From: "Ken Chen" <kenchen@google.com>
To: "Hugh Dickins" <hugh@veritas.com>
Cc: "Adam Litke" <agl@us.ibm.com>, "Andrew Morton" <akpm@osdl.org>,
    "William Irwin" <wli@holomorphy.com>,
    "David Gibson" <david@gibson.dropbear.id.au>,
    linux-mm@kvack.org, linux-kernel@vger.kernel.org,
    tony.luck@intel.com
Subject: Re: [PATCH] Don't allow the stack to grow into hugetlb reserved regions
Date: Mon, 29 Jan 2007 10:32:39 -0800
Message-ID: <b040c32a0701291032o431dce63xfc804dc7f9280ff2@mail.gmail.com>
In-Reply-To: <Pine.LNX.4.64.0701291703530.31023@blonde.wat.veritas.com>

On 1/29/07, Hugh Dickins <hugh@veritas.com> wrote:
> But, never mind hugetlb, you've still not quite convinced me that there's
> no problem at all with get_user_pages find_extend_vma growing on ia64.
>
> I repeat that ia64_do_page_fault has REGION tests to guard against
> expanding either kind of stack across into another region. ia64_brk,
> ia64_mmap_check and arch_get_unmapped_area have RGN_MAP_LIMIT checks.
> But where is the equivalent paranoia when ptrace calls get_user_pages
> calls find_extend_vma?
>
> If your usual stacks face each other across the same region, they're
> not going to pose a problem. But what if someone mmaps MAP_GROWSDOWN
> near the base of a region, then uses ptrace to touch an address near
> the top of the region below?

OK, now I fully understand what you are after. I kept on thinking in the
context of hugetlb. You are correct that ia64 does not have a proper address
check for find_extend_vma() and it is indeed a potentially very bad bug in
there. I'm with you, I don't see the equivalent RGN_MAP_LIMIT check in the
get_user_pages() path.

Forwarding this to Tony as I don't have any access to an ia64 machine anymore
to test/validate a fix.

- Ken
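
Added example, not part of the message above and not kernel code: a user-space C model of the kind of region guard the thread says ia64_do_page_fault applies and the get_user_pages() / find_extend_vma() path lacks. The struct, function names, page size and per-region limit are assumptions made for the model; only the 3-bit region number in the top bits of an ia64 address is architectural.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ia64 keeps the region number in the top 3 bits of a 64-bit virtual address. */
#define REGION_SHIFT      61
#define REGION_BASE(n)    ((uint64_t)(n) << REGION_SHIFT)
#define REGION_NUMBER(a)  ((uint64_t)(a) >> REGION_SHIFT)
#define REGION_OFFSET(a)  ((uint64_t)(a) & (REGION_BASE(1) - 1))

/* Assumed values for this model only (constructed, not taken from the thread). */
#define MODEL_PAGE_SIZE   UINT64_C(0x4000)
#define MODEL_RGN_LIMIT   ((UINT64_C(1) << 44) - MODEL_PAGE_SIZE)

/* Constructed sample: a MAP_GROWSDOWN mapping near the base of region 2. */
#define VMA_START   (REGION_BASE(2) + 0x10000)
#define VMA_END     (REGION_BASE(2) + 0x20000)
#define ADDR_SAME   (REGION_BASE(2) + 0x8000)          /* below vma, same region */
#define ADDR_BELOW  (REGION_BASE(2) - MODEL_PAGE_SIZE) /* top of region 1 */

struct model_vma { uint64_t start, end; bool grows_down; };

/* Simplified find_extend_vma() behaviour: grow a grows-down vma to cover addr. */
static bool extend_unguarded(struct model_vma *v, uint64_t addr)
{
    if (addr >= v->start) return addr < v->end;
    if (!v->grows_down) return false;
    v->start = addr & ~(MODEL_PAGE_SIZE - 1);
    return true;
}

/* Same, but refuse growth that would leave the vma's region or pass the limit. */
static bool extend_guarded(struct model_vma *v, uint64_t addr)
{
    if (addr < v->start &&
        (REGION_NUMBER(addr) != REGION_NUMBER(v->start) ||
         REGION_OFFSET(addr) >= MODEL_RGN_LIMIT))
        return false;
    return extend_unguarded(v, addr);
}

/* Apply one access to a fresh sample vma and return the resulting vm_start. */
static uint64_t start_after(bool guarded, uint64_t addr)
{
    struct model_vma v = { VMA_START, VMA_END, true };
    if (guarded) extend_guarded(&v, addr); else extend_unguarded(&v, addr);
    return v.start;
}

int main(void)
{
    printf("unguarded start region: %llu\n",
           (unsigned long long)REGION_NUMBER(start_after(false, ADDR_BELOW)));
    printf("guarded start region:   %llu\n",
           (unsigned long long)REGION_NUMBER(start_after(true, ADDR_BELOW)));
    return 0;
}
```

Without the guard the modelled vma ends up starting in region 1; with it the vma is left unchanged, while growth inside region 2 still succeeds.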