Race in check_stack_guard_page?

From: Andy Lutomirski
Date: Mon Nov 25 2013 - 18:30:54 EST


I was looking at the stack expansion code, and I'm not convinced it's
safe. Aside from the obvious scariness of down_read(&mmap_sem) not
actually preventing vma changes, I think there's a real race. Suppose
that you have a VM_GROWSDOWN vma above a VM_GROWSUP vma with a
single-page gap between them. Suppose further that they have
different anon_vma roots.

If one ends up in expand_downwards and the other ends up in
expand_upwards at the same time, then each one can take
page_table_lock without re-checking that there's still room to expand.
The result will be two vmas that share a page.

(This is presumably only possible on ia64.)

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
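Added illustration (not code from the kernel or from the author of the message above): a deterministic model of the interleaving the message describes. Two expanders, one per vma, each check for room under the read side of mmap_sem and then commit under page_table_lock. With different anon_vma roots nothing serialises the two checks, so check/check/commit/commit is possible and the vmas end up sharing a page; with a shared root, or with a re-check under page_table_lock, the second commit sees the first and fails. The struct and function names, the 0x10000-range addresses and the reduction of the locks to a fixed interleaving are assumptions made for the example.

```c
/*
 * Model of the expand_upwards()/expand_downwards() race described above.
 * Constructed example, not kernel code: vma layout, lock behaviour and
 * interleavings are assumptions that mirror the message.
 */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

struct vma {
    unsigned long start, end;   /* [start, end), page aligned */
    int anon_vma_root;          /* which anon_vma root lock the expander takes */
};

struct mm {
    struct vma up;      /* VM_GROWSUP vma, below the one-page gap */
    struct vma down;    /* VM_GROWSDOWN vma, above the gap */
};

/* Size of the gap between the two vmas, as seen under down_read(&mmap_sem). */
static unsigned long gap(const struct mm *mm)
{
    return mm->down.start - mm->up.end;
}

/* The check each expander performs before taking page_table_lock. */
static bool room_to_expand(const struct mm *mm)
{
    return gap(mm) >= PAGE_SIZE;
}

/* Commit steps, meant to run under page_table_lock. */
static void grow_up(struct mm *mm)   { mm->up.end += PAGE_SIZE; }
static void grow_down(struct mm *mm) { mm->down.start -= PAGE_SIZE; }

/* True when the two vmas cover a common page: the bad outcome. */
static bool vmas_overlap(const struct mm *mm)
{
    return mm->up.end > mm->down.start;
}

/*
 * Run the scenario and report whether the vmas ended up overlapping.
 *
 * same_anon_vma_root: the shared root lock wraps check+commit of each
 *   expander, so the second one checks only after the first committed.
 *   With different roots both checks run before either commit.
 * recheck_under_ptl: re-validate the gap after taking page_table_lock,
 *   which closes the window in the different-roots case.
 */
static bool run_scenario(bool same_anon_vma_root, bool recheck_under_ptl)
{
    struct mm mm = {
        .up   = { .start = 0x10000, .end = 0x11000, .anon_vma_root = 1 },
        .down = { .start = 0x12000, .end = 0x13000,
                  .anon_vma_root = same_anon_vma_root ? 1 : 2 },
    };
    bool ok_up, ok_down;

    if (mm.up.anon_vma_root == mm.down.anon_vma_root) {
        /* Serialised by the shared anon_vma lock: A fully, then B. */
        ok_up = room_to_expand(&mm);
        if (ok_up) grow_up(&mm);
        ok_down = room_to_expand(&mm);      /* sees the grown vma: fails */
        if (ok_down) grow_down(&mm);
    } else {
        /* Nothing orders the two checks against each other. */
        ok_up = room_to_expand(&mm);
        ok_down = room_to_expand(&mm);
        /* page_table_lock serialises the commits, not the checks. */
        if (ok_up && (!recheck_under_ptl || room_to_expand(&mm)))
            grow_up(&mm);
        if (ok_down && (!recheck_under_ptl || room_to_expand(&mm)))
            grow_down(&mm);
    }
    return vmas_overlap(&mm);
}

int main(void)
{
    printf("different roots, no recheck: overlap=%d\n", run_scenario(false, false));
    printf("different roots, recheck:    overlap=%d\n", run_scenario(false, true));
    printf("same root, no recheck:       overlap=%d\n", run_scenario(true, false));
    return 0;
}
```

Only the different-roots, no-recheck run produces an overlap, which is the combination the message singles out; the re-check under page_table_lock is the usual shape of the fix for a check-then-act window like this one.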