Skip to content

Commit

Permalink
ANDROID: dm-user: fix typo in channel_free
Browse files Browse the repository at this point in the history 
We loop around from_user, but we dereference to_user. Whoops.

Fixes this trace seen in some cleanup paths:

[   11.612684] BUG: unable to handle page fault for address: 0000000000113d62
[   11.612777] #PF: supervisor write access in kernel mode
[   11.612777] #PF: error_code(0x0002) - not-present page
[   11.612777] PGD 0 P4D 0
[   11.612777] Oops: 0002 [#1] PREEMPT SMP PTI
[   11.612777] CPU: 1 PID: 150 Comm: snapuserd Tainted: G           O      5.10.4-android12-0-03442-gf2684370d34d-ab7068937 #1
[   11.612777] Hardware name: ChromiumOS crosvm, BIOS 0
[   11.612777] RIP: 0010:channel_free+0xb0/0x140
[   11.612777] Code: 48 49 8b 5c 24 48 4c 39 fb 74 48 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 4c 8d 73 a0 4d 8b 2c 24 49 83 c5 38 48 8b 43 c8 <c6> 40 1a 0a 48 8b 7b c8 e8 e3 87 bd ff 48 8b 7b c8 e8 1a 71 bd ff
[   11.612777] RSP: 0018:ffff9728c029fc18 EFLAGS: 00010282
[   11.612777] RAX: 0000000000113d48 RBX: ffff8a3941e021d0 RCX: ffff8a3944221080
[   11.612777] RDX: ffff8a39452e5810 RSI: ffff8a39452e5800 RDI: ffff8a39486f9300
[   11.612777] RBP: ffff9728c029fc40 R08: ffff8a3940148500 R09: ffff8a394886a7c0
[   11.612777] R10: ffff8a3944200650 R11: ffffffff86623d30 R12: ffff8a39486f9300
[   11.612777] R13: ffff8a3941749638 R14: ffff8a3941e02170 R15: ffff8a39486f9348
[   11.612777] FS:  0000000000000000(0000) GS:ffff8a396bc80000(0000) knlGS:0000000000000000
[   11.612777] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   11.612777] CR2: 0000000000113d62 CR3: 000000001820c005 CR4: 0000000000170ee0
[   11.612777] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   11.612777] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   11.612777] Call Trace:
[   11.612777]  dev_release+0x22/0x40
[   11.612777]  __fput+0xe0/0x210
[   11.612777]  ____fput+0x9/0x10
[   11.612777]  task_work_run+0x6f/0xb0
[   11.612777]  do_exit+0x332/0xa80
[   11.612777]  do_group_exit+0x8c/0xb0
[   11.612777]  get_signal+0x78d/0x9c0
[   11.612777]  arch_do_signal+0x80/0x260
[   11.612777]  exit_to_user_mode_prepare+0xaa/0xe0
[   11.612777]  syscall_exit_to_user_mode+0x24/0x40
[   11.612777]  __do_fast_syscall_32+0x7d/0x90
[   11.612777]  do_fast_syscall_32+0x34/0x70
[   11.612777]  do_SYSENTER_32+0x1b/0x20
[   11.612777]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5f

Bug: 161496058
Test: launch_cvd ..
Change-Id: I26b244b66121324aef6956d01adcc3ad55c782a9
Signed-off-by: Alistair Delva <adelva@google.com>
  • Loading branch information
@adelva1984
adelva1984 committed Jan 14, 2021
1 parent 8ca2f02 commit 890bc85
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/md/dm-user.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -617,7 +617,7 @@ static void channel_free(struct channel *c)
if (c->cur_from_user != &c->scratch_message_from_user)
message_kill(c->cur_from_user, &c->target->message_pool);
list_for_each (cur, &c->from_user)
message_kill(list_entry(cur, struct message, to_user),
message_kill(list_entry(cur, struct message, from_user),
&c->target->message_pool);

mutex_lock(&c->target->lock);
Expand Down

0 comments on commit 890bc85

Please sign in to comment.