From: Nick Piggin <nickpiggin@yahoo.com.au>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Robin Holt <holt@sgi.com>, Andrew Morton <akpm@osdl.org>,
Roland McGrath <roland@redhat.com>,
Hugh Dickins <hugh@veritas.com>,
linux-mm@kvack.org, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [patch 2.6.13-rc4] fix get_user_pages bug
Date: Tue, 02 Aug 2005 11:27:59 +1000 [thread overview]
Message-ID: <42EECC1F.9000902@yahoo.com.au> (raw)
In-Reply-To: <Pine.LNX.4.58.0508010833250.14342@g5.osdl.org>
Linus Torvalds wrote:
>
>Instead, I'd suggest changing the logic for "lookup_write". Make it
>require that the page table entry is _dirty_ (not writable), and then
>remove the line that says:
>
> lookup_write = write && !force;
>
>and you're now done. A successful mm fault for write _should_ always have
>marked the PTE dirty (and yes, part of testing this would be to verify
>that this is true - but since architectures that don't have HW dirty
>bits depend on this anyway, I'm pretty sure it _is_ true).
>
>Ie something like the below (which is totally untested, obviously, but I
>think conceptually is a lot more correct, and obviously a lot simpler).
>
>
Surely this introduces integrity problems when `force` is not set?
Security holes? Perhaps not, but I wouldn't guarantee it.
However: I like your idea. And getting rid of the lookup_write logic is
a good thing.
I don't much like that it changes the semantics of follow_page for
write on a readonly pte, and that is where your problem is introduced.
I think to go down this route you'd at least need a follow_page check
that is distinct from 'write'. 'writeable', maybe.
Then, having a 'writeable' flag lets you neatly "comment" your idea of
what might constitute a writeable pte, as opposed to the current code
which basically looks like black magic to a reader, and gives no indication
of how it satisfies the get_user_pages requirements.
A minor issue: I don't much like the proliferation of __follow_page flags
either. Why not make __follow_page take a bitmask, and be used directly by
get_user_pages, which would also allow removal of the 'write' argument from
follow_page.
I would cook you some patches, but I'm not in front of the source tree.
Send instant messages to your online friends http://au.messenger.yahoo.com
WARNING: multiple messages have this Message-ID (diff)
From: Nick Piggin <nickpiggin@yahoo.com.au>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Robin Holt <holt@sgi.com>, Andrew Morton <akpm@osdl.org>,
Roland McGrath <roland@redhat.com>,
Hugh Dickins <hugh@veritas.com>,
linux-mm@kvack.org, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [patch 2.6.13-rc4] fix get_user_pages bug
Date: Tue, 02 Aug 2005 11:27:59 +1000 [thread overview]
Message-ID: <42EECC1F.9000902@yahoo.com.au> (raw)
In-Reply-To: <Pine.LNX.4.58.0508010833250.14342@g5.osdl.org>
Linus Torvalds wrote:
>
>Instead, I'd suggest changing the logic for "lookup_write". Make it
>require that the page table entry is _dirty_ (not writable), and then
>remove the line that says:
>
> lookup_write = write && !force;
>
>and you're now done. A successful mm fault for write _should_ always have
>marked the PTE dirty (and yes, part of testing this would be to verify
>that this is true - but since architectures that don't have HW dirty
>bits depend on this anyway, I'm pretty sure it _is_ true).
>
>Ie something like the below (which is totally untested, obviously, but I
>think conceptually is a lot more correct, and obviously a lot simpler).
>
>
Surely this introduces integrity problems when `force` is not set?
Security holes? Perhaps not, but I wouldn't guarantee it.
However: I like your idea. And getting rid of the lookup_write logic is
a good thing.
I don't much like that it changes the semantics of follow_page for
write on a readonly pte, and that is where your problem is introduced.
I think to go down this route you'd at least need a follow_page check
that is distinct from 'write'. 'writeable', maybe.
Then, having a 'writeable' flag lets you neatly "comment" your idea of
what might constitute a writeable pte, as opposed to the current code
which basically looks like black magic to a reader, and gives no indication
of how it satisfies the get_user_pages requirements.
A minor issue: I don't much like the proliferation of __follow_page flags
either. Why not make __follow_page take a bitmask, and be used directly by
get_user_pages, which would also allow removal of the 'write' argument from
follow_page.
I would cook you some patches, but I'm not in front of the source tree.
Send instant messages to your online friends http://au.messenger.yahoo.com
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2005-08-02 1:28 UTC|newest]
Thread overview: 133+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-07-30 20:53 get_user_pages() with write=1 and force=1 gets read-only pages Robin Holt
2005-07-30 22:13 ` Hugh Dickins
2005-07-31 1:52 ` Nick Piggin
2005-07-31 10:52 ` Robin Holt
2005-07-31 11:07 ` Nick Piggin
2005-07-31 11:30 ` Robin Holt
2005-07-31 11:39 ` Robin Holt
2005-07-31 12:09 ` Robin Holt
2005-07-31 22:27 ` Nick Piggin
2005-08-01 3:22 ` Roland McGrath
2005-08-01 8:21 ` [patch 2.6.13-rc4] fix get_user_pages bug Nick Piggin
2005-08-01 9:19 ` Ingo Molnar
2005-08-01 9:19 ` Ingo Molnar
2005-08-01 9:27 ` Nick Piggin
2005-08-01 9:27 ` Nick Piggin
2005-08-01 10:15 ` Ingo Molnar
2005-08-01 10:15 ` Ingo Molnar
2005-08-01 10:57 ` Nick Piggin
2005-08-01 10:57 ` Nick Piggin
2005-08-01 19:43 ` Hugh Dickins
2005-08-01 19:43 ` Hugh Dickins
2005-08-01 20:08 ` Linus Torvalds
2005-08-01 20:08 ` Linus Torvalds
2005-08-01 21:06 ` Hugh Dickins
2005-08-01 21:06 ` Hugh Dickins
2005-08-01 21:51 ` Linus Torvalds
2005-08-01 21:51 ` Linus Torvalds
2005-08-01 22:01 ` Linus Torvalds
2005-08-01 22:01 ` Linus Torvalds
2005-08-02 12:01 ` Martin Schwidefsky
2005-08-02 12:01 ` Martin Schwidefsky
2005-08-02 12:26 ` Hugh Dickins
2005-08-02 12:26 ` Hugh Dickins
2005-08-02 12:28 ` Nick Piggin
2005-08-02 15:19 ` Martin Schwidefsky
2005-08-02 15:19 ` Martin Schwidefsky
2005-08-02 15:30 ` Linus Torvalds
2005-08-02 15:30 ` Linus Torvalds
2005-08-02 16:03 ` Hugh Dickins
2005-08-02 16:03 ` Hugh Dickins
2005-08-02 16:25 ` Linus Torvalds
2005-08-02 16:25 ` Linus Torvalds
2005-08-02 17:02 ` Linus Torvalds
2005-08-02 17:02 ` Linus Torvalds
2005-08-02 17:27 ` Hugh Dickins
2005-08-02 17:27 ` Hugh Dickins
2005-08-02 17:21 ` Hugh Dickins
2005-08-02 17:21 ` Hugh Dickins
2005-08-02 18:47 ` Linus Torvalds
2005-08-02 18:47 ` Linus Torvalds
2005-08-02 19:20 ` Hugh Dickins
2005-08-02 19:20 ` Hugh Dickins
2005-08-02 19:54 ` Linus Torvalds
2005-08-02 19:54 ` Linus Torvalds
2005-08-02 20:55 ` Hugh Dickins
2005-08-02 20:55 ` Hugh Dickins
2005-08-03 10:24 ` Nick Piggin
2005-08-03 11:47 ` Hugh Dickins
2005-08-03 11:47 ` Hugh Dickins
2005-08-03 12:13 ` Nick Piggin
2005-08-03 12:13 ` Nick Piggin
2005-08-03 16:12 ` Linus Torvalds
2005-08-03 16:12 ` Linus Torvalds
2005-08-03 16:39 ` Linus Torvalds
2005-08-03 16:39 ` Linus Torvalds
2005-08-03 16:42 ` Linus Torvalds
2005-08-03 16:42 ` Linus Torvalds
2005-08-03 17:12 ` Hugh Dickins
2005-08-03 17:12 ` Hugh Dickins
2005-08-03 23:03 ` Nick Piggin
2005-08-03 23:03 ` Nick Piggin
2005-08-04 14:14 ` Alexander Nyberg
2005-08-04 14:14 ` Alexander Nyberg
2005-08-04 14:30 ` Nick Piggin
2005-08-04 14:30 ` Nick Piggin
2005-08-04 15:00 ` Alexander Nyberg
2005-08-04 15:00 ` Alexander Nyberg
2005-08-04 15:35 ` Hugh Dickins
2005-08-04 15:35 ` Hugh Dickins
2005-08-04 16:32 ` Russell King
2005-08-04 16:32 ` Russell King
2005-08-04 15:36 ` Linus Torvalds
2005-08-04 15:36 ` Linus Torvalds
2005-08-04 16:29 ` Russell King
2005-08-04 16:29 ` Russell King
2005-08-03 10:24 ` Martin Schwidefsky
2005-08-03 10:24 ` Martin Schwidefsky
2005-08-03 11:57 ` Hugh Dickins
2005-08-03 11:57 ` Hugh Dickins
2005-08-02 16:44 ` Martin Schwidefsky
2005-08-02 16:44 ` Martin Schwidefsky
2005-08-01 15:42 ` Linus Torvalds
2005-08-01 15:42 ` Linus Torvalds
2005-08-01 18:18 ` Linus Torvalds
2005-08-01 18:18 ` Linus Torvalds
2005-08-03 8:24 ` Robin Holt
2005-08-03 8:24 ` Robin Holt
2005-08-03 11:31 ` Hugh Dickins
2005-08-03 11:31 ` Hugh Dickins
2005-08-04 11:48 ` Robin Holt
2005-08-04 11:48 ` Robin Holt
2005-08-04 13:04 ` Hugh Dickins
2005-08-04 13:04 ` Hugh Dickins
2005-08-01 19:29 ` Hugh Dickins
2005-08-01 19:29 ` Hugh Dickins
2005-08-01 19:48 ` Linus Torvalds
2005-08-01 19:48 ` Linus Torvalds
2005-08-02 8:07 ` Martin Schwidefsky
2005-08-02 8:07 ` Martin Schwidefsky
2005-08-01 19:57 ` Andrew Morton
2005-08-01 19:57 ` Andrew Morton
2005-08-01 20:16 ` Linus Torvalds
2005-08-01 20:16 ` Linus Torvalds
2005-08-02 0:14 ` Nick Piggin
2005-08-02 0:14 ` Nick Piggin
2005-08-02 1:27 ` Nick Piggin [this message]
2005-08-02 1:27 ` Nick Piggin
2005-08-02 3:45 ` Linus Torvalds
2005-08-02 3:45 ` Linus Torvalds
2005-08-02 4:25 ` Nick Piggin
2005-08-02 4:25 ` Nick Piggin
2005-08-02 4:35 ` Linus Torvalds
2005-08-02 4:35 ` Linus Torvalds
2005-08-01 20:03 ` Hugh Dickins
2005-08-01 20:03 ` Hugh Dickins
2005-08-01 20:12 ` Andrew Morton
2005-08-01 20:12 ` Andrew Morton
2005-08-01 20:26 ` Linus Torvalds
2005-08-01 20:26 ` Linus Torvalds
2005-08-01 20:51 ` Hugh Dickins
2005-08-01 20:51 ` Hugh Dickins
-- strict thread matches above, loose matches on Subject: below --
2005-08-02 14:02 Dan Higgins
2005-08-02 14:02 ` Dan Higgins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42EECC1F.9000902@yahoo.com.au \
--to=nickpiggin@yahoo.com.au \
--cc=akpm@osdl.org \
--cc=holt@sgi.com \
--cc=hugh@veritas.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=roland@redhat.com \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.