From: Peter Horton <pdh@colonel-panic.org>
To: Ralf Baechle <ralf@linux-mips.org>
Cc: Peter Horton <pdh@colonel-panic.org>,
linux-mips@linux-mips.org, linux-kernel@vger.kernel.org
Subject: Re: Possible shared mapping bug in 2.4.23 (at least MIPS/Sparc)
Date: Sat, 13 Dec 2003 18:08:28 +0000
Message-ID: <20031213180828.GA480@skeleton-jack>
In-Reply-To: <20031213160536.GA13271@linux-mips.org>

On Sat, Dec 13, 2003 at 05:05:36PM +0100, Ralf Baechle wrote:
> On Sat, Dec 13, 2003 at 11:41:34AM +0000, Peter Horton wrote:
>
> > The current MIPS 2.4 kernel (from CVS) currently allows fixed shared
> > mappings to violate D-cache aliasing constraints.
> >
> > The check for illegal fixed mappings is done in
> > arch_get_unmapped_area(), but these mappings are granted in
> > get_unmapped_area() and arch_get_unmapped_area() is never called.
> >
> > A quick look at sparc and sparc64 seems to show the same problem.
>
> Ehh... <asm/pgtable.h> defines HAVE_ARCH_UNMAPPED_AREA therefore
> get_unmapped_area calls the arch's version of arch_get_unmapped_area
> instead of the generic version in mm/mmap.c
>
arch_get_unmapped_area() never gets called because get_unmapped_area()
notices the MAP_FIXED flag and returns success.

In the example below the second mmap() should fail because it violates
the shm_align_mask.

P.

pdh@qube2:~$ uname -a
Linux qube2 2.4.23 #2 Sat Dec 13 18:03:10 GMT 2003 mips unknown
pdh@qube2:~$ ./shared
0xdeadbeef 0
pdh@qube2:~$ cat shared.c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/user.h>

int main(int argc, char *argv[])
{
	static char zero;
	void *p1, *p2;
	int fd;

	fd = open("/tmp/test.shared", O_CREAT|O_RDWR|O_TRUNC, 0664);
	if(fd == -1)
		return 1;

	unlink("/tmp/test.shared");

	lseek(fd, PAGE_SIZE - 1, SEEK_SET);
	if(write(fd, &zero, 1) != 1)
		return 1;

	p1 = mmap(NULL, PAGE_SIZE, PROT_READ, MAP_SHARED, fd, 0);
	if(p1 == MAP_FAILED)
		return 1;

	p2 = mmap(p1 + PAGE_SIZE, PAGE_SIZE, PROT_WRITE, MAP_SHARED|MAP_FIXED, fd, 0);
	if(p2 == MAP_FAILED || p2 - p1 != PAGE_SIZE)
		return 1;

	*(int *) p2 = 0xdeadbeef;

	printf("%#x %#x\n", *(int *) p2, *(int *) p1);

	return 0;
}
pdh@qube2:~$
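
The control flow described in the message above, as an added user-space model that is not part of the original message and is not kernel source. The model_* names, the flag values, the 16 KiB alias span behind shm_align_mask and the sample address are assumptions made for the illustration; the colour check follows the usual form of comparing the mapping address against the file offset under shm_align_mask.

```c
#include <stdio.h>
#include <errno.h>

#define MODEL_PAGE_SHIFT 12
#define MODEL_PAGE_SIZE  (1UL << MODEL_PAGE_SHIFT)
#define MODEL_MAP_SHARED 0x01   /* model flag values, not the MIPS ABI ones */
#define MODEL_MAP_FIXED  0x10

/* Assumed alias span of 16 KiB (constructed value): four page colours. */
static const unsigned long shm_align_mask = 0x4000UL - 1;

/* Arch-side check: a fixed shared mapping must have the same cache colour
 * as the file offset it maps, or two views of one page can alias. */
static long model_arch_get_unmapped_area(unsigned long addr, unsigned long pgoff, int flags)
{
    if (flags & MODEL_MAP_FIXED) {
        if ((flags & MODEL_MAP_SHARED) &&
            ((addr - (pgoff << MODEL_PAGE_SHIFT)) & shm_align_mask))
            return -EINVAL;
        return (long)addr;
    }
    return -ENOMEM; /* address search is not modelled here */
}

/* Flow reported in the message: MAP_FIXED succeeds before the arch hook runs. */
static long model_gua_reported(unsigned long addr, unsigned long pgoff, int flags)
{
    if (flags & MODEL_MAP_FIXED)
        return (long)addr;
    return model_arch_get_unmapped_area(addr, pgoff, flags);
}

/* Hypothetical flow in which the arch hook also sees fixed mappings. */
static long model_gua_checked(unsigned long addr, unsigned long pgoff, int flags)
{
    return model_arch_get_unmapped_area(addr, pgoff, flags);
}

int main(void)
{
    unsigned long p1 = 0x2aaa8000UL;          /* constructed address of the first mapping */
    unsigned long p2 = p1 + MODEL_PAGE_SIZE;  /* target of the second mmap() in shared.c */
    int flags = MODEL_MAP_SHARED | MODEL_MAP_FIXED;

    printf("reported flow: %ld\n", model_gua_reported(p2, 0, flags));
    printf("checked flow:  %ld\n", model_gua_checked(p2, 0, flags));
    return 0;
}
```

In the model, the second mapping from shared.c (file offset 0 at p1 + PAGE_SIZE) is granted by the reported flow and rejected with -EINVAL once the colour check is reached; the same address is accepted for page offset 1, where address and offset share a colour.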