Re: [PATCH v2] arm: cmpxchg syscall should data abort if page not write

From: Po-Yu Chuang
Date: Thu Mar 17 2011 - 05:18:28 EST

Dear Russell King,

On Tue, Mar 15, 2011 at 2:13 PM, Po-Yu Chuang <ratbert.chuang@xxxxxxxxx> wrote:
> From: Po-Yu Chuang <ratbert@xxxxxxxxxxxxxxxx>
> If the page to cmpxchg is user mode read only (not write),
> we should simulate a data abort first.
> Signed-off-by: Po-Yu Chuang <ratbert@xxxxxxxxxxxxxxxx>
> ---
> v2:
> remove !pte_young() check
> arch/arm/kernel/traps.c |    2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
> diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
> index 446aee9..eac7c05 100644
> --- a/arch/arm/kernel/traps.c
> +++ b/arch/arm/kernel/traps.c
> @@ -563,7 +563,7 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
> Â Â Â Â Â Â Â Âif (!pmd_present(*pmd))
> Â Â Â Â Â Â Â Â Â Â Â Âgoto bad_access;
> Â Â Â Â Â Â Â Âpte = pte_offset_map_lock(mm, pmd, addr, &ptl);
> - Â Â Â Â Â Â Â if (!pte_present(*pte) || !pte_dirty(*pte)) {
> + Â Â Â Â Â Â Â if (!pte_present(*pte) || !pte_write(*pte) || !pte_dirty(*pte)) {
> Â Â Â Â Â Â Â Â Â Â Â Âpte_unmap_unlock(pte, ptl);
> Â Â Â Â Â Â Â Â Â Â Â Âgoto bad_access;
> Â Â Â Â Â Â Â Â}
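Review bot: the commit message (the two lines above the Signed-off-by) does not say why the existing `!pte_dirty(*pte)` test is not enough, which is exactly the question the added `!pte_write(*pte)` term answers; the fork/COW sequence explained further down in this reply (parent issues cmpxchg on a page that fork() left read-only, the lock is written in place instead of taking the data abort that would trigger COW, and the child's later COW copy inherits the parent's value) belongs in the commit message itself so that the reasoning survives in git history. A smaller point: at that indentation the new condition line runs just past 80 columns; wrapping the third `||` term onto a continuation line would keep checkpatch quiet.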
> --

I think maybe I should describe more details of the problem.
Here is the story.

There is a lock with value 0. After fork(), the page containing the lock
becomes user mode read only for COW later. Process 0 writes 1 to
the lock with cmpxchg syscall. This write should cause COW.
The value of lock of Process 0 should become 1 and the value of lock
of Process 1 should still be 0 in the COWed page.


P0:cmpxchg -> COW
P0:lock=1 P1:lock=0

However, because cmpxchg syscall did not check user mode read only,
it wrote 1 to the lock value directly. After returning to user mode,
Process 0 wrote another variable, say foo, on the same page and
caused COW. The value of lock of Process 1 became 1 which is


P0:foo=123 -> COW
P0:lock=1 P1:lock=1

best regards,
Po-Yu Chuang
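The scenario in the reply above, written as a user-space regression check. This is an added example and not code from the thread or from the kernel patch: a lock word and a second variable (`foo`) are placed on one page, the parent does a compare-and-swap on the lock after fork() and then writes `foo` on the same page, and the child reports what it sees through its own copy of the page. With correct COW semantics the child must still see `lock == 0`; a kernel with the bug described above would show the child `lock == 1`. The CAS uses GCC's `__sync_bool_compare_and_swap` builtin, which on the ARM configurations where GCC's atomics are routed through the kernel's cmpxchg helper exercises the path this patch touches; on other architectures the program simply checks ordinary COW behaviour. The struct layout, pipe-based handshake and the 4096-byte alignment assumption are choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Values observed at the end of one run. */
struct cow_result {
    int parent_lock;   /* lock as seen by the parent (P0) after its CAS */
    int child_lock;    /* lock as seen by the child (P1) after P0's writes */
    int child_foo;     /* foo as seen by the child (P1) after P0's writes */
};

/* Both variables share one page, as in the report. The alignment assumes
 * a page size of at least 4096 bytes (an assumption of this example). */
static struct {
    volatile int lock;
    volatile int foo;
} __attribute__((aligned(4096))) shared_page = { 0, 0 };

/* Fork, let the parent do "cmpxchg lock 0->1" then "foo = 123", and collect
 * what each process sees. Returns 0 on success, -1 on a setup failure. */
int run_cow_check(struct cow_result *out)
{
    int go[2], back[2];   /* go: parent -> child; back: child -> parent */
    int vals[2] = { -1, -1 };
    int status;
    pid_t pid;

    if (pipe(go) < 0 || pipe(back) < 0)
        return -1;

    shared_page.lock = 0;
    shared_page.foo = 0;

    pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child (P1): wait until P0 has finished both writes, then report
         * the values visible through this process's (COW) copy of the page. */
        char c;
        int seen[2];
        close(go[1]);
        close(back[0]);
        if (read(go[0], &c, 1) != 1)
            _exit(1);
        seen[0] = shared_page.lock;
        seen[1] = shared_page.foo;
        if (write(back[1], seen, sizeof seen) != (ssize_t)sizeof seen)
            _exit(1);
        _exit(0);
    }

    /* Parent (P0): the cmpxchg step first (this is the write that must take
     * the data abort and COW the page), then an unrelated write on the same page. */
    close(go[0]);
    close(back[1]);
    if (!__sync_bool_compare_and_swap(&shared_page.lock, 0, 1))
        return -1;
    shared_page.foo = 123;

    /* Release the child and read back what it observed. */
    if (write(go[1], "x", 1) != 1)
        return -1;
    if (read(back[0], vals, sizeof vals) != (ssize_t)sizeof vals)
        return -1;
    close(go[1]);
    close(back[0]);
    if (waitpid(pid, &status, 0) != pid)
        return -1;

    out->parent_lock = shared_page.lock;
    out->child_lock = vals[0];
    out->child_foo = vals[1];
    return 0;
}

/* 1 if the run matches the expected COW outcome (P0: lock=1, P1: lock=0), else 0. */
int cow_semantics_ok(const struct cow_result *r)
{
    return r->parent_lock == 1 && r->child_lock == 0 && r->child_foo == 0;
}

int main(void)
{
    struct cow_result r;

    if (run_cow_check(&r) < 0) {
        perror("run_cow_check");
        return 1;
    }
    printf("P0: lock=%d foo=123   P1: lock=%d foo=%d -> %s\n",
           r.parent_lock, r.child_lock, r.child_foo,
           cow_semantics_ok(&r) ? "COW ok" : "COW BROKEN");
    return cow_semantics_ok(&r) ? 0 : 1;
}
```

The check deliberately performs the CAS before the plain store: in the bug report the lock write landed in the still-shared page and only the later `foo` store triggered COW, so the child ended up with `lock == 1`. Running this on a fixed kernel prints `P1: lock=0 foo=0`.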
