From: Matthew Wilcox <matthew@wil.cx>
To: William Lee Irwin III <wli@holomorphy.com>
Cc: Hugh Dickins <hugh@veritas.com>, Nick Piggin <npiggin@suse.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux Memory Management List <linux-mm@kvack.org>,
linux-arch@vger.kernel.org
Subject: Re: [rfc] increase struct page size?!
Date: Sun, 20 May 2007 16:50:17 -0600
Message-ID: <20070520225017.GC10562@parisc-linux.org>
In-Reply-To: <20070519175320.GB19966@holomorphy.com>
On Sat, May 19, 2007 at 10:53:20AM -0700, William Lee Irwin III wrote:
> On Fri, May 18, 2007 at 04:42:10PM +0100, Hugh Dickins wrote:
> > Sooner rather than later, don't we need those 8 bytes to expand from
> > atomic_t to atomic64_t _count and _mapcount? Not that we really need
> > all 64 bits of both, but I don't know how to work atomically with less.
> > (Why do I have this sneaking feeling that you're actually wanting
> > to stick something into the lower bits of page->virtual?)
>
> I wonder how close we get to overflow on ->_mapcount and ->_count.
> (untested/uncompiled).
I think the problem is that an attacker can deliberately overflow
->_count, not that it can happen innocuously. By mmaping, say, the page
of libc that contains memcpy() several million times, and forking
enough, can't you make ->_mapcount hit 0? I'm not a VM guy, I just
vaguely remember people talking about this before.
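Added illustration for the point Matthew raises above; it is not part of his message and not kernel code. It is a plain C model of a 32-bit signed counter of the shape struct page used for _count and _mapcount (an atomic_t), showing how many extra references carry it past INT32_MAX into a wrapped value, how that translates into processes when each process can hold only so many mappings of the same page, and what a saturating increment does instead. Assumptions: _mapcount starts at -1 for an unmapped page (the kernel's convention at the time), and the per-process cap of 65530 stands in for a vm.max_map_count-style limit that the thread itself never states.

```c
/*
 * Added example, not from the thread or the kernel tree: a plain C
 * model of a 32-bit signed reference counter, the shape of atomic_t
 * _count / _mapcount in struct page. Shows where a silently wrapping
 * increment overflows, how many references an attacker needs to get
 * there, and a saturating variant that refuses to wrap.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Like atomic_add() on an atomic_t: two's-complement wrap, no check.
 * Unsigned arithmetic keeps the model itself free of UB. */
static int32_t plain_add(int32_t v, uint64_t n)
{
	return (int32_t)((uint32_t)v + (uint32_t)n);
}

/* Saturating increment: never passes INT32_MAX and reports failure, so a
 * wrapped count can never later look like a small, freeable value. */
static bool sat_inc(int32_t *v)
{
	if (*v == INT32_MAX)
		return false;
	(*v)++;
	return true;
}

/* Helper for checking: does the saturating counter hold at INT32_MAX? */
static bool sat_holds_at_max(void)
{
	int32_t s = INT32_MAX;
	return !sat_inc(&s) && s == INT32_MAX;
}

/* References needed to carry the counter from cur past INT32_MAX into
 * INT32_MIN, the first wrapped value. */
static uint64_t refs_to_wrap(int32_t cur)
{
	return (uint64_t)((int64_t)INT32_MAX - (int64_t)cur + 1);
}

/* Processes needed if each can hold at most per_proc mappings of the
 * same page (rounded up). per_proc is an assumed cap in the style of
 * vm.max_map_count; the thread gives no such figure. */
static uint64_t procs_to_wrap(int32_t cur, uint64_t per_proc)
{
	uint64_t n = refs_to_wrap(cur);
	return (n + per_proc - 1) / per_proc;
}

int main(void)
{
	/* Kernel convention assumed here: _mapcount is -1 for an unmapped
	 * page and each mapping (including those inherited across fork)
	 * adds one. */
	int32_t unmapped = -1;
	uint64_t need = refs_to_wrap(unmapped);

	printf("refs to wrap from %d: %llu\n", unmapped,
	       (unsigned long long)need);
	printf("one short of wrap: %d\n", plain_add(unmapped, need - 1));
	printf("at wrap:           %d\n", plain_add(unmapped, need));
	printf("processes at 65530 mappings each: %llu\n",
	       (unsigned long long)procs_to_wrap(unmapped, 65530));
	printf("saturating counter holds at max: %s\n",
	       sat_holds_at_max() ? "yes" : "no");
	return 0;
}
```

The arithmetic, not the printing, is the point: from -1 the plain counter needs 2^31 + 1 references to wrap, which at 65530 mappings per process is a little over 32 thousand forked processes all mapping the same page; the saturating variant stops at INT32_MAX and lets the caller fail the mapping instead.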