From: Andrea Arcangeli <aarcange@redhat.com>
To: Nick Piggin <npiggin@gmail.com>
Cc: Jeff Moyer <jmoyer@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@gmail.com>,
Jan Kara <jack@suse.cz>, Michael Kerrisk <mtk.manpages@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-man@vger.kernel.org, linux-mm@kvack.org, mgorman@suse.de,
Woodman <lwoodman@redhat.com>
Subject: Re: [PATCH] Describe race of direct read and fork for unaligned buffers
Date: Wed, 2 May 2012 01:51:13 +0200 [thread overview]
Message-ID: <20120501235113.GC22923@redhat.com> (raw)
In-Reply-To: <CAPa8GCCgLUt1EDAy7-O-mo0qir6Bf5Pi3Va1EsQ3ZW5UU=+37g@mail.gmail.com>
Hi Nick!
On Wed, May 02, 2012 at 01:50:46AM +1000, Nick Piggin wrote:
> KOSAKI-san is correct, I think.
>
> The race is something like this:
>
> DIO-read
> page = get_user_pages()
> fork()
> COW(page)
> touch(page)
> DMA(page)
> page_cache_release(page);
Yes. More in general this race happens every time the kernel wrprotect
a writable anon pte, if get_user_pages had a pin on the page while the
pte is being wrprotected.
fork can't just abort (like KSM does) when it notices mapcount <
page_count.
The only way to avoid this, is that somehow the GUP-pinned page should
remain pointed at all times by the pte of the process that pinned the
page (no matter the cows), and that's not happening.
> So whether parent or child touches the page, determines who gets the
> actual DMA target, and who gets the copy.
Correct, so far there are two reproducers, triggering two different
kind of corruption.
The corruption may appear in different ways:
1) we could lose the direct-io read in the parent (if the forked child
does nothing and just quits), that was the basic case in dma_thread.c,
a dummy fork was run just to mark the pte wrprotected
2) the destination of the direct-io read may also become visible to the
child if the child written to the page before the I/O is complete,
leading to random mm corruption in the child
3) it's a direct-io write, then the child could write random data to
disk by accident without noticing, if the DMA wasn't started yet and
the child got the pinned page mapped in the child pte
We had two working fixes for this and personally I'd prefer to apply
them than to document the bug. The probability that who writes code
that can hit the bug is reading the note in the manpage seems pretty
small, especially in the short/mid term. This lkml thread as reminder
may actually have higher chance of being noticed than the manpage
maybe. Nevertheless documenting it is better than nothing if the fixes
aren't applied :). However I'm afraid after we officially document it
the chances of fixing it becomes zero.
> 2 threads are not required, but it makes the race easier to code and a
> larger window, I suspect.
>
> It can also be hit with a single thread, using AIO.
Yes, it requires running fork in the same process that pinned a page
with GUP, and then writing to a buffer in the same page that is under
the GUP pin before the GUP pin is released.
It's not just direct-io, and not just direct-io read (see point 3).
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2012-05-01 23:51 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-30 9:30 [PATCH] Describe race of direct read and fork for unaligned buffers Jan Kara
2012-04-30 13:41 ` Jeff Moyer
2012-04-30 14:30 ` Mel Gorman
2012-05-01 5:50 ` Michael Kerrisk (man-pages)
2012-05-01 6:49 ` Nick Piggin
2012-05-01 14:31 ` KOSAKI Motohiro
2012-05-01 14:37 ` KOSAKI Motohiro
2012-05-01 15:11 ` Jeff Moyer
2012-05-01 15:34 ` KOSAKI Motohiro
2012-05-01 15:38 ` Jeff Moyer
2012-05-01 15:50 ` Nick Piggin
2012-05-01 23:51 ` Andrea Arcangeli [this message]
2012-05-02 8:17 ` Jan Kara
2012-05-02 9:09 ` Nick Piggin
2012-05-02 9:18 ` Jan Kara
2012-05-02 19:14 ` KOSAKI Motohiro
2012-05-02 19:23 ` Jan Kara
2012-05-02 19:25 ` KOSAKI Motohiro
2012-05-05 11:28 ` Michael Kerrisk (man-pages)
2012-05-05 15:29 ` KOSAKI Motohiro
2012-05-08 23:10 ` Nick Piggin
2012-05-09 5:35 ` Michael Kerrisk (man-pages)
2012-05-09 7:01 ` Nick Piggin
2012-05-09 7:18 ` Michael Kerrisk (man-pages)
2012-05-10 15:00 ` Jan Kara
2012-05-01 16:15 ` KOSAKI Motohiro
2012-05-01 17:56 ` Michael Kerrisk (man-pages)
2012-05-02 0:34 ` Nick Piggin
2012-05-02 3:04 ` Hugh Dickins
2012-05-02 3:10 ` Nick Piggin
2012-05-02 9:20 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120501235113.GC22923@redhat.com \
--to=aarcange@redhat.com \
--cc=jack@suse.cz \
--cc=jmoyer@redhat.com \
--cc=kosaki.motohiro@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lwoodman@redhat.com \
--cc=mgorman@suse.de \
--cc=mtk.manpages@gmail.com \
--cc=npiggin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).