Re: [RFC] invalidate_mmap_range() misses remap_file_pages()-affected targets

[William Lee Irwin III <wli@holomorphy.com>]

On Sun, Oct 12, 2003 at 04:53:32AM -0700, Andrew Morton wrote:
> I was going to just not bother about this wart.  After all, we get to write
> the standard on remap_file_pages(), and we can say "the
> truncate-causes-SIGBUS thing doesn't work".  After all, it is not very
> useful.
> But I wonder if this effect could be used maliciously.  Say, user A has
> read-only access to user B's file, and uses that access to set up a
> nonlinear mapping thereby causing user B's truncate to not behave
> correctly.  But this example is OK, isn't it?  User A will just receive an
> anonymous page for his troubles.
> Can you think of any stability or security scenario which says that we
> _should_ implement the conventional truncate behaviour?

At some point we burned a bit of effort to ensure we wiped all the ptes
and all the faulting looped until we finished when we vmtruncate();
not handling is a loophole in that, and if anything assumes it won't
find vmtruncate()'s orphans in-kernel, it will break. Apart from that
it's not so large an issue. I'm not so much attached to coddling
userspace (remap_file_pages() users should not be naive) as to shoring
up invalidate_mmap_range() with its intent (unmapping file offset ranges
instead of virtualspace ranges). Someone else might scream later.

Also, tlb_remove_tlb_entry()'s ordering with ptep_get_and_clear() seems
to be handled on ppc* by not having ptep_get_and_clear() fully clear the
pte, which is disturbing, but a sign ppc* maintainers already handle it.


-- wli