From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, arve@android.com, airlied@linux.ie,
carsteno@de.ibm.com, steiner@sgi.com
Subject: [patches] VM-related fixes
Date: Mon, 5 Mar 2012 06:37:07 +0000 [thread overview]
Message-ID: <20120305063707.GH23916@ZenIV.linux.org.uk> (raw)
I'd been crawling through VMA-related code for the last couple
of weeks; the obvious parts of fallout are in followups and IMO they
need to go into -stable as well; there's more, including some bugs I
don't know what to do about and patches that need more testing...
* aout handling needs to do setup_arg_pages() _before_ it does any mmap();
otherwise we might easily end up with bprm->vma freed by the time we
get to setup_arg_pages(). Sure, long-term we want setup_new_exec()
merged with setup_arg_pages(), but not this late in the cycle...
* anonymous shared mapping should *not* get VM_GROWS{UP,DOWN}, or we'll
end up with very unpleasant things happening.
* __unmap_hugepage_range() calls flush_tlb_range() without ->mmap_sem,
which means that we need ->page_table_lock. Call it before dropping
->page_table_lock, not after that...
[unsolved] binder is insane, even more than usual for drivers/staging.
It stores a reference to mm at open() time, then it stores a reference to
vma at mmap() time, then it cheerfully works with that ->vma assuming that
->mmap_sem on stored reference to ->mm would suffice. Guess what happens
if somebody opens it and then forks and does mmap in child? Moreover, if
we fork() and have child exit(), we get ->close() called on each VMA we'd
copied into child. Since they have stored reference to vma invalidated by
->close(), that has unpleasant side effects, to put it mildly. And yes,
I realize that android userland probably doesn't do anything of that kind;
fat lot of good it does us...
[unsolved] a bunch of ->fault() instances are doing things that need
->mmap_sem exclusive; e.g. vm_insert_page() is called by xip_file_fault(),
drivers/misc/sgi-gru/grumain.c:gru_fault() does remap_pfn_range().
drivers/gpu/drm/gma500/framebuffer.c:psbfb_vm_fault() does
vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
and drivers/gpu/drm/ttm/ttm_bo_vm.c:ttm_bo_vm_fault() does very similar
things, same for spufs ->fault() instances.
next reply other threads:[~2012-03-05 6:37 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-05 6:37 Al Viro [this message]
2012-03-05 6:38 ` [PATCH 1/3] aout: move setup_arg_pages() prior to reading/mapping the binary Al Viro
2012-03-05 6:39 ` [PATCH 2/3] VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Al Viro
2012-03-05 6:40 ` [PATCH 3/3] flush_tlb_range() needs ->page_table_lock when ->mmap_sem is not held Al Viro
2012-03-05 20:30 ` Linus Torvalds
2012-03-05 20:53 ` Al Viro
2012-03-09 21:06 ` Benjamin Herrenschmidt
2012-03-06 3:38 ` [patches] VM-related fixes Arve Hjønnevåg
2012-03-06 4:10 ` Al Viro
2012-03-06 5:25 ` Arve Hjønnevåg
2012-03-06 5:57 ` Al Viro
2012-03-06 6:36 ` Arve Hjønnevåg
2012-03-08 23:43 ` [PATCH] Staging: android: binder: Fix use-after-free bug Arve Hjønnevåg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120305063707.GH23916@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=airlied@linux.ie \
--cc=arve@android.com \
--cc=carsteno@de.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=steiner@sgi.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.