test for this, but was unsuccessf
On Wed, 3 Jan 2018 13:08:12 -0800
Matthew Wilcox wrote:
> > + mutex_lock(&rp->fetch_lock);
> > offset = vmf->pgoff << PAGE_SHIFT;
> > if (offset >= rp->b_size)
> > + mutex_unlock(&rp->fetch_lock);
> > return VM_FAULT_SIGBUS;
> > chunk_idx = offset / CHUNK_SIZE;
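Review bot: as quoted, `if (offset >= rp->b_size)` is followed by two statements, `mutex_unlock(&rp->fetch_lock);` and `return VM_FAULT_SIGBUS;`, with no braces, so only the unlock is conditional and the handler returns SIGBUS for every fault; the error path needs `{ ... }` around both lines. If the braces were dropped in quoting, the `if` line should show up as a changed line rather than unchanged context.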
On Wed, Jan 03, 2018 at 03:04:19PM -0600, Pete Zaitcev wrote:
> @@ -1231,12 +1233,15 @@ static int mon_bin_vma_fault(struct vm_fault *vmf)
> unsigned long offset, chunk_idx;
> struct page *pageptr;
>
> + mutex_lock(&rp->fetch_lock);
> offset = vmf->pgoff << PAGE_SHIFT;
>
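Review bot: taking mutex_lock(&rp->fetch_lock) inside a page-fault handler is legal (the fault path may sleep), but it makes every other holder of fetch_lock a deadlock candidate if that holder can touch user memory: a copy to a user buffer that is itself an mmap of this same usbmon reader faults straight back into mon_bin_vma_fault() and blocks on the mutex the caller already owns. Worth checking each fetch_lock holder in mon_bin.c for copy_to_user()/copy_from_user() under the lock, and documenting the lock order next to the lock.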
On Wed, 3 Jan 2018 12:26:04 +0300
"Kirill A. Shutemov" wrote:
> > > +++ b/drivers/usb/mon/mon_bin.c
> > > @@ -1228,15 +1228,24 @@ static void mon_bin_vma_close(struct
> > > vm_area_struct *vma)
> > > static int mon_bin_vma_fault(struct vm_fault *vmf)
> > > {
> > > struct mon_reader_bin *rp =
On Wed, Jan 03, 2018 at 01:02:38AM -0600, Pete Zaitcev wrote:
> On Fri, 29 Dec 2017 16:24:20 +0300
> "Kirill A. Shutemov" wrote:
>
> > Looks like MON_IOCT_RING_SIZE reallocates ring buffer without any
> > serialization wrt mon_bin_vma_fault(). By the time of get_page() the page
> > may be freed.
On Fri, 29 Dec 2017 16:24:20 +0300
"Kirill A. Shutemov" wrote:
> Looks like MON_IOCT_RING_SIZE reallocates ring buffer without any
> serialization wrt mon_bin_vma_fault(). By the time of get_page() the page
> may be freed.
Okay. Who knew that you could fork while holding an open descriptor. :-)