* [PATCH] mmap.2: MAP_FIXED is no longer discouraged @ 2017-12-02 2:16 john.hubbard-Re5JQEeQqe8AvxtiuMwx3w 2017-12-02 15:05 ` Matthew Wilcox 0 siblings, 1 reply; 6+ messages in thread From: john.hubbard-Re5JQEeQqe8AvxtiuMwx3w @ 2017-12-02 2:16 UTC (permalink / raw) To: Michael Kerrisk Cc: linux-man, linux-api-u79uwXL29TY76Z2rM5mHXA, Michael Ellerman, linux-mm-Bw31MaZKKs3YtjvyW6yDsg, LKML, linux-arch-u79uwXL29TY76Z2rM5mHXA, Michal Hocko, John Hubbard From: John Hubbard <jhubbard-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org> MAP_FIXED has been widely used for a very long time, yet the man page still claims that "the use of this option is discouraged". The documentation assumes that "less portable" == "must be discouraged". Instead of discouraging something that is so useful and widely used, change the documentation to explain its limitations better. Signed-off-by: John Hubbard <jhubbard-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org> --- While reviewing Michal Hocko's man page update for MAP_FIXED_SAFE, I noticed that MAP_FIXED was no longer reflecting the current situation, so here is a patch to bring it into the year 2017. man2/mmap.2 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/man2/mmap.2 b/man2/mmap.2 index 385f3bfd5..a5a8eb47a 100644 --- a/man2/mmap.2 +++ b/man2/mmap.2 @@ -222,8 +222,10 @@ part of the existing mapping(s) will be discarded. If the specified address cannot be used, .BR mmap () will fail. -Because requiring a fixed address for a mapping is less portable, -the use of this option is discouraged. +Software that aspires to be portable should use this option with care, keeping +in mind that the exact layout of a process' memory map is allowed to change +significantly between kernel versions, C library versions, and operating system +releases. .TP .B MAP_GROWSDOWN This flag is used for stacks. -- 2.15.1 -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] mmap.2: MAP_FIXED is no longer discouraged 2017-12-02 2:16 [PATCH] mmap.2: MAP_FIXED is no longer discouraged john.hubbard-Re5JQEeQqe8AvxtiuMwx3w @ 2017-12-02 15:05 ` Matthew Wilcox 2017-12-02 18:49 ` Jann Horn 0 siblings, 1 reply; 6+ messages in thread From: Matthew Wilcox @ 2017-12-02 15:05 UTC (permalink / raw) To: john.hubbard Cc: Michael Kerrisk, linux-man, linux-api, Michael Ellerman, linux-mm, LKML, linux-arch, Michal Hocko, John Hubbard On Fri, Dec 01, 2017 at 06:16:26PM -0800, john.hubbard@gmail.com wrote: > MAP_FIXED has been widely used for a very long time, yet the man > page still claims that "the use of this option is discouraged". I think we should continue to discourage the use of this option, but I'm going to include some of your text in my replacement paragraph ... -Because requiring a fixed address for a mapping is less portable, -the use of this option is discouraged. +The use of this option is discouraged because it forcibly unmaps any +existing mapping at that address. Programs which use this option need +to be aware that their memory map may change significantly from one run to +the next, depending on library versions, kernel versions and random numbers. +In a threaded process, checking the existing mappings can race against +a new dynamic library being loaded, for example in response to another +thread making a library call which causes a PAM module to be loaded. (I don't love this text, in particular "PAM module". I'm going off to use the ATM machine now. Please edit.) ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mmap.2: MAP_FIXED is no longer discouraged 2017-12-02 15:05 ` Matthew Wilcox @ 2017-12-02 18:49 ` Jann Horn [not found] ` <CAG48ez2u3fjBDCMH4x3EUhG6ZD6VUa=A1p441P9fg=wUdzwHNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 6+ messages in thread From: Jann Horn @ 2017-12-02 18:49 UTC (permalink / raw) To: Matthew Wilcox Cc: john.hubbard, Michael Kerrisk, linux-man, Linux API, Michael Ellerman, linux-mm, LKML, linux-arch, Michal Hocko, John Hubbard On Sat, Dec 2, 2017 at 4:05 PM, Matthew Wilcox <willy@infradead.org> wrote: > On Fri, Dec 01, 2017 at 06:16:26PM -0800, john.hubbard@gmail.com wrote: >> MAP_FIXED has been widely used for a very long time, yet the man >> page still claims that "the use of this option is discouraged". > > I think we should continue to discourage the use of this option, but > I'm going to include some of your text in my replacement paragraph ... > > -Because requiring a fixed address for a mapping is less portable, > -the use of this option is discouraged. > +The use of this option is discouraged because it forcibly unmaps any > +existing mapping at that address. Programs which use this option need > +to be aware that their memory map may change significantly from one run to > +the next, depending on library versions, kernel versions and random numbers. How about adding something explicit about when it's okay to use MAP_FIXED? "This option should only be used to displace an existing mapping that is controlled by the caller, or part of such a mapping." or something like that? > +In a threaded process, checking the existing mappings can race against > +a new dynamic library being loaded malloc() and its various callers can also cause mmap() calls, which is probably more relevant than library loading. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a> ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <CAG48ez2u3fjBDCMH4x3EUhG6ZD6VUa=A1p441P9fg=wUdzwHNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [PATCH] mmap.2: MAP_FIXED is no longer discouraged [not found] ` <CAG48ez2u3fjBDCMH4x3EUhG6ZD6VUa=A1p441P9fg=wUdzwHNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2017-12-02 22:19 ` Matthew Wilcox [not found] ` <20171202221910.GA8228-PfSpb0PWhxZc2C7mugBRk2EX/6BAtgUQ@public.gmane.org> 0 siblings, 1 reply; 6+ messages in thread From: Matthew Wilcox @ 2017-12-02 22:19 UTC (permalink / raw) To: Jann Horn Cc: john.hubbard-Re5JQEeQqe8AvxtiuMwx3w, Michael Kerrisk, linux-man, Linux API, Michael Ellerman, linux-mm-Bw31MaZKKs3YtjvyW6yDsg, LKML, linux-arch, Michal Hocko, John Hubbard On Sat, Dec 02, 2017 at 07:49:20PM +0100, Jann Horn wrote: > On Sat, Dec 2, 2017 at 4:05 PM, Matthew Wilcox <willy-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote: > > On Fri, Dec 01, 2017 at 06:16:26PM -0800, john.hubbard-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote: > >> MAP_FIXED has been widely used for a very long time, yet the man > >> page still claims that "the use of this option is discouraged". > > > > I think we should continue to discourage the use of this option, but > > I'm going to include some of your text in my replacement paragraph ... > > > > -Because requiring a fixed address for a mapping is less portable, > > -the use of this option is discouraged. > > +The use of this option is discouraged because it forcibly unmaps any > > +existing mapping at that address. Programs which use this option need > > +to be aware that their memory map may change significantly from one run to > > +the next, depending on library versions, kernel versions and random numbers. > > How about adding something explicit about when it's okay to use MAP_FIXED? > "This option should only be used to displace an existing mapping that is > controlled by the caller, or part of such a mapping." or something like that? > > > +In a threaded process, checking the existing mappings can race against > > +a new dynamic library being loaded > > malloc() and its various callers can also cause mmap() calls, which is probably > more relevant than library loading. That's a bit more expected though. "I called malloc and my address space changed". Well, yeah. But "I called getpwnam and my address space changed" is a bit more surprising. Don't you think? Maybe that should be up front rather than buried at the end of the sentence. "In a multi-threaded process, the address space can change in response to virtually any library call. This is because almost any library call may be implemented by using dlopen(3) to load another shared library, which will be mapped into the process's address space. The PAM libraries are an excellent example, as well as more obvious examples like brk(2), malloc(3) and even pthread_create(3)." What do you think? -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <20171202221910.GA8228-PfSpb0PWhxZc2C7mugBRk2EX/6BAtgUQ@public.gmane.org>]
* Re: [PATCH] mmap.2: MAP_FIXED is no longer discouraged [not found] ` <20171202221910.GA8228-PfSpb0PWhxZc2C7mugBRk2EX/6BAtgUQ@public.gmane.org> @ 2017-12-03 0:22 ` John Hubbard 2017-12-03 4:06 ` John Hubbard 1 sibling, 0 replies; 6+ messages in thread From: John Hubbard @ 2017-12-03 0:22 UTC (permalink / raw) To: Matthew Wilcox, Jann Horn Cc: Michael Kerrisk, linux-man, Linux API, Michael Ellerman, linux-mm-Bw31MaZKKs3YtjvyW6yDsg, LKML, linux-arch, Michal Hocko On 12/02/2017 02:19 PM, Matthew Wilcox wrote: > On Sat, Dec 02, 2017 at 07:49:20PM +0100, Jann Horn wrote: >> On Sat, Dec 2, 2017 at 4:05 PM, Matthew Wilcox <willy-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote: >>> On Fri, Dec 01, 2017 at 06:16:26PM -0800, john.hubbard-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote: >>>> MAP_FIXED has been widely used for a very long time, yet the man >>>> page still claims that "the use of this option is discouraged". >>> >>> I think we should continue to discourage the use of this option, but >>> I'm going to include some of your text in my replacement paragraph ... >>> >>> -Because requiring a fixed address for a mapping is less portable, >>> -the use of this option is discouraged. >>> +The use of this option is discouraged because it forcibly unmaps any >>> +existing mapping at that address. Programs which use this option need >>> +to be aware that their memory map may change significantly from one run to >>> +the next, depending on library versions, kernel versions and random numbers. >> >> How about adding something explicit about when it's okay to use MAP_FIXED? >> "This option should only be used to displace an existing mapping that is >> controlled by the caller, or part of such a mapping." or something like that? >> >>> +In a threaded process, checking the existing mappings can race against >>> +a new dynamic library being loaded >> >> malloc() and its various callers can also cause mmap() calls, which is probably >> more relevant than library loading. > > That's a bit more expected though. "I called malloc and my address > space changed". Well, yeah. But "I called getpwnam and my address > space changed" is a bit more surprising. Don't you think? > > Maybe that should be up front rather than buried at the end of the sentence. > > "In a multi-threaded process, the address space can change in response to > virtually any library call. This is because almost any library call may be > implemented by using dlopen(3) to load another shared library, which will be > mapped into the process's address space. The PAM libraries are an excellent > example, as well as more obvious examples like brk(2), malloc(3) and even > pthread_create(3)." > > What do you think? > I'm working on some updated wording to capture these points. I'm even slower at writing than I am at coding, so there will be a somewhat-brief pause here... :) thanks, John Hubbard NVIDIA ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mmap.2: MAP_FIXED is no longer discouraged [not found] ` <20171202221910.GA8228-PfSpb0PWhxZc2C7mugBRk2EX/6BAtgUQ@public.gmane.org> 2017-12-03 0:22 ` John Hubbard @ 2017-12-03 4:06 ` John Hubbard 1 sibling, 0 replies; 6+ messages in thread From: John Hubbard @ 2017-12-03 4:06 UTC (permalink / raw) To: Matthew Wilcox, Jann Horn Cc: Michael Kerrisk, linux-man, Linux API, Michael Ellerman, linux-mm-Bw31MaZKKs3YtjvyW6yDsg, LKML, linux-arch, Michal Hocko On 12/02/2017 02:19 PM, Matthew Wilcox wrote: > On Sat, Dec 02, 2017 at 07:49:20PM +0100, Jann Horn wrote: >> On Sat, Dec 2, 2017 at 4:05 PM, Matthew Wilcox <willy-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote: >>> On Fri, Dec 01, 2017 at 06:16:26PM -0800, john.hubbard-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote: [...] > > Maybe that should be up front rather than buried at the end of the sentence. > > "In a multi-threaded process, the address space can change in response to > virtually any library call. This is because almost any library call may be > implemented by using dlopen(3) to load another shared library, which will be > mapped into the process's address space. The PAM libraries are an excellent > example, as well as more obvious examples like brk(2), malloc(3) and even > pthread_create(3)." > > What do you think? > Hi Matthew, Here is a new version, based on your and Jann's comments. I also added a reference to MAP_FIXED_SAFE. If it looks close, I'll send a v2 with proper formatting applied. I did wonder briefly if your ATM reference was a oblique commentary about security, but then realized...you probably just needed some cash. :) ----- This option is extremely hazardous (when used on its own) and moderately non-portable. On portability: a process's memory map may change significantly from one run to the next, depending on library versions, kernel versions and ran‐ dom numbers. On hazards: this option forcibly removes pre-existing mappings, making it easy for a multi-threaded process to corrupt its own address space. For example, thread A looks through /proc/<pid>/maps and locates an available address range, while thread B simultaneously acquires part or all of that same address range. Thread A then calls mmap(MAP_FIXED), effectively overwriting thread B's mapping. Thread B need not create a mapping directly; simply making a library call that, internally, uses dlopen(3) to load some other shared library, will suffice. The dlopen(3) call will map the library into the process's address space. Furthermore, almost any library call may be implemented using this technique. Examples include brk(2), malloc(3), pthread_cre‐ ate(3), and the PAM libraries (http://www.linux-pam.org). Given the above limitations, one of the very few ways to use this option safely is: mmap() a region, without specifying MAP_FIXED. Then, within that region, call mmap(MAP_FIXED) to suballocate regions. This avoids both the portability problem (because the first mmap call lets the ker‐ nel pick the address), and the address space corruption problem (because the region being overwritten is already owned by the calling thread). Newer kernels (Linux 4.16 and later) have a MAP_FIXED_SAFE option that avoids the corruption problem; if available, MAP_FIXED_SAFE should be preferred over MAP_FIXED. thanks, John Hubbard NVIDIA ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-12-03 4:06 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-02 2:16 [PATCH] mmap.2: MAP_FIXED is no longer discouraged john.hubbard-Re5JQEeQqe8AvxtiuMwx3w
2017-12-02 15:05 ` Matthew Wilcox
2017-12-02 18:49 ` Jann Horn
[not found] ` <CAG48ez2u3fjBDCMH4x3EUhG6ZD6VUa=A1p441P9fg=wUdzwHNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-02 22:19 ` Matthew Wilcox
[not found] ` <20171202221910.GA8228-PfSpb0PWhxZc2C7mugBRk2EX/6BAtgUQ@public.gmane.org>
2017-12-03 0:22 ` John Hubbard
2017-12-03 4:06 ` John Hubbard
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).