| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+5PVA4AcTWHsUskGqxdka2G7JMsDpjtdhw23vSHafgAGg4opQ@mail.gmail.com> Date: Thu, 1 Mar 2012 17:40:41 -0500 From: Josh Boyer <jwboyer@...il.com> To: Andrew Morton <akpm@...ux-foundation.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar@...ux.vnet.ibm.com>, linux-mm@...ck.org, mgorman@...e.de, kamezawa.hiroyu@...fujitsu.com, dhillf@...il.com, viro@...iv.linux.org.uk, hughd@...gle.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH -V2] hugetlbfs: Drop taking inode i_mutex lock from hugetlbfs_read On Thu, Mar 1, 2012 at 5:10 PM, Andrew Morton <akpm@...ux-foundation.org> wrote: > On Thu, 1 Mar 2012 14:48:50 +0530 > "Aneesh Kumar K.V" <aneesh.kumar@...ux.vnet.ibm.com> wrote: > >> Taking i_mutex lock in hugetlbfs_read can result in deadlock with mmap >> as explained below >> Thread A: >> read() on hugetlbfs >> hugetlbfs_read() called >> i_mutex grabbed >> hugetlbfs_read_actor() called >> __copy_to_user() called >> page fault is triggered >> Thread B, sharing address space with A: >> mmap() the same file >> ->mmap_sem is grabbed on task_B->mm->mmap_sem >> hugetlbfs_file_mmap() is called >> attempt to grab ->i_mutex and block waiting for A to give it up >> Thread A: >> pagefault handled blocked on attempt to grab task_A->mm->mmap_sem, >> which happens to be the same thing as task_B->mm->mmap_sem. Block waiting >> for B to give it up. >> >> AFAIU i_mutex lock got added to hugetlbfs_read as per >> http://lkml.indiana.edu/hypermail/linux/kernel/0707.2/3066.html >> to take care of the race between truncate and read. This patch fix >> this by looking at page->mapping under page_lock (find_lock_page()) >> to ensure; the inode didn't get truncated in the range during a >> parallel read. >> >> Ideally we can extend the patch to make sure we don't increase i_size >> in mmap. But that will break userspace, because application will now >> have to use truncate(2) to increase i_size in hugetlbfs. > > Looks OK to me. > > Given that the bug has been there for four years, I'm assuming that > we'll be OK merging this fix into 3.4. Or we could merge it into 3.4 > and tag it for backporting into earlier kernels - it depends on whether > people are hurting from it, which I don't know? We've gotten a few lockdep reports about it in Fedora on various kernels. A CC to stable might be nice. josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists