Re: [PATCH v2] arm: cmpxchg syscall should data abort if page not write

From: Po-Yu Chuang
Date: Thu Mar 17 2011 - 05:18:28 EST

Next message: Madhavi Manchala: "Support for ARM940T core Samsung S3C2510A MCU under Linux"
Previous message: Peter Zijlstra: "Re: [PATCH 2/2 v2] watchdog: Always return NOTIFY_OK during cpuup/down events"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear Russell King,

On Tue, Mar 15, 2011 at 2:13 PM, Po-Yu Chuang <ratbert.chuang@xxxxxxxxx> wrote:
>
> From: Po-Yu Chuang <ratbert@xxxxxxxxxxxxxxxx>
>
> If the page to cmpxchg is user mode read only (not write),
> we should simulate a data abort first.
>
> Signed-off-by: Po-Yu Chuang <ratbert@xxxxxxxxxxxxxxxx>
> ---
> v2:
> remove !pte_young() check
>
> Âarch/arm/kernel/traps.c | Â Â2 +-
> Â1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
> index 446aee9..eac7c05 100644
> --- a/arch/arm/kernel/traps.c
> +++ b/arch/arm/kernel/traps.c
> @@ -563,7 +563,7 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
> Â Â Â Â Â Â Â Âif (!pmd_present(*pmd))
> Â Â Â Â Â Â Â Â Â Â Â Âgoto bad_access;
> Â Â Â Â Â Â Â Âpte = pte_offset_map_lock(mm, pmd, addr, &ptl);
> - Â Â Â Â Â Â Â if (!pte_present(*pte) || !pte_dirty(*pte)) {
> + Â Â Â Â Â Â Â if (!pte_present(*pte) || !pte_write(*pte) || !pte_dirty(*pte)) {
> Â Â Â Â Â Â Â Â Â Â Â Âpte_unmap_unlock(pte, ptl);
> Â Â Â Â Â Â Â Â Â Â Â Âgoto bad_access;
> Â Â Â Â Â Â Â Â}
> --
> 1.6.3.3
>

I think maybe I should describe more details of the problem.
Here is the story.

There is a lock with value 0. After fork(), the page containing the lock
becomes user mode read only for COW later. Process 0 writes 1 to
the lock with cmpxchg syscall. This write should cause COW.
The value of lock of Process 0 should become 1 and the value of lock
of Porcess 1 should still be 0 in the COWed page.

(CORRECT)

P0:lock=0
P0:fork
P0:cmpxchg -> COW
P0:lock=1 P1:lock=0

However, because cmpxchg syscall did not check user mode read only,
it wrote 1 to the lock value directly. After returning to user mode,
Process 0 wrote another variable, say foo, on the same page and
caused COW. The value of lock of Process 1 became 1 which is
incorrect.

(INCORRECT)

P0:lock=0
P0:fork
P0:cmpxchg
P0:lock=1
P0:foo=123 -> COW
P0:lock=1 P1:lock=1

best regards,
Po-Yu Chuang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Madhavi Manchala: "Support for ARM940T core Samsung S3C2510A MCU under Linux"
Previous message: Peter Zijlstra: "Re: [PATCH 2/2 v2] watchdog: Always return NOTIFY_OK during cpuup/down events"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]