From: Andrew Morton <akpm@linux-foundation.org>
To: Cyril Hrubis <chrubis@suse.cz>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/mmap: Check for RLIMIT_AS before unmapping
Date: Thu, 11 Apr 2013 15:57:34 -0700 [thread overview]
Message-ID: <20130411155734.911dc8bf8e555b169191be5a@linux-foundation.org> (raw)
In-Reply-To: <20130402095402.GA6568@rei>
On Tue, 2 Apr 2013 11:54:03 +0200 Cyril Hrubis <chrubis@suse.cz> wrote:
> This patch fixes corner case for MAP_FIXED when requested mapping length
> is larger than rlimit for virtual memory. In such case any overlapping
> mappings are unmapped before we check for the limit and return ENOMEM.
>
> The check is moved before the loop that unmaps overlapping parts of
> existing mappings. When we are about to hit the limit (currently mapped
> pages + len > limit) we scan for overlapping pages and check again
> accounting for them.
>
> This fixes situation when userspace program expects that the previous
> mappings are preserved after the mmap() syscall has returned with error.
> (POSIX clearly states that successfull mapping shall replace any
> previous mappings.)
>
> This corner case was found and can be tested with LTP testcase:
>
> testcases/open_posix_testsuite/conformance/interfaces/mmap/24-2.c
>
> In this case the mmap, which is clearly over current limit, unmaps
> dynamic libraries and the testcase segfaults right after returning into
> userspace.
>
> I've also looked at the second instance of the unmapping loop in the
> do_brk(). The do_brk() is called from brk() syscall and from vm_brk().
> The brk() syscall checks for overlapping mappings and bails out when
> there are any (so it can't be triggered from the brk syscall). The
> vm_brk() is called only from binmft handlers so it shouldn't be
> triggered unless binmft handler created overlapping mappings.
>
> ...
>
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -33,6 +33,7 @@
> #include <linux/uprobes.h>
> #include <linux/rbtree_augmented.h>
> #include <linux/sched/sysctl.h>
> +#include <linux/kernel.h>
>
> #include <asm/uaccess.h>
> #include <asm/cacheflush.h>
> @@ -543,6 +544,34 @@ static int find_vma_links(struct mm_struct *mm, unsigned long addr,
> return 0;
> }
>
> +static unsigned long count_vma_pages_range(struct mm_struct *mm,
> + unsigned long addr, unsigned long end)
> +{
> + unsigned long nr_pages = 0;
> + struct vm_area_struct *vma;
> +
> + /* Find first overlaping mapping */
> + vma = find_vma_intersection(mm, addr, end);
> + if (!vma)
> + return 0;
> +
> + nr_pages = (min(end, vma->vm_end) -
> + max(addr, vma->vm_start)) >> PAGE_SHIFT;
urgh, these things always make my head spin. Is it guaranteed that
end, vm_end, addr and vm_start are all multiples of PAGE_SIZE? If not,
we have a problem don't we?
WARNING: multiple messages have this Message-ID (diff)
From: Andrew Morton <akpm@linux-foundation.org>
To: Cyril Hrubis <chrubis@suse.cz>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/mmap: Check for RLIMIT_AS before unmapping
Date: Thu, 11 Apr 2013 15:57:34 -0700 [thread overview]
Message-ID: <20130411155734.911dc8bf8e555b169191be5a@linux-foundation.org> (raw)
In-Reply-To: <20130402095402.GA6568@rei>
On Tue, 2 Apr 2013 11:54:03 +0200 Cyril Hrubis <chrubis@suse.cz> wrote:
> This patch fixes corner case for MAP_FIXED when requested mapping length
> is larger than rlimit for virtual memory. In such case any overlapping
> mappings are unmapped before we check for the limit and return ENOMEM.
>
> The check is moved before the loop that unmaps overlapping parts of
> existing mappings. When we are about to hit the limit (currently mapped
> pages + len > limit) we scan for overlapping pages and check again
> accounting for them.
>
> This fixes situation when userspace program expects that the previous
> mappings are preserved after the mmap() syscall has returned with error.
> (POSIX clearly states that successfull mapping shall replace any
> previous mappings.)
>
> This corner case was found and can be tested with LTP testcase:
>
> testcases/open_posix_testsuite/conformance/interfaces/mmap/24-2.c
>
> In this case the mmap, which is clearly over current limit, unmaps
> dynamic libraries and the testcase segfaults right after returning into
> userspace.
>
> I've also looked at the second instance of the unmapping loop in the
> do_brk(). The do_brk() is called from brk() syscall and from vm_brk().
> The brk() syscall checks for overlapping mappings and bails out when
> there are any (so it can't be triggered from the brk syscall). The
> vm_brk() is called only from binmft handlers so it shouldn't be
> triggered unless binmft handler created overlapping mappings.
>
> ...
>
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -33,6 +33,7 @@
> #include <linux/uprobes.h>
> #include <linux/rbtree_augmented.h>
> #include <linux/sched/sysctl.h>
> +#include <linux/kernel.h>
>
> #include <asm/uaccess.h>
> #include <asm/cacheflush.h>
> @@ -543,6 +544,34 @@ static int find_vma_links(struct mm_struct *mm, unsigned long addr,
> return 0;
> }
>
> +static unsigned long count_vma_pages_range(struct mm_struct *mm,
> + unsigned long addr, unsigned long end)
> +{
> + unsigned long nr_pages = 0;
> + struct vm_area_struct *vma;
> +
> + /* Find first overlaping mapping */
> + vma = find_vma_intersection(mm, addr, end);
> + if (!vma)
> + return 0;
> +
> + nr_pages = (min(end, vma->vm_end) -
> + max(addr, vma->vm_start)) >> PAGE_SHIFT;
urgh, these things always make my head spin. Is it guaranteed that
end, vm_end, addr and vm_start are all multiples of PAGE_SIZE? If not,
we have a problem don't we?
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2013-04-11 22:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-02 9:54 [PATCH] mm/mmap: Check for RLIMIT_AS before unmapping Cyril Hrubis
2013-04-02 10:56 ` Mel Gorman
2013-04-02 10:56 ` Mel Gorman
2013-04-02 12:29 ` Wanpeng Li
2013-04-02 12:29 ` Wanpeng Li
2013-04-11 22:57 ` Andrew Morton [this message]
2013-04-11 22:57 ` Andrew Morton
2013-04-12 13:42 ` chrubis
2013-04-12 13:42 ` chrubis
-- strict thread matches above, loose matches on Subject: below --
2013-03-25 13:24 Cyril Hrubis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130411155734.911dc8bf8e555b169191be5a@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=chrubis@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.