Re: [PATCH v3] futex: Fix regression with read only mappings

From: Peter Zijlstra
Date: Tue Jun 28 2011 - 06:58:52 EST

Next message: Linus Walleij: "Re: [PATCH] gpio: ab8500: fix MODULE_ALIAS for ab8500"
Previous message: Stijn Devriendt: "Re: linux-next: build failure after merge of the tip tree"
In reply to: Shawn Bohrer: "[PATCH v3] futex: Fix regression with read only mappings"
Next in thread: Darren Hart: "Re: [PATCH v3] futex: Fix regression with read only mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2011-06-27 at 17:22 -0500, Shawn Bohrer wrote:
> commit 7485d0d3758e8e6491a5c9468114e74dc050785d (futexes: Remove rw
> parameter from get_futex_key()) in 2.6.33 introduced a user-mode
> regression in that it additionally prevented futex operations on a
> region within a read only memory mapped file. For example this breaks
> workloads that have one or more reader processes doing a FUTEX_WAIT on a
> futex within a read only shared mapping, and a writer processes that has
> a writable mapping issuing the FUTEX_WAKE.
>
> This fixes the regression for futex operations that should be valid on
> RO mappings by trying a RO get_user_pages_fast() when the RW
> get_user_pages_fast() fails so as not to slow down the common path of
> writable anonymous maps and bailing when we used the RO path on
> anonymous memory.
>
> While fixing the regression this patch opens up two possible bad
> scenarios as identified by KOSAKI Motohiro:
>
> 1) This patch also allows FUTEX_WAIT on RO private mappings which have
> the following corner case.
>
> Thread-A: call futex(FUTEX_WAIT, memory-region-A).
> get_futex_key() return inode based key.
> sleep on the key
> Thread-B: call mprotect(PROT_READ|PROT_WRITE, memory-region-A)
> Thread-B: write memory-region-A.
> COW happen. This process's memory-region-A become related
> to new COWed private (ie PageAnon=1) page.
> Thread-B: call futex(FUETX_WAKE, memory-region-A).
> get_futex_key() return mm based key.
> IOW, we fail to wake up Thread-A.
>
> 2) Current futex code doesn't handle zero page properly.
>
> Read mode get_user_pages() can return zero page, but current futex
> code doesn't handle it at all. Then, zero page makes infinite loop
> internally.
>
> This Patch is based on Peter Zijlstra's initial patch with modifications to
> only allow RO mappings for futex operations that need VERIFY_READ access.
>
> Reported-by: David Oliver <david@xxxxxxxxxxxxxxx>
> Signed-off-by: Shawn Bohrer <sbohrer@xxxxxxxxxxxxxxx>

Acked-by: Peter Zijlstra <a.p.zijlstra@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Walleij: "Re: [PATCH] gpio: ab8500: fix MODULE_ALIAS for ab8500"
Previous message: Stijn Devriendt: "Re: linux-next: build failure after merge of the tip tree"
In reply to: Shawn Bohrer: "[PATCH v3] futex: Fix regression with read only mappings"
Next in thread: Darren Hart: "Re: [PATCH v3] futex: Fix regression with read only mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]