From: Davidlohr Bueso <dave@stgolabs.net>
To: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [PATCH, RESEND] ipc/shm: handle removed segments gracefully in shm_mmap()
Date: Wed, 11 Nov 2015 09:03:47 -0800 [thread overview]
Message-ID: <20151111170347.GA3502@linux-uzut.site> (raw)
In-Reply-To: <1447232220-36879-1-git-send-email-kirill.shutemov@linux.intel.com>
On Wed, 11 Nov 2015, Kirill A. Shutemov wrote:
>remap_file_pages(2) emulation can reach file which represents removed
>IPC ID as long as a memory segment is mapped. It breaks expectations
>of IPC subsystem.
>
>Test case (rewritten to be more human readable, originally autogenerated
>by syzkaller[1]):
>
> #define _GNU_SOURCE
> #include <stdlib.h>
> #include <sys/ipc.h>
> #include <sys/mman.h>
> #include <sys/shm.h>
>
> #define PAGE_SIZE 4096
>
> int main()
> {
> int id;
> void *p;
>
> id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
> p = shmat(id, NULL, 0);
> shmctl(id, IPC_RMID, NULL);
> remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
>
> return 0;
> }
>
>The patch changes shm_mmap() and code around shm_lock() to propagate
>locking error back to caller of shm_mmap().
>
>[1] http://github.com/google/syzkaller
So this is a very similar approach that I posted back when this discussion
arose: https://lkml.org/lkml/2015/10/12/959 -- There are a few differences
for which I prefer mine :)
o My shm_check_vma_validity() also deals with IPC_RMID as we do the
ipc_valid_object() check.
o We have a new WARN where necessary, instead of having one now is shm_open.
o My no-ops explicitly pair.
[...]
> ret = sfd->file->f_op->mmap(sfd->file, vma);
>- if (ret != 0)
>+ if (ret) {
>+ shm_close(vma);
> return ret;
>+ }
Hmm what's this shm_close() about?
Thanks,
Davidlohr
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Davidlohr Bueso <dave@stgolabs.net>
To: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [PATCH, RESEND] ipc/shm: handle removed segments gracefully in shm_mmap()
Date: Wed, 11 Nov 2015 09:03:47 -0800 [thread overview]
Message-ID: <20151111170347.GA3502@linux-uzut.site> (raw)
In-Reply-To: <1447232220-36879-1-git-send-email-kirill.shutemov@linux.intel.com>
On Wed, 11 Nov 2015, Kirill A. Shutemov wrote:
>remap_file_pages(2) emulation can reach file which represents removed
>IPC ID as long as a memory segment is mapped. It breaks expectations
>of IPC subsystem.
>
>Test case (rewritten to be more human readable, originally autogenerated
>by syzkaller[1]):
>
> #define _GNU_SOURCE
> #include <stdlib.h>
> #include <sys/ipc.h>
> #include <sys/mman.h>
> #include <sys/shm.h>
>
> #define PAGE_SIZE 4096
>
> int main()
> {
> int id;
> void *p;
>
> id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
> p = shmat(id, NULL, 0);
> shmctl(id, IPC_RMID, NULL);
> remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
>
> return 0;
> }
>
>The patch changes shm_mmap() and code around shm_lock() to propagate
>locking error back to caller of shm_mmap().
>
>[1] http://github.com/google/syzkaller
So this is a very similar approach that I posted back when this discussion
arose: https://lkml.org/lkml/2015/10/12/959 -- There are a few differences
for which I prefer mine :)
o My shm_check_vma_validity() also deals with IPC_RMID as we do the
ipc_valid_object() check.
o We have a new WARN where necessary, instead of having one now is shm_open.
o My no-ops explicitly pair.
[...]
> ret = sfd->file->f_op->mmap(sfd->file, vma);
>- if (ret != 0)
>+ if (ret) {
>+ shm_close(vma);
> return ret;
>+ }
Hmm what's this shm_close() about?
Thanks,
Davidlohr
next prev parent reply other threads:[~2015-11-11 17:03 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-11 8:57 [PATCH, RESEND] ipc/shm: handle removed segments gracefully in shm_mmap() Kirill A. Shutemov
2015-11-11 8:57 ` Kirill A. Shutemov
2015-11-11 17:03 ` Davidlohr Bueso [this message]
2015-11-11 17:03 ` Davidlohr Bueso
2015-11-11 19:50 ` Kirill A. Shutemov
2015-11-11 19:50 ` Kirill A. Shutemov
2015-11-13 5:31 ` Davidlohr Bueso
2015-11-13 5:31 ` Davidlohr Bueso
2015-11-13 9:12 ` Kirill A. Shutemov
2015-11-13 9:12 ` Kirill A. Shutemov
2015-11-13 19:23 ` Davidlohr Bueso
2015-11-13 19:23 ` Davidlohr Bueso
2015-11-13 19:58 ` Davidlohr Bueso
2015-11-13 19:58 ` Davidlohr Bueso
2015-11-16 9:32 ` Kirill A. Shutemov
2015-11-16 9:32 ` Kirill A. Shutemov
2016-01-02 11:45 ` Manfred Spraul
2016-01-02 11:45 ` Manfred Spraul
2016-01-04 14:11 ` Kirill A. Shutemov
2016-01-04 14:11 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151111170347.GA3502@linux-uzut.site \
--to=dave@stgolabs.net \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.