Opened 11 months ago
Closed 11 months ago
#18422 closed bug (fixed)
mmap a file twice with MAP_FIXED on overlapping regions crashes the kernel
| Reported by: | trungnt2910 | Owned by: | nobody |
|---|---|---|---|
| Priority: | high | Milestone: | R1/beta5 |
| Component: | System/Kernel | Version: | R1/beta4 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
#include <unistd.h> #include <sys/mman.h> #include <fcntl.h> int main() { int fd = open("./mmap", O_RDWR); mmap((void*)0xdeadbeef000, 4096, PROT_NONE, MAP_SHARED | MAP_FIXED, fd, 0); mmap((void*)0xdeadbeef000, 4096, PROT_NONE, MAP_SHARED | MAP_FIXED, fd, 0); }
0xdeadbeef000 can be replaced with any valid userland address, PROT_NONE can be replaced with any valid protection, "./mmap" can be replaced with any path to an existing file, both 4096 can be replaced with any valid area sizes, and both 0 can be replaced with any non-negative offset.
The code above crashes the kernel because the new cache (the one pointed by fd) and the old cache (the one held by the first mmaped area) is the same. When map_backing_store is called with the new cache, unmap_address_range is called and tries to lock the old cache in order to free the old area. This results in a double lock, making the kernel panic at _mutex_lock.
Change History (3)
comment:1 by , 11 months ago
| Keywords: | mmap removed |
|---|---|
| Milestone: | Unscheduled → R1/beta5 |
| Priority: | normal → high |
comment:2 by , 11 months ago
Note:
See TracTickets
for help on using tickets.
Some more discussion about fixes in https://review.haiku-os.org/c/haiku/+/6392