Re: Change in functionality of futex() system call.

From: Darren Hart
Date: Tue Jun 07 2011 - 15:01:40 EST




On 06/07/2011 11:43 AM, Andrew Lutomirski wrote:
> On Tue, Jun 7, 2011 at 11:58 AM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
>> Le mardi 07 juin 2011 à 10:44 -0400, Andy Lutomirski a écrit :
>>> On 06/06/2011 11:13 PM, Darren Hart wrote:
>>>>
>>>>
>>>> On 06/06/2011 11:11 AM, Eric Dumazet wrote:
>>>>> Le lundi 06 juin 2011 à 10:53 -0700, Darren Hart a écrit :
>>>>>>
>>>>>
>>>>>> If I understand the problem correctly, RO private mapping really doesn't
>>>>>> make any sense and we should probably explicitly not support it, while
>>>>>> special casing the RO shared mapping in support of David's scenario.
>>>>>>
>>>>>
>>>>> We supported them in 2.6.18 kernels, apparently. This might sounds
>>>>> stupid but who knows ?
>>>>
>>>>
>>>> I guess this is actually the key point we need to agree on to provide a
>>>> solution. This particular case "worked" in 2.6.18 kernels, but that
>>>> doesn't necessarily mean it was supported, or even intentional.
>>>>
>>>> It sounds to me that we agree that we should support RO shared mappings.
>>>> The question remains about whether we should introduce deliberate
>>>> support of RO private mappings, and if so, if the forced COW approach is
>>>> appropriate or not.
>>>>
>>>
>>> I disagree.
>>>
>>> FUTEX_WAIT has side-effects. Specifically, it eats one wakeup sent by
>>> FUTEX_WAKE. So if something uses futexes on a file mapping, then a
>>> process with only read access could (if the semantics were changed) DoS
>>> the other processes by spawning a bunch of threads and FUTEX_WAITing
>>> from each of them.
>>>
>>> If there were a FUTEX_WAIT_NOCONSUME that did not consume a wakeup and
>>> worked on RO mappings, I would drop my objection.
>>
>> If a group of cooperating processes uses a memory segment to exchange
>> critical information, do you really think this memory segment will be
>> readable by other unrelated processes on the machine ?
>
> Depends on the design.
>
> I have some software I'm working on that uses shared files and could
> easily use futexes. I don't want random read-only processes to
> interfere with the futex protocol.


So don't use world readable files.


>>
>> How is this related to futex code ?
>
> Because this usage is currently safe and would become unsafe with the
> proposed change.
>
>>
>> Same problem for legacy IPC (shm, msg, sem) : Appropriate protections
>> are needed, obviously.
>>
>> BTW, kernel/futex.c uses a global hash table (futex_queues[256]) and a
>> very predictable hash_futex(), so its easy to slow down futex users...
>
> There's a difference between slowing down users by abusing a kernel
> hash and deadlocking users by eating a wakeup. (If you eat a wakeup
> the wakeup won't magically come back later. It's gone.)

That's the nature of SHARED, you have to protect the mapping independent
of the futex mechanism.

--
Darren Hart
Intel Open Source Technology Center
Yocto Project - Linux Kernel
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/