linux-mm.kvack.org archive mirror
From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Peter Zijlstra <peterz@infradead.org>
Cc: torvalds@linux-foundation.org, paulmck@linux.vnet.ibm.com,
	tglx@linutronix.de, akpm@linux-foundation.org, riel@redhat.com,
	mgorman@suse.de, oleg@redhat.com, mingo@redhat.com,
	minchan@kernel.org, kamezawa.hiroyu@jp.fujitsu.com,
	viro@zeniv.linux.org.uk, laijs@cn.fujitsu.com, dave@stgolabs.net,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [RFC][PATCH 3/6] mm: VMA sequence count
Date: Wed, 22 Oct 2014 14:26:57 +0300
Message-ID: <20141022112657.GG30588@node.dhcp.inet.fi>
In-Reply-To: <20141020222841.361741939@infradead.org>

On Mon, Oct 20, 2014 at 11:56:36PM +0200, Peter Zijlstra wrote:
> Wrap the VMA modifications (vma_adjust/unmap_page_range) with sequence
> counts such that we can easily test if a VMA is changed.
> 
> The unmap_page_range() one allows us to make assumptions about
> page-tables; when we find the seqcount hasn't changed we can assume
> page-tables are still valid.
> 
> The flip side is that we cannot distinguish between a vma_adjust() and
> the unmap_page_range() -- where with the former we could have
> re-checked the vma bounds against the address.

You only took care of changing the size of the VMA or unmap. What about
other aspects of the VMA? How would you take care of the race with
mprotect(2)?

		CPU0						CPU1
 mprotect()
   mprotect_fixup()
     vma_merge()
       [ maybe update vm_sequence ]
    						[ page fault kicks in ]
						  do_anonymous_page()
						    entry = mk_pte(page, fe->vma->vm_page_prot);
     vma_set_page_prot(vma)
       [ update vma->vm_page_prot ]
     change_protection()
						    pte_map_lock()
						      [ vm_sequence is ok ]
						    set_pte_at(entry) // With old vm_page_prot!!!

This can end up as a security issue.

This particular case can be fixed pretty easily: we should move the
vm_page_prot reference under the ptl and make sure that we walk over
virtual addresses in the same (direct) order everywhere (this seems true).

But who knows what else we're missing?

-- 
 Kirill A. Shutemov
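
The interleaving in the mail above, replayed as a deterministic single-threaded model. This is an added example, not code from the patch series or the kernel; `replay`, `install`, `P_RO`/`P_RW` and the choice of an mprotect() that tightens RW to RO are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not kernel code: one VMA, one PTE slot, and the
 * interleaving from the mail replayed step by step on a single thread.
 * Assumption: mprotect() tightens the mapping from RW to RO. */
enum { PTE_NONE = 0, P_RO = 1, P_RW = 3 };

struct vma { unsigned seq; int page_prot; };

/* change_protection(): rewrites only PTEs that are already present. */
static void change_protection(const struct vma *v, int *pte)
{
    if (*pte != PTE_NONE)
        *pte = v->page_prot;
}

/* pte_map_lock() + set_pte_at(): install only if the sequence count
 * sampled at fault entry is unchanged. read_under_ptl selects whether
 * vm_page_prot is re-read here (the proposed fix) or taken from the
 * value sampled earlier, outside the lock. */
static int install(const struct vma *v, int *pte, unsigned seq0,
                   int early_prot, int read_under_ptl)
{
    if (v->seq != seq0)
        return -1;                 /* speculation fails, retry path */
    *pte = read_under_ptl ? v->page_prot : early_prot;
    return 0;
}

/* Replays the schedule; fault_locks_first picks which side reaches the
 * PTE first. Returns the protection the PTE ends up with. */
int replay(int read_under_ptl, int fault_locks_first)
{
    struct vma v = { .seq = 2, .page_prot = P_RW };
    int pte = PTE_NONE;

    v.seq += 2;                    /* vma_merge(): maybe update vm_sequence */
    unsigned seq0 = v.seq;         /* page fault kicks in */
    int early = v.page_prot;       /* mk_pte(page, vma->vm_page_prot) */
    if (fault_locks_first)
        install(&v, &pte, seq0, early, read_under_ptl);
    v.page_prot = P_RO;            /* vma_set_page_prot() */
    change_protection(&v, &pte);   /* skips the PTE if it is still none */
    if (!fault_locks_first)
        install(&v, &pte, seq0, early, read_under_ptl);
    return pte;
}

int main(void)
{
    printf("racy: %d, fixed: %d\n", replay(0, 0), replay(1, 0));
    return 0;
}
```

In the model the sequence check passes in every schedule, so only the point at which vm_page_prot is read decides whether the installed PTE carries the old protection.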
