From: Hugh Dickins <hugh@veritas.com>
To: Robin Holt <holt@sgi.com>
Cc: Roland McGrath <roland@redhat.com>, linux-mm@kvack.org
Subject: Re: get_user_pages() with write=1 and force=1 gets read-only pages.
Date: Sat, 30 Jul 2005 23:13:06 +0100 (BST)
Message-ID: <Pine.LNX.4.61.0507302255390.5143@goblin.wat.veritas.com>
In-Reply-To: <20050730205319.GA1233@lnx-holt.americas.sgi.com>

On Sat, 30 Jul 2005, Robin Holt wrote:

> I am chasing a bug which I think I understand, but would like some
> confirmation.
> 
> I believe I have two processes calling get_user_pages at approximately
> the same time.  One is calling with write=0.  The other with write=1
> and force=1.  The vma has the vm_ops->nopage set to filemap_nopage.
> 
> Both faulters get to the point in do_no_page of being ready to insert
> the pte.  The first one to get the mm->page_table_lock must be the reader.
> The readable pte gets inserted and results in the writer detecting the
> pte and returning VM_FAULT_MINOR.
> 
> Upon return, the writer then does 'lookup_write = write && !force;'
> and then calls follow_page without having the write flag set.
> 
> Am I on the right track with this?

I do believe you are.  Twice I've inserted fault code to cope with that
"surely no longer have a shared page we shouldn't write" assumption,
but I think you've just demonstrated that it's inherently unsafe.

Certainly goes against the traditional grain of fault handlers, which can
just try again when in doubt - as in the pte_same checks you've observed.

> Is the correct fix to not just pass in the write flag untouched?

I don't understand you there.  Suspect you're confusing me with that
"not", which perhaps expresses hesitancy, but shouldn't be there?

But the correct fix would not be to pass in the write flag untouched:
it's trying to avoid an endless loop of finding the pte not writable
when ptrace is modifying a page which the user is currently protected
against writing to (setting a breakpoint in readonly text, perhaps?).

get_user_pages is hard!  I don't know the right answer offhand,
but thank you for posing a good question.

> I believe the change was made by Roland
> McGrath, but I don't see an email address for him.

I've CC'ed roland@redhat.com

Hugh
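
Added example, not part of the original message and not kernel code: a userspace model of the retry loop this exchange describes, showing both the race Robin reports and the endless loop Hugh says the flag reset is there to avoid. All `model_*` names and the `page_kind` enum are hypothetical, and the model assumes a write fault that did not lose the race breaks copy-on-write and leaves a private copy.

```c
/* Userspace model of the retry loop discussed above; not kernel code.
 * All model_* names and the page_kind enum are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum page_kind { NO_PAGE, SHARED_FILE_PAGE, PRIVATE_COPY };
struct pte { enum page_kind page; bool writable; };

/* Lookup fails if no pte is present, or if a writable pte is required. */
static enum page_kind model_follow_page(const struct pte *pte, bool write)
{
    return (pte->page == NO_PAGE || (write && !pte->writable)) ? NO_PAGE : pte->page;
}

/* Write fault. If the reader won the race for the page table lock, its
 * read-only pte to the shared page is already there and the writer's fault
 * returns (VM_FAULT_MINOR) without changing it. Otherwise assume COW is broken. */
static void model_write_fault(struct pte *pte, bool vma_writable, bool reader_won)
{
    pte->page = reader_won ? SHARED_FILE_PAGE : PRIVATE_COPY;
    /* The pte stays read-only when the user is protected against writing. */
    pte->writable = !reader_won && vma_writable;
}

/* keep_write_flag=false models 'lookup_write = write && !force;' after a fault;
 * true models passing the write flag untouched. NO_PAGE as a result means the
 * loop never terminated (this model gives up after 8 faults). */
static enum page_kind model_gup(bool force, bool vma_writable,
                                bool reader_wins, bool keep_write_flag)
{
    struct pte pte = { NO_PAGE, false };
    bool write = true, lookup_write = write;
    enum page_kind page;
    int faults = 0;
    while ((page = model_follow_page(&pte, lookup_write)) == NO_PAGE) {
        if (++faults > 8)
            return NO_PAGE;
        model_write_fault(&pte, vma_writable, reader_wins);
        reader_wins = false;  /* the race can only be lost on the first fault */
        if (!keep_write_flag)
            lookup_write = write && !force;
    }
    return page;
}

int main(void)
{
    printf("force, reader wins: %d; write flag kept: %d\n",
           model_gup(true, false, true, false), model_gup(true, false, true, true));
    return 0;
}
```

In the model, the forced writer that loses the race ends up holding the shared page, while keeping the write flag on a mapping the user may not write never terminates; without force, the retry alone recovers from the lost race.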