Re: [bugfix] try_to_unmap_cluster() passes out-of-bounds pte to pte_unmap()

From: Hugh Dickins
Date: Mon May 23 2005 - 23:39:07 EST

Next message: Benjamin Herrenschmidt: "RE: ide-cd vs. DMA"
Previous message: Chad Kitching: "RE: ide-cd vs. DMA"
In reply to: William Lee Irwin III: "Re: [bugfix] try_to_unmap_cluster() passes out-of-bounds pte to pte_unmap()"
Next in thread: Richard Purdie: "Re: 2.6.12-rc4-mm2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 23 May 2005, William Lee Irwin III wrote:
> On Mon, May 23, 2005 at 05:14:06PM -0700, Andrew Morton wrote:
> > I must say that I continue to find this approach a bit queazifying.
> > After some reading of the code I'd agree that yes, it's not possible for us
> > to get here with `pte' pointing at the first slot of the pte page, but it's
> > not 100% obvious and it's possible that someone will come along later and
> > will change things in try_to_unmap_cluster() which cause this unmap to
> > suddenly do the wrong thing in rare circumstances.
> > IOW: I'd sleep better at night if we took a temporary and actually unmapped
> > the thing which we we got back from pte_offset_map().. Am I being silly?

There's a similar argument for queasiness in all the other (8 or more)
instances of the idiom. I think we originally adopted (and I furthered)
this pte_unmap(pte - 1) idiom because in the majority of architecture's
configurations pte_unmap does nothing at all, so we resented assigning
a pointless variable in some critical loops.

> Not at all. I merely attempt to minimize diffsize by default. An
> alternative implementation follows (changelog etc. to be taken
> from the prior patch) in case it saves the time (however short) needed
> to write it yourself.

Either of wli's patches is fine with me. There are several levels on
which try_to_unmap_cluster is harder to understand than the others,
and no good reason to resist the variable assignment.

We could rewrite pte_unmap to avoid the issue completely, since its
job is to unmap (or pretend to unmap) KM_PTE0's pte if the address
is in the fixmap area: but changing it to tolerate an off-by-one
address gives a queasy feeling too.

Thanks,
Hugh
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Benjamin Herrenschmidt: "RE: ide-cd vs. DMA"
Previous message: Chad Kitching: "RE: ide-cd vs. DMA"
In reply to: William Lee Irwin III: "Re: [bugfix] try_to_unmap_cluster() passes out-of-bounds pte to pte_unmap()"
Next in thread: Richard Purdie: "Re: 2.6.12-rc4-mm2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]