From: Michel Lespinasse <walken@google.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Robert Święcki" <robert@swiecki.net>,
"Hugh Dickins" <hughd@google.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Miklos Szeredi" <miklos@szeredi.hu>,
"Eric W. Biederman" <ebiederm@xmission.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
"Peter Zijlstra" <a.p.zijlstra@chello.nl>,
"Rik van Riel" <riel@redhat.com>
Subject: Re: [PATCH] mm: fix possible cause of a page_mapped BUG
Date: Wed, 4 May 2011 17:09:40 -0700 [thread overview]
Message-ID: <BANLkTi=D+oe_zyxA1Oj5S36F6Tk0J+26iQ@mail.gmail.com> (raw)
In-Reply-To: <BANLkTingV3eiHEco+36YyM4YTDHFHc9_jA@mail.gmail.com>
FYI, the attached code causes an infinite loop in kernels that have
the 95042f9eb7 commit:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/futex.h>
int *get_stack_guard(void)
{
FILE *map;
char buf[1000];
map = fopen("/proc/self/maps", "r");
if (!map)
return NULL;
while(fgets(buf, 1000, map)) {
long a, b;
char c[1000], d[1000], e[1000], f[1000], g[1000];
if (sscanf(buf, "%lx-%lx %s %s %s %s %s", &a, &b, c, d, e, f, g) == 7 &&
!strcmp(g, "[stack]")) {
fclose(map);
return (int *)(a - 4096);
}
}
fclose(map);
return NULL;
}
int main(void)
{
int *uaddr = get_stack_guard();
syscall(SYS_futex, uaddr, FUTEX_LOCK_PI_PRIVATE, 0, NULL, NULL, 0);
return 0;
}
Linus, I am not sure as to what would be the preferred way to fix
this. One option could be to modify fault_in_user_writeable so that it
passes a non-NULL page pointer, and just does a put_page on it
afterwards. While this would work, this is kinda ugly and would slow
down futex operations somewhat. A more conservative alternative could
be to enable the guard page special case under an new GUP flag, but
this loses much of the elegance of your original proposal...
On Mon, Apr 18, 2011 at 2:15 PM, Michel Lespinasse <walken@google.com> wrote:
> This second patch looks more attractive than the first, but is also
> harder to prove correct. Hugh looked at all gup call sites and
> convinced himself that the change was safe, except for the
> fault_in_user_writeable() site in futex.c which he asked me to look
> at. I am worried that we would have an issue there, as places like
> futex_wake_op() or fixup_pi_state_owner() operate on user memory with
> page faults disabled, and expect fault_in_user_writeable() to set up
> the user page so that they can retry if the initial access failed.
> With this proposal, fault_in_user_writeable() would become inoperative
> when the address is within the guard page; this could cause some
> malicious futex operation to create an infinite loop.
--
Michel "Walken" Lespinasse
A program is never fully debugged until the last user dies.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-05-05 0:09 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-24 5:39 [PATCH] mm: fix possible cause of a page_mapped BUG Hugh Dickins
2011-02-28 23:35 ` Robert Święcki
2011-03-17 15:40 ` Robert Święcki
2011-03-19 5:34 ` Hugh Dickins
2011-04-01 14:34 ` Robert Święcki
2011-04-01 15:44 ` Linus Torvalds
2011-04-01 16:21 ` Robert Święcki
2011-04-01 16:35 ` Linus Torvalds
2011-04-02 4:01 ` Hui Zhu
2011-04-04 13:02 ` Robert Święcki
2011-04-02 1:46 ` Hugh Dickins
2011-04-04 12:46 ` Robert Święcki
2011-04-04 18:30 ` Hugh Dickins
2011-04-05 12:21 ` Robert Święcki
2011-04-05 15:37 ` Linus Torvalds
2011-04-06 14:47 ` Hugh Dickins
2011-04-06 15:32 ` Linus Torvalds
2011-04-06 15:43 ` Hugh Dickins
2011-04-06 15:59 ` Linus Torvalds
2011-04-06 17:54 ` Robert Święcki
2011-04-07 12:41 ` Robert Święcki
2011-04-07 14:24 ` Hugh Dickins
2011-04-12 9:58 ` Robert Święcki
2011-04-12 14:21 ` Linus Torvalds
[not found] ` <BANLkTik6U21r91DYiUsz9A0P--=5QcsBrA@mail.gmail.com>
2011-04-12 16:17 ` Robert Święcki
2011-04-12 17:19 ` Linus Torvalds
2011-04-12 18:59 ` Linus Torvalds
2011-04-12 19:02 ` Robert Święcki
2011-04-12 19:38 ` Linus Torvalds
2011-04-18 21:15 ` Michel Lespinasse
2011-05-05 0:09 ` Michel Lespinasse [this message]
2011-05-05 0:38 ` Linus Torvalds
2011-05-05 1:18 ` Michel Lespinasse
2011-05-05 1:40 ` Linus Torvalds
2011-05-05 3:37 ` Linus Torvalds
2011-05-05 4:26 ` Michel Lespinasse
2011-04-07 14:17 ` Hugh Dickins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='BANLkTi=D+oe_zyxA1Oj5S36F6Tk0J+26iQ@mail.gmail.com' \
--to=walken@google.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=miklos@szeredi.hu \
--cc=riel@redhat.com \
--cc=robert@swiecki.net \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).