Bugs on your remap_file_pages protections implementations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Ingo, I'm the young UML hacker you met at OLS and who got your UML patches 
sent ;-)

I've been studying your patch (and the whole Linux VM, indeed) in the past 
days, and I have some remarks, about the version of the code in 2.6.4-rc2-mm1 
(which is the same you sent me) - I've now downloaded the version dropped 
from 2.6.5-mm1, but it doesn't seem to address those problems.

Btw, I've now seen why that patch was dropped, but not why it wasn't resubmit.

*) with your patch, remapped pages without MAP_INHERIT are IMHO not safe 
across swapout; re-swapping them in will pass through the arch-specific fault 
handler, which will check VMA's protections, and fail if the VMA originally 
had MAP_NONE. Or am I missing something?

*) with the same binary, a call to mprotect() on a nonlinear VMA will no more 
change the protections over fremap'ed PTEs (more exactly, PTEs going through 
handle_pte_fault->do_file_page(), but it seems that _PAGE_FILE is only set by 
fremap()).

Currently mprotect fixes up the VMA and changes the protections for present 
pages (see mm/mprotect.c:change_pte_range(), it's a no-op on not-present 
pages). On not-present pages, the new VMA protections are loaded, even in 
do_file_page.

I propose adding a VM_NOINHERIT flag (reusing VM_MAPPED_COPY on MMU archs) to 
be set on VMA's on which protections are not to be inherited.

Normal VMA's behave as before, as soon as I remap_file_pages without 
MAP_INHERIT (or with MAP_NOINHERIT, see below) that flag is set on the VMA, 
on which, then, mprotect won't work.

*) btw, adding a new syscall is not needed, adding a MAP_NOINHERIT flag for 
remap_file_pages to ask for the new behaviour is more than enough:

(inside sys_remap_file_pages)
-       if (__prot)
-               return err;
+       if (prot && !(flags & MAP_NOINHERIT))
+               goto out;

Also, I've seen that a lot of fixes from your code haven't been merged; in 
particular, currently MAP_PRIVATE |  MAP_POPULATE is broken (while it was 
fixed by your patch, which only required VM_SHARED on the VMA if there was an 
actual non-linear mapping).

*) I don't understand this hunk (inside filemap_populate, not replicated 
inside shmem_populate):

        struct page *page;
        int err;

+       /*
+        * mapping-removal fastpath:
+        */
+       if ((vma->vm_flags & VM_SHARED) &&
+                       (pgprot_val(prot) == pgprot_val(PAGE_NONE))) {
+               zap_page_range(vma, addr, len);
+               return 0;
+       }
+
        if (!nonblock)
                force_page_cache_readahead(mapping, vma->vm_file,

I understand why it's done, but zap_page_range() will totally clear the PTE's, 
it won't set _PAGE_FILE on the PTEs (as far as I can see), causing the pages 
to be faulted again in, and this time linearly. This hunk is still in 
2.6.5-mm1 (or so it seems).

*) I don't understand at all the attached hunks in your patch (there's a long 
description about them). Verified they hadn't been dropped from the patch in 
2.6.5-mm1 (or so it seems).

Note: for 2.6.5-mm1, I'm referring to the patch inside the "dropped" directory 
in the archives.

Bye and thanks for your attention.
-- 
Inform me of my mistakes, so I can keep imitating Homer Simpson's "Doh!".
Paolo Giarrusso, aka Blaisorblade (Skype ID "PaoloGiarrusso", ICQ 215621894)
http://www.user-mode-linux.org/~blaisorblade
This is wrong because both routines can be called from within do_file_page,
which is called when !pte_present(pte) && !pte_none(pte) && pte_file(pte). I.e.
the pte is not zeroed, so it has been used, but the page has been swapped out,
or .

Actually, in that situation ->populate is called with nonblock == 0, so only
install_page can be called there. If ->populate fails, the faulting process
will get a SIGBUS; and this *could* happen.

The other caller is sys_remap_file_page. In that situation, we fail if
!(vma->vm_flags & VM_SHARED), so we don't call ->populate.

Actually, however, we could be called inside mmap for MAP_POPULATE. However,
even in that case, old mappings have already been unmapped away.

And actually, in Ingo's patch things were different, because if
remap_file_pages was called only to change protections, without creating
non-linear mappings, we didn't punt even if the VM was not shared. So,
currently MAP_POPULATE will fail (though without returning any error) if the VMA
is private and not shared, without a real reason to do so.

But again, after mmap'ing an area, even with MAP_POPULATE, old mappings should
have been cleared, so what are we bothering about here?

diff -puN mm/fremap.c~remap-file-pages-prot-2.6.13-rc3-A2 mm/fremap.c
--- linux-2.6.git/mm/fremap.c~remap-file-pages-prot-2.6.13-rc3-A2	2005-08-03 12:41:36.000000000 +0200
+++ linux-2.6.git-paolo/mm/fremap.c	2005-08-03 12:41:36.000000000 +0200
@@ -90,6 +90,14 @@ int install_page(struct mm_struct *mm, s
 	if (!page->mapping || page->index >= size)
 		goto err_unlock;
 
+	/*
+	 * Only install a new page for a non-shared mapping if it's
+	 * not existent yet:
+	 */
+	err = -EEXIST;
+	if (!pte_none(*pte) && !(vma->vm_flags & VM_SHARED))
+		goto err_unlock;
+
 	zap_pte(mm, vma, addr, pte);
 
 	inc_mm_counter(mm,rss);
@@ -136,6 +146,13 @@ int install_file_pte(struct mm_struct *m
 	err = 0;
 	if (linear && pte_none(*pte))
 		goto err_unlock;
+	/*
+	 * Only install a new page for a non-shared mapping if it's
+	 * not existent yet:
+	 */
+	err = -EEXIST;
+	if (!pte_none(*pte) && !(vma->vm_flags & VM_SHARED))
+		goto err_unlock;
 
 	zap_pte(mm, vma, addr, pte);
 


# vim: tw=80


[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux