In the special case where
p = mmap(NULL, ALLOC_SIZE, PROT_READ,
MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
is followed by
rc = mprotect(p, ALLOC_SIZE, PROT_NONE);
the _PAGE_SPECIAL bit in the page tables will be cleared by
mistake and the later unmapped operations will incorrectly
modify the struct page for the the zero page. This sequence
occurs in the madvise05 test of the Linux Test Project
suite of tests.
This was discovered while testing an older version of the kernel
(5.4.17) on a MIPS device. Unfortunately, support for this device
is not available in newer kernels, so I can't test this with the
latest Linux kernel code. It looks like the problem exists in
newer kernels, but I can't verify it. Except for the LTP test,
this sequence of calls is probably not common.
Passing it along in the hope it will be useful to someone.
Signed-off-by: Henry Willard <henry.willard@oracle.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
1492c6b187