From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Andrew Morton <akpm@osdl.org>, Linux Kernel list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ppc64: Fix possible race with set_pte on a present PTE
Date: Mon, 24 May 2004 14:13:08 +1000
Message-ID: <1085371988.15281.38.camel@gaston>
In-Reply-To: <Pine.LNX.4.58.0405232046210.25502@ppc970.osdl.org>
On Mon, 2004-05-24 at 13:47, Linus Torvalds wrote:
> On Mon, 24 May 2004, Benjamin Herrenschmidt wrote:
> >
> > There is a subtle race which can cause set_pte to be called on ppc64 on
> > a PTE that is already present (that normally doesn't happen for us) and
> > which itself, in the proper race condition, can trigger a duplicate hash
> > entry to be added to the hash table (very bad).
>
> So how exactly can the pte already be present? It's definitely illegal,
> since if that actually happened, that would imply a memory leak (whatever
> previous page was there just got silently dropped).
Paulus and I identified a couple of cases in the page fault path. One typical one is
the software accessed bit thing at the end of handle_pte_fault() where we can
do

	entry = pte_mkyoung(entry);
	ptep_establish(vma, address, pte, entry);
	update_mmu_cache(vma, address, entry);

on a PTE that is present. That normally shouldn't happen, as since the PTE is
present, we shouldn't have reached do_page_fault() in the first place, but
there is a window where that can happen, though that would be broken userspace
code.
Typically, you can have a thread faulting on a page. It goes through hash_page,
doesn't find the entry, and gets to do_page_fault(). However, just before it
takes the mm sem, another thread actually mmap's that page in. Thus we end up
in handle_pte_fault() with a present PTE which has a valid mapping already.
The risk here is that since we have a present PTE, we can at any time (another
thread/cpu?) get it into the hash table. Our set_pte would then possibly replace
the valid PTE entry (with the same valid PTE entry) except that we lost the
HASH_PTE bit and hash index, thus we lose track of the one already in the hash
table in any case. That means we leave a dangling PTE in the hash, which is a very
bad thing.
I agree the race is very small and only possible with broken userland code, I
suppose, but it could create all sorts of bad things with the kernel, so it
needs to be fixed anyway. (It can panic on iSeries for example, or cause
undefined MMU behaviour.)
There might be other similar cases where we set_pte a present PTE; that's
the one we have analyzed.
Ben.
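The interleaving Ben describes is easier to see with the PTE state written down. The following is an added illustration, not code from the kernel or from this patch: it models a PTE whose low bits record whether (and in which hash-group slot) the entry has been inserted into the hash table, then replays the race with a blind set_pte that writes a stale snapshot, and beside it an update that keeps the live hash-tracking bits. The bit positions, the slot count and the helper names (hash_insert, hash_invalidate, set_pte_blind, set_access_flags, replay) are assumptions made for this example and do not reflect the real ppc64 layout.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed PTE layout for this example (assumption, not the real ppc64 one). */
#define _PAGE_PRESENT   0x001ULL
#define _PAGE_ACCESSED  0x002ULL
#define _PAGE_HASHPTE   0x004ULL   /* a hash-table entry exists for this PTE */
#define _PAGE_GROUP_IX  0x038ULL   /* 3-bit slot index of that entry (bits 3..5) */
#define HASH_TRACK_BITS (_PAGE_HASHPTE | _PAGE_GROUP_IX)
#define PTE_PFN_SHIFT   12

typedef uint64_t pte_t;

/* Minimal stand-in for the hardware hash table: one valid flag per slot. */
#define HASH_SLOTS 8
static struct { bool valid; uint64_t pfn; } hash_table[HASH_SLOTS];

/* Number of hash entries still marked valid; used to detect dangling ones. */
static int hash_count(void)
{
	int n = 0;
	for (int i = 0; i < HASH_SLOTS; i++)
		n += hash_table[i].valid;
	return n;
}

/* Models hash_page() on another CPU: insert the present PTE into the hash
 * and remember the slot in the PTE's own tracking bits. */
static void hash_insert(pte_t *ptep, int slot)
{
	hash_table[slot].valid = true;
	hash_table[slot].pfn = *ptep >> PTE_PFN_SHIFT;
	*ptep |= _PAGE_HASHPTE | ((pte_t)slot << 3);
}

/* Models the unmap path: it can only find the hash entry through the
 * tracking bits stored in the PTE. Returns false when the PTE claims
 * there is nothing to invalidate, i.e. the entry is now dangling. */
static bool hash_invalidate(pte_t *ptep)
{
	if (!(*ptep & _PAGE_HASHPTE))
		return false;
	int slot = (int)((*ptep & _PAGE_GROUP_IX) >> 3);
	hash_table[slot].valid = false;
	*ptep &= ~HASH_TRACK_BITS;
	return true;
}

/* Blind set_pte: stores the caller's value verbatim. The caller's value was
 * derived from a snapshot taken before the other CPU ran hash_insert, so
 * the tracking bits are silently dropped. */
static void set_pte_blind(pte_t *ptep, pte_t val)
{
	*ptep = val;
}

/* Preserving update (assumed for this example): only the flag bits the
 * caller changed are applied; HASHPTE and the slot index come from the
 * live PTE, never from the stale snapshot. */
static void set_access_flags(pte_t *ptep, pte_t val)
{
	pte_t keep = *ptep & HASH_TRACK_BITS;
	*ptep = (val & ~HASH_TRACK_BITS) | keep;
}

/* Replay the race from the mail with the given update function.
 * Returns the number of hash entries left valid after the page is unmapped:
 * 0 means the hash was cleaned up, 1 means a dangling entry was left behind. */
static int replay(void (*update)(pte_t *, pte_t))
{
	memset(hash_table, 0, sizeof hash_table);
	/* Thread B has just mmap'ed the page: PTE is present, not yet hashed. */
	pte_t pte = ((pte_t)0x1234 << PTE_PFN_SHIFT) | _PAGE_PRESENT;
	/* Thread A, already past hash_page(), reaches handle_pte_fault() and
	 * takes its copy of the (present) PTE. */
	pte_t entry = pte;
	/* Meanwhile another CPU touches the page and hash_page() inserts it. */
	hash_insert(&pte, 5);
	/* Thread A: entry = pte_mkyoung(entry); set_pte(...) with the stale copy. */
	update(&pte, entry | _PAGE_ACCESSED);
	/* Later unmap: relies on the PTE's tracking bits to find the hash entry. */
	hash_invalidate(&pte);
	return hash_count();
}

int main(void)
{
	printf("blind set_pte      : %d dangling hash entries\n", replay(set_pte_blind));
	printf("preserving update  : %d dangling hash entries\n", replay(set_access_flags));
	return 0;
}
```

The point of the model is the asymmetry Ben describes: the stale copy in `entry` is a perfectly valid PTE, so nothing in the blind store looks wrong, yet after it the PTE no longer knows a hash entry exists, and the later invalidation has nothing to clear.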