From: kanoj@google.engr.sgi.com (Kanoj Sarcar)
To: Erik Corry <erik@arbat.com>
Cc: ak-uu@muc.de, Linux-MM@kvack.org
Subject: Re: Assumed Failure rates in Various o.s's ?
Date: Fri, 21 May 1999 10:23:06 -0700 (PDT) [thread overview]
Message-ID: <199905211723.KAA67838@google.engr.sgi.com> (raw)
In-Reply-To: <19990521120725.A581384@daimi.au.dk> from "Erik Corry" at May 21, 99 12:07:25 pm
>
> > Now for a proposal: I don't see a down(mm->mmap_sem) being done
> > in the code path leading up to calls to __verify_write. Am I missing
> > it? If a down(mm->mmap_sem) were added around __verify_write, you could
> > quit worrying about simultaneous munmaps while an user access function
> > was executing.
>
> I think this is the wrong place. As far as I understand it,
> the verify_write runs before the actual copying takes place.
> So after verify_write has run, while the copy_to_user is
> taking place there can be a page fault (is that even necessary
> on SMP?). While that is happening, the black hat user can do
> an mmap/munmap in another thread. But I haven't really looked
> into it much, I am relying mostly on hearsay here.
>
Note that verify_write loops thru pages, making them go to the
proper state. While the pages in the first vma have been verified,
the code might fault verifying pages in the second vma. It gives
up the kernel lock, letting another thread munmap the already
verified vma, and replace it with a readonly vma. I didn't
see any checks to prevent this .. thus my proposal for the mmap_sem
in this path. On a differnt note, check out
http://humbolt.nl.linux.org/lists/linux-mm/1999-05/msg00022.html
about why the mmap_sem is needed anyways for correctness.
If this were done, say the copy_to_user faults (with the kernel_lock
held by caller of copy_to_user). Then, the fault handling code will
grab mmap_sem, before possibly going to sleep releasing the kernel_lock.
No munmaps can happen since mmap_sem is held.
Kanoj
--
To unsubscribe, send a message with 'unsubscribe linux-mm my@address'
in the body to majordomo@kvack.org. For more info on Linux MM,
see: http://humbolt.geo.uu.nl/Linux-MM/
prev parent reply other threads:[~1999-05-21 17:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <199905191428.QAA1295681@beryllium.daimi.au.dk>
1999-05-19 17:37 ` Kanoj Sarcar
1999-05-21 10:07 ` Erik Corry
1999-05-21 14:25 ` Benjamin C.R. LaHaise
1999-05-21 14:54 ` Erik Corry
1999-05-21 16:02 ` Benjamin C.R. LaHaise
1999-05-21 17:06 ` Kanoj Sarcar
1999-05-21 17:23 ` Kanoj Sarcar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=199905211723.KAA67838@google.engr.sgi.com \
--to=kanoj@google.engr.sgi.com \
--cc=Linux-MM@kvack.org \
--cc=ak-uu@muc.de \
--cc=erik@arbat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox