Date: Wed, 11 Nov 2015 09:03:47 -0800
From: Davidlohr Bueso
Subject: Re: [PATCH, RESEND] ipc/shm: handle removed segments gracefully in shm_mmap()
Message-ID: <20151111170347.GA3502@linux-uzut.site>
References: <1447232220-36879-1-git-send-email-kirill.shutemov@linux.intel.com>
In-Reply-To: <1447232220-36879-1-git-send-email-kirill.shutemov@linux.intel.com>
To: "Kirill A. Shutemov"
Cc: Andrew Morton, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Dmitry Vyukov

On Wed, 11 Nov 2015, Kirill A. Shutemov wrote:
>remap_file_pages(2) emulation can reach file which represents removed
>IPC ID as long as a memory segment is mapped. It breaks expectations
>of IPC subsystem.
>
>Test case (rewritten to be more human readable, originally autogenerated
>by syzkaller[1]):
>
>	#define _GNU_SOURCE
>	#include <sys/ipc.h>	/* IPC_PRIVATE, IPC_RMID */
>	#include <sys/shm.h>	/* shmget(), shmat(), shmctl() */
>	#include <sys/mman.h>	/* remap_file_pages() */
>
>	#define PAGE_SIZE 4096
>
>	int main()
>	{
>		int id;
>		void *p;
>
>		/* create a private 3-page segment and attach it */
>		id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
>		p = shmat(id, NULL, 0);
>		/* mark the ID for removal while the segment is still mapped */
>		shmctl(id, IPC_RMID, NULL);
>		/* the remap_file_pages(2) emulation goes through shm_mmap() again */
>		remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
>
>		return 0;
>	}
>
>The patch changes shm_mmap() and code around shm_lock() to propagate
>locking error back to caller of shm_mmap().
>
>[1] http://github.com/google/syzkaller

So this is a very similar approach that I posted back when this discussion
arose: https://lkml.org/lkml/2015/10/12/959 -- There are a few differences
for which I prefer mine :)

o My shm_check_vma_validity() also deals with IPC_RMID as we do the
  ipc_valid_object() check.
o We have a new WARN where necessary, instead of having one now in shm_open.
o My no-ops explicitly pair.

[...]

> ret = sfd->file->f_op->mmap(sfd->file, vma);
>- if (ret != 0)
>+ if (ret) {
>+ shm_close(vma);
> return ret;
>+ }

Hmm what's this shm_close() about?

Thanks,
Davidlohr

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: email@kvack.org
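Review bot: the new `shm_close(vma)` on the mmap failure path (`+ shm_close(vma);`) has no visible counterpart in this hunk, so a reader cannot tell which earlier open or reference it is meant to undo; add a one-line comment naming what it balances, or, if the caller already releases that reference when `shm_mmap()` fails, drop it so the error path does not close twice. Separately, `if (ret != 0)` to `if (ret)` is a cosmetic change folded into a functional fix; keeping the hunk to the functional change makes the fix easier to review and backport.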
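To make the lifecycle behind the quoted test case visible, here is an added userspace model (example code written for this page; it is neither kernel code nor part of either poster's patch) of how a segment marked IPC_RMID while still attached can vanish between the teardown of the old mapping and the `shm_mmap()` call for the new one, and why a lock failure at that point must be returned to the caller rather than treated as impossible. The model's assumptions, labelled in the comments, are: a removal while attached only sets a destroy-on-last-detach flag; the remap emulation closes the old mapping before opening the new one; a failed lookup is reported as `-EIDRM`. All names prefixed `model_` and the `replay_test_case()` helper are constructed for this example.

```c
/*
 * Added example: userspace model of the shm open/close/remove lifecycle.
 * Not kernel code. Assumptions: IPC_RMID on an attached segment only sets
 * a destroy-on-last-detach flag; the remap_file_pages(2) emulation closes
 * the old mapping before calling the file's mmap for the new one; a lookup
 * of a removed ID reports -EIDRM (the model's choice of errno).
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MODEL_SHM_DEST 01000   /* model flag: destroy when the last mapping closes */
#define MAX_IDS 8

struct model_shm {
    bool in_use;      /* slot allocated in the model's idr-like table */
    unsigned mode;    /* MODEL_SHM_DEST lives here */
    int nattch;       /* number of live mappings */
};

static struct model_shm ids[MAX_IDS];

/* Lock lookup: returns the object, or NULL with *err set (models ERR_PTR). */
static struct model_shm *model_shm_lock(int id, int *err)
{
    if (id < 0 || id >= MAX_IDS || !ids[id].in_use) {
        *err = -EIDRM;   /* model's errno for an ID that no longer exists */
        return NULL;
    }
    *err = 0;
    return &ids[id];
}

static int model_shmget(void)
{
    for (int id = 0; id < MAX_IDS; id++) {
        if (!ids[id].in_use) {
            memset(&ids[id], 0, sizeof ids[id]);
            ids[id].in_use = true;
            return id;
        }
    }
    return -ENOSPC;
}

/* Mapping open. propagate_error=false models the old "cannot fail" path. */
static int model_shm_open(int id, bool propagate_error, bool *hit_bug)
{
    int err;
    struct model_shm *shp = model_shm_lock(id, &err);

    if (!shp) {
        if (!propagate_error) {
            *hit_bug = true;   /* stands in for a BUG on an invalid object */
            return 0;          /* the model cannot crash, so it flags it */
        }
        return err;            /* fixed behaviour: caller sees the error */
    }
    shp->nattch++;
    return 0;
}

static void model_shm_close(int id)
{
    int err;
    struct model_shm *shp = model_shm_lock(id, &err);

    if (!shp)
        return;
    shp->nattch--;
    if (shp->nattch == 0 && (shp->mode & MODEL_SHM_DEST))
        shp->in_use = false;   /* the ID disappears here */
}

static int model_shm_rmid(int id)
{
    int err;
    struct model_shm *shp = model_shm_lock(id, &err);

    if (!shp)
        return err;
    if (shp->nattch)
        shp->mode |= MODEL_SHM_DEST;   /* still mapped: defer destruction */
    else
        shp->in_use = false;
    return 0;
}

/* Model of the remap emulation: drop the old mapping, then open the new one. */
static int model_remap_file_pages(int id, bool fixed_kernel, bool *hit_bug)
{
    model_shm_close(id);                                /* old mapping closes */
    return model_shm_open(id, fixed_kernel, hit_bug);   /* shm_mmap() for new */
}

/* Replays shmget/shmat/IPC_RMID/remap; returns remap's result, sets *hit_bug. */
int replay_test_case(bool fixed_kernel, bool *hit_bug)
{
    int id = model_shmget();

    *hit_bug = false;
    model_shm_open(id, true, hit_bug);   /* shmat() */
    model_shm_rmid(id);                  /* shmctl(IPC_RMID) */
    return model_remap_file_pages(id, fixed_kernel, hit_bug);
}
```

With `fixed_kernel` set, `replay_test_case()` returns `-EIDRM` and no bug flag is raised; with it clear, the open after the removal trips the bug flag, which is the crash the syzkaller case provoked. The model also shows why a reviewer asks about the extra close on the error path: once the open has failed, the attach count was never incremented, so there is nothing for a close to balance.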