From: Chris Mason <mason@suse.com>
To: linux-kernel@vger.kernel.org, akpm@osdl.org, andrea@suse.de
Subject: [RFC] copy_from_user races with readpage
Date: Wed, 19 Apr 2006 13:18:45 -0400
Message-ID: <200604191318.45738.mason@suse.com>
Hello everyone,
I've been working with IBM on a long standing bug where zeros unexpectedly pop
up during a disk certification test. We tracked it down to copy_from_user.
A simplified form of the test works like this:
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

char buffer[4096], buf2[4096];

int main(void)
{
	int fd, pid;

	memset(buffer, 0x5a, 4096);
	fd = open("/dev/some_disk", O_RDWR);
	write(fd, buffer, 4096);
	pid = fork();
	if (pid) {
		/* parent: read the same block over and over */
		while (1) {
			lseek(fd, 0, SEEK_SET);
			read(fd, buf2, 4096);
		}
	} else {
		/* child: rewrite the identical pattern over and over */
		while (1) {
			lseek(fd, 0, SEEK_SET);
			write(fd, buffer, 4096);
		}
	}
}
First we fill a given block in the file with a specific pattern. Then we
fork. One proc writes that exact same pattern over and over, and the other
proc reads from the block over and over.
The reads and writes race, but you would expect the read to always see the
0x5a pattern. If we introduce enough memory pressure, sometimes the read
sees zeros instead of the pattern because of kmap_atomic:
cpu1                              cpu2
file_write
(page now up to date)
file_write                        file_read
  __copy_from_user (atomic)
                                  file_read_actor
                                  copy_to_user
  __copy_from_user (non-atomic)
The first copy_from_user fails because of a page fault. So, the destination
page is zero filled, which is the data found by file_read_actor(). The second
copy_from_user succeeds and puts the proper data in the page.
The solution seems to be a non-zeroing copy_from_user, but this is only
required on arches where kmap_atomic incs the preemption count. Andrea has a
patch for i386 that does this (small and obvious), along with some memsets to
zero out the kernel page when copy_from_user fails.
This feature has been present for quite a while, and I think it should be
fixed. But before we go through making a patch for ppc (any other arches
affected?) I wanted to poll here and make sure people agreed the zeros are
not correct.
-chris
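The interleaving in the cpu1/cpu2 diagram above, replayed deterministically in user space (an added model for this page, not kernel code and not part of the original mail): a page that is already up to date holds the 0x5a pattern, the atomic copy faults partway through it, a reader snapshots the page before the non-atomic retry lands. The function names, the fixed fault offset FAULT_AT and the two copy variants are this example's own assumptions; the "zeroing" variant stands in for the i386 __copy_from_user_inatomic behaviour the mail describes, the "non-zeroing" one for the proposed fix.

```c
/*
 * Added model of the copy_from_user race. Single-threaded and deterministic:
 * it emulates the two copy strategies and the cpu1/cpu2 interleaving from
 * the mail. Names and the fault offset are assumptions of this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define PATTERN   0x5a
#define FAULT_AT  1000   /* assumed: the user page faults after this many bytes */

/* Stand-in for __copy_from_user_inatomic as the mail describes it on i386:
 * on a fault it zero-fills the part of the destination it could not copy.
 * Returns the number of bytes NOT copied, like the real helper. */
static size_t copy_from_user_inatomic_zeroing(uint8_t *dst, const uint8_t *src,
                                               size_t n, size_t fault_at)
{
	if (fault_at >= n) {
		memcpy(dst, src, n);
		return 0;
	}
	memcpy(dst, src, fault_at);
	memset(dst + fault_at, 0, n - fault_at);   /* where the zeros come from */
	return n - fault_at;
}

/* Stand-in for the proposed non-zeroing variant: the tail is left untouched,
 * so an already up-to-date page keeps its old (valid) contents. */
static size_t copy_from_user_inatomic_nonzeroing(uint8_t *dst, const uint8_t *src,
                                                  size_t n, size_t fault_at)
{
	if (fault_at >= n) {
		memcpy(dst, src, n);
		return 0;
	}
	memcpy(dst, src, fault_at);
	return n - fault_at;
}

typedef size_t (*inatomic_copy_fn)(uint8_t *, const uint8_t *, size_t, size_t);

/*
 * Plays the interleaving from the diagram:
 *   cpu1: atomic copy faults partway through the (already up-to-date) page
 *   cpu2: file_read_actor / copy_to_user hands the page to a reader
 *   cpu1: non-atomic copy completes and writes the proper data
 * Returns true if the reader's snapshot contained any zero byte.
 */
static bool reader_sees_zeros(inatomic_copy_fn inatomic, size_t fault_at)
{
	uint8_t page[PAGE_SIZE], user[PAGE_SIZE], reader[PAGE_SIZE];

	memset(page, PATTERN, sizeof page);   /* first write: page now up to date */
	memset(user, PATTERN, sizeof user);   /* writer keeps using the same pattern */

	/* cpu1: atomic attempt fails because the user page is not present */
	size_t left = inatomic(page, user, PAGE_SIZE, fault_at);

	/* cpu2: concurrent read copies whatever the page holds right now */
	memcpy(reader, page, PAGE_SIZE);

	/* cpu1: fallback non-atomic copy succeeds and writes the real data */
	if (left)
		memcpy(page, user, PAGE_SIZE);

	for (size_t i = 0; i < PAGE_SIZE; i++)
		if (reader[i] == 0)
			return true;
	return false;
}

int main(void)
{
	printf("zeroing copy, reader sees zeros:     %s\n",
	       reader_sees_zeros(copy_from_user_inatomic_zeroing, FAULT_AT) ? "yes" : "no");
	printf("non-zeroing copy, reader sees zeros: %s\n",
	       reader_sees_zeros(copy_from_user_inatomic_nonzeroing, FAULT_AT) ? "yes" : "no");
	return 0;
}
```

Run stand-alone it prints "yes" for the zeroing variant and "no" for the non-zeroing one; with no fault at all (FAULT_AT at or beyond PAGE_SIZE) both variants behave identically. The model only covers the case the mail describes, where the fallback copy succeeds; it says nothing about what the page should hold if the non-atomic copy fails too.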
Thread overview (8+ messages):
2006-04-19 17:18  Chris Mason  [this message]
2006-04-19 20:41  Andrew Morton  [RFC] copy_from_user races with readpage
2006-04-19 21:38  Andrew Morton
2006-04-19 22:18  Neil Brown
2006-04-19 23:36  Andrea Arcangeli
2006-04-28  2:04  NeilBrown  [PATCH INTRO] Re: [RFC] copy_from_user races with readpage, [PATCH 000 of 2] Introduction
2006-04-28  2:10  NeilBrown  [PATCH 001 of 2] Prepare for __copy_from_user_inatomic to not zero missed bytes
2006-04-28  2:10  NeilBrown  [PATCH 002 of 2] Make copy_from_user_inatomic NOT zero the tail on i386