• Barry Song's avatar
    dma-mapping: benchmark: fix kernel crash when dma_map_single fails · d17405d5
    Barry Song authored
    if dma_map_single() fails, kernel will give the below oops since
    task_struct has been destroyed and we are running into the memory
    corruption due to use-after-free in kthread_stop():
    
    [   48.095310] Unable to handle kernel paging request at virtual address 000000c473548040
    [   48.095736] Mem abort info:
    [   48.095864]   ESR = 0x96000004
    [   48.096025]   EC = 0x25: DABT (current EL), IL = 32 bits
    [   48.096268]   SET = 0, FnV = 0
    [   48.096401]   EA = 0, S1PTW = 0
    [   48.096538] Data abort info:
    [   48.096659]   ISV = 0, ISS = 0x00000004
    [   48.096820]   CM = 0, WnR = 0
    [   48.097079] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104639000
    [   48.098099] [000000c473548040] pgd=0000000000000000, p4d=0000000000000000
    [   48.098832] Internal error: Oops: 96000004 [#1] PREEMPT SMP
    [   48.099232] Modules linked in:
    [   48.099387] CPU: 0 PID: 2 Comm: kthreadd Tainted: G        W
    [   48.099887] Hardware name: linux,dummy-virt (DT)
    [   48.100078] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
    [   48.100516] pc : __kmalloc_node+0x214/0x368
    [   48.100944] lr : __kmalloc_node+0x1f4/0x368
    [   48.101458] sp : ffff800011f0bb80
    [   48.101843] x29: ffff800011f0bb80 x28: ffff0000c0098ec0
    [   48.102330] x27: 0000000000000000 x26: 00000000001d4600
    [   48.102648] x25: ffff0000c0098ec0 x24: ffff800011b6a000
    [   48.102988] x23: 00000000ffffffff x22: ffff0000c0098ec0
    [   48.103333] x21: ffff8000101d7a54 x20: 0000000000000dc0
    [   48.103657] x19: ffff0000c0001e00 x18: 0000000000000000
    [   48.104069] x17: 0000000000000000 x16: 0000000000000000
    [   48.105449] x15: 000001aa0304e7b9 x14: 00000000000003b1
    [   48.106401] x13: ffff8000122d5000 x12: ffff80001228d000
    [   48.107296] x11: ffff0000c0154340 x10: 0000000000000000
    [   48.107862] x9 : ffff80000fffffff x8 : ffff0000c473527f
    [   48.108326] x7 : ffff800011e62f58 x6 : ffff0000c01c8ed8
    [   48.108778] x5 : ffff0000c0098ec0 x4 : 0000000000000000
    [   48.109223] x3 : 00000000001d4600 x2 : 0000000000000040
    [   48.109656] x1 : 0000000000000001 x0 : ff0000c473548000
    [   48.110104] Call trace:
    [   48.110287]  __kmalloc_node+0x214/0x368
    [   48.110493]  __vmalloc_node_range+0xc4/0x298
    [   48.110805]  copy_process+0x2c8/0x15c8
    [   48.111133]  kernel_clone+0x5c/0x3c0
    [   48.111373]  kernel_thread+0x64/0x90
    [   48.111604]  kthreadd+0x158/0x368
    [   48.111810]  ret_from_fork+0x10/0x30
    [   48.112336] Code: 17ffffe9 b9402a62 b94008a1 11000421 (f8626802)
    [   48.112884] ---[ end trace d4890e21e75419d5 ]---
    Signed-off-by: default avatarBarry Song <song.bao.hua@hisilicon.com>
    Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
    d17405d5
map_benchmark.c 8.95 KB