From: Michal Hocko <mhocko@kernel.org>
To: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: linux-api@vger.kernel.org, Khalid Aziz <khalid.aziz@oracle.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Andrew Morton <akpm@linux-foundation.org>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Andrea Arcangeli <aarcange@redhat.com>,
linux-mm@kvack.org, LKML <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org, Florian Weimer <fweimer@redhat.com>,
John Hubbard <jhubbard@nvidia.com>,
Matthew Wilcox <willy@infradead.org>,
Jann Horn <jannh@google.com>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Cyril Hrubis <chrubis@suse.cz>, Pavel Machek <pavel@ucw.cz>,
Michal Hocko <mhocko@suse.com>
Subject: [PATCH 2/2] mmap.2: MAP_FIXED updated documentation
Date: Wed, 13 Dec 2017 10:31:10 +0100 [thread overview]
Message-ID: <20171213093110.3550-2-mhocko@kernel.org> (raw)
In-Reply-To: <20171213093110.3550-1-mhocko@kernel.org>
From: John Hubbard <jhubbard@nvidia.com>
-- Expand the documentation to discuss the hazards in
enough detail to allow avoiding them.
-- Mention the upcoming MAP_FIXED_SAFE flag.
-- Enhance the alignment requirement slightly.
CC: Michael Ellerman <mpe@ellerman.id.au>
CC: Jann Horn <jannh@google.com>
CC: Matthew Wilcox <willy@infradead.org>
CC: Michal Hocko <mhocko@kernel.org>
CC: Mike Rapoport <rppt@linux.vnet.ibm.com>
CC: Cyril Hrubis <chrubis@suse.cz>
CC: Pavel Machek <pavel@ucw.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
---
man2/mmap.2 | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/man2/mmap.2 b/man2/mmap.2
index 02d391697ce6..cb8789daec2d 100644
--- a/man2/mmap.2
+++ b/man2/mmap.2
@@ -212,8 +212,9 @@ Don't interpret
.I addr
as a hint: place the mapping at exactly that address.
.I addr
-must be a multiple of the page size.
-If the memory region specified by
+must be suitably aligned: for most architectures a multiple of page
+size is sufficient; however, some architectures may impose additional
+restrictions. If the memory region specified by
.I addr
and
.I len
@@ -226,6 +227,33 @@ Software that aspires to be portable should use this option with care, keeping
in mind that the exact layout of a process' memory map is allowed to change
significantly between kernel versions, C library versions, and operating system
releases.
+.IP
+Furthermore, this option is extremely hazardous (when used on its own), because
+it forcibly removes pre-existing mappings, making it easy for a multi-threaded
+process to corrupt its own address space.
+.IP
+For example, thread A looks through
+.I /proc/<pid>/maps
+and locates an available
+address range, while thread B simultaneously acquires part or all of that same
+address range. Thread A then calls mmap(MAP_FIXED), effectively overwriting
+the mapping that thread B created.
+.IP
+Thread B need not create a mapping directly; simply making a library call
+that, internally, uses
+.I dlopen(3)
+to load some other shared library, will
+suffice. The dlopen(3) call will map the library into the process's address
+space. Furthermore, almost any library call may be implemented using this
+technique.
+Examples include brk(2), malloc(3), pthread_create(3), and the PAM libraries
+(http://www.linux-pam.org).
+.IP
+Newer kernels
+(Linux 4.16 and later) have a
+.B MAP_FIXED_SAFE
+option that avoids the corruption problem; if available, MAP_FIXED_SAFE
+should be preferred over MAP_FIXED.
.TP
.BR MAP_FIXED_SAFE " (since Linux 4.16)"
Similar to MAP_FIXED with respect to the
--
2.15.0
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Michal Hocko <mhocko@kernel.org>
To: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: linux-api@vger.kernel.org, Khalid Aziz <khalid.aziz@oracle.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Andrew Morton <akpm@linux-foundation.org>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Andrea Arcangeli <aarcange@redhat.com>,
linux-mm@kvack.org, LKML <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org, Florian Weimer <fweimer@redhat.com>,
John Hubbard <jhubbard@nvidia.com>,
Matthew Wilcox <willy@infradead.org>,
Jann Horn <jannh@google.com>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Cyril Hrubis <chrubis@suse.cz>, Pavel Machek <pavel@ucw.cz>,
Michal Hocko <mhocko@suse.com>
Subject: [PATCH 2/2] mmap.2: MAP_FIXED updated documentation
Date: Wed, 13 Dec 2017 10:31:10 +0100 [thread overview]
Message-ID: <20171213093110.3550-2-mhocko@kernel.org> (raw)
Message-ID: <20171213093110.tFlkQZtZxL-_MyAF1cZNol1W3WOG6sZSw65_EdsiVRQ@z> (raw)
In-Reply-To: <20171213093110.3550-1-mhocko@kernel.org>
From: John Hubbard <jhubbard@nvidia.com>
-- Expand the documentation to discuss the hazards in
enough detail to allow avoiding them.
-- Mention the upcoming MAP_FIXED_SAFE flag.
-- Enhance the alignment requirement slightly.
CC: Michael Ellerman <mpe@ellerman.id.au>
CC: Jann Horn <jannh@google.com>
CC: Matthew Wilcox <willy@infradead.org>
CC: Michal Hocko <mhocko@kernel.org>
CC: Mike Rapoport <rppt@linux.vnet.ibm.com>
CC: Cyril Hrubis <chrubis@suse.cz>
CC: Pavel Machek <pavel@ucw.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
---
man2/mmap.2 | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/man2/mmap.2 b/man2/mmap.2
index 02d391697ce6..cb8789daec2d 100644
--- a/man2/mmap.2
+++ b/man2/mmap.2
@@ -212,8 +212,9 @@ Don't interpret
.I addr
as a hint: place the mapping at exactly that address.
.I addr
-must be a multiple of the page size.
-If the memory region specified by
+must be suitably aligned: for most architectures a multiple of page
+size is sufficient; however, some architectures may impose additional
+restrictions. If the memory region specified by
.I addr
and
.I len
@@ -226,6 +227,33 @@ Software that aspires to be portable should use this option with care, keeping
in mind that the exact layout of a process' memory map is allowed to change
significantly between kernel versions, C library versions, and operating system
releases.
+.IP
+Furthermore, this option is extremely hazardous (when used on its own), because
+it forcibly removes pre-existing mappings, making it easy for a multi-threaded
+process to corrupt its own address space.
+.IP
+For example, thread A looks through
+.I /proc/<pid>/maps
+and locates an available
+address range, while thread B simultaneously acquires part or all of that same
+address range. Thread A then calls mmap(MAP_FIXED), effectively overwriting
+the mapping that thread B created.
+.IP
+Thread B need not create a mapping directly; simply making a library call
+that, internally, uses
+.I dlopen(3)
+to load some other shared library, will
+suffice. The dlopen(3) call will map the library into the process's address
+space. Furthermore, almost any library call may be implemented using this
+technique.
+Examples include brk(2), malloc(3), pthread_create(3), and the PAM libraries
+(http://www.linux-pam.org).
+.IP
+Newer kernels
+(Linux 4.16 and later) have a
+.B MAP_FIXED_SAFE
+option that avoids the corruption problem; if available, MAP_FIXED_SAFE
+should be preferred over MAP_FIXED.
.TP
.BR MAP_FIXED_SAFE " (since Linux 4.16)"
Similar to MAP_FIXED with respect to the
--
2.15.0
next prev parent reply other threads:[~2017-12-13 9:31 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-13 9:25 [PATCH v2 0/2] mm: introduce MAP_FIXED_SAFE Michal Hocko
2017-12-13 9:25 ` Michal Hocko
2017-12-13 9:25 ` [PATCH 1/2] " Michal Hocko
2017-12-13 9:25 ` Michal Hocko
[not found] ` <20171213092550.2774-2-mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-12-13 12:50 ` Matthew Wilcox
2017-12-13 12:50 ` Matthew Wilcox
2017-12-13 13:01 ` Michal Hocko
2017-12-13 13:01 ` Michal Hocko
2017-12-13 9:25 ` [PATCH 2/2] fs, elf: drop MAP_FIXED usage from elf_map Michal Hocko
2017-12-13 9:25 ` Michal Hocko
2017-12-16 0:49 ` [2/2] " Andrei Vagin
2017-12-18 9:13 ` Michal Hocko
2017-12-18 9:13 ` Michal Hocko
2017-12-18 18:12 ` Andrei Vagin
2017-12-18 18:12 ` Andrei Vagin
2017-12-13 9:31 ` [PATCH 1/2] mmap.2: document new MAP_FIXED_SAFE flag Michal Hocko
2017-12-13 9:31 ` Michal Hocko
2017-12-13 9:31 ` Michal Hocko [this message]
2017-12-13 9:31 ` [PATCH 2/2] mmap.2: MAP_FIXED updated documentation Michal Hocko
2017-12-13 12:55 ` Pavel Machek
2017-12-13 13:03 ` Cyril Hrubis
2017-12-13 13:03 ` Cyril Hrubis
2017-12-13 13:04 ` Michal Hocko
2017-12-13 13:09 ` Pavel Machek
2017-12-13 13:16 ` Michal Hocko
2017-12-13 13:16 ` Michal Hocko
[not found] ` <20171213131640.GJ25185-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
2017-12-13 13:21 ` Pavel Machek
2017-12-13 13:21 ` Pavel Machek
2017-12-13 13:35 ` Michal Hocko
2017-12-13 13:35 ` Michal Hocko
2017-12-13 14:40 ` Cyril Hrubis
2017-12-13 14:40 ` Cyril Hrubis
2017-12-13 23:19 ` Kees Cook
2017-12-13 23:19 ` Kees Cook
[not found] ` <CAGXu5jLqE6cUxk-Girx6PG7upEzz8jmu1OH_3LVC26iJc2vTxQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-14 7:07 ` Michal Hocko
2017-12-14 7:07 ` Michal Hocko
2017-12-18 19:12 ` Michael Kerrisk (man-pages)
2017-12-18 19:12 ` Michael Kerrisk (man-pages)
2017-12-18 20:19 ` Kees Cook
2017-12-18 20:19 ` Kees Cook
2017-12-18 20:33 ` Matthew Wilcox
[not found] ` <CAGXu5jJ289R9koVoHmxcvUWr6XHSZR2p0qq3WtpNyN-iNSvrNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-21 12:38 ` Michael Ellerman
2017-12-21 12:38 ` Michael Ellerman
2017-12-21 14:59 ` known bad patch in -mm tree was " Pavel Machek
2017-12-21 15:08 ` Michal Hocko
2017-12-21 15:08 ` Michal Hocko
2017-12-21 22:24 ` Andrew Morton
2017-12-21 22:24 ` Andrew Morton
2017-12-22 0:06 ` Michael Ellerman
2017-12-14 2:52 ` Jann Horn
2017-12-14 2:52 ` Jann Horn
[not found] ` <CAG48ez0JZ3PVW3vgSXDmDijS+a_5bSX9qNuyggnsB6JTSkKngA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-14 5:28 ` John Hubbard
2017-12-14 5:28 ` John Hubbard
2017-12-14 23:06 ` John Hubbard
[not found] ` <b4fb7b3a-e53e-bf87-53c5-186751a14f4e-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
2017-12-14 23:10 ` Jann Horn
2017-12-14 23:10 ` Jann Horn
[not found] ` <20171213092550.2774-1-mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-12-13 12:25 ` [PATCH v2 0/2] mm: introduce MAP_FIXED_SAFE Matthew Wilcox
2017-12-13 12:25 ` Matthew Wilcox
2017-12-13 12:34 ` Michal Hocko
2017-12-13 12:34 ` Michal Hocko
2017-12-13 17:13 ` Kees Cook
2017-12-13 17:13 ` Kees Cook
2017-12-15 9:02 ` Michael Ellerman
2017-12-15 9:02 ` Michael Ellerman
2017-12-14 0:32 ` Andrew Morton
2017-12-14 0:32 ` Andrew Morton
2017-12-14 1:35 ` David Goldblatt
2017-12-14 1:42 ` David Goldblatt
2017-12-14 1:42 ` David Goldblatt
2017-12-14 12:44 ` Edward Napierala
2017-12-14 13:15 ` Michal Hocko
2017-12-14 13:15 ` Michal Hocko
2017-12-14 14:54 ` Edward Napierala
2017-12-14 14:54 ` Edward Napierala
2017-12-19 12:40 ` David Laight
2017-12-19 12:40 ` David Laight
2017-12-19 12:46 ` Michal Hocko
2017-12-19 12:46 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171213093110.3550-2-mhocko@kernel.org \
--to=mhocko@kernel.org \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=chrubis@suse.cz \
--cc=fweimer@redhat.com \
--cc=jannh@google.com \
--cc=jhubbard@nvidia.com \
--cc=khalid.aziz@oracle.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@armlinux.org.uk \
--cc=mhocko@suse.com \
--cc=mpe@ellerman.id.au \
--cc=mtk.manpages@gmail.com \
--cc=pavel@ucw.cz \
--cc=rppt@linux.vnet.ibm.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.