Date:	Fri, 8 Jul 2016 23:24:26 +0800
From:	"Leizhen (ThunderTown)" <thunder.leizhen@...wei.com>
To:	Catalin Marinas <catalin.marinas@....com>
CC:	Steve Capper <Steve.Capper@....com>,
	David Woods <dwoods@...hip.com>,
	Tianhong Ding <dingtianhong@...wei.com>,
	Will Deacon <will.deacon@....com>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Xinwei Hu <huxinwei@...wei.com>, Zefan Li <lizefan@...wei.com>,
	Hanjun Guo <guohanjun@...wei.com>,
	linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH 1/1] arm64/hugetlb: clear PG_dcache_clean if the page is
 dirty when munmap



On 2016/7/8 21:54, Catalin Marinas wrote:
> On Fri, Jul 08, 2016 at 11:36:57AM +0800, Leizhen (ThunderTown) wrote:
>> On 2016/7/7 23:37, Catalin Marinas wrote:
>>> On Thu, Jul 07, 2016 at 08:09:04PM +0800, Zhen Lei wrote:
>>>> At present, PG_dcache_clean is only cleared when the related huge page
>>>> is about to be freed. But sometimes, there maybe a process is in charge
>>>> to copy binary codes into a shared memory, and notifies other processes
>>>> to execute base on that. For the first time, there is no problem, because
>>>> the default value of page->flags is PG_dcache_clean cleared. So the cache
>>>> will be maintained at the time of set_pte_at for other processes. But if
>>>> the content of the shared memory have been updated again, there is no
>>>> cache operations, because the PG_dcache_clean is still set.
>>>>
>>>> For example:
>>>> Process A
>>>> 	open a hugetlbfs file
>>>> 	mmap it as a shared memory
>>>> 	copy some binary codes into it
>>>> 	munmap
>>>>
>>>> Process B
>>>> 	open the hugetlbfs file
>>>> 	mmap it as a shared memory, executable
>>>> 	invoke the functions in the shared memory
>>>> 	munmap
>>>>
>>>> repeat the above steps.
>>>
>>> Does this work as you would expect with small pages (and for example
>>> shared file mmap)? I don't want to have a different behaviour between
>>> small and huge pages.
>>
>> The small pages also have this problem, I will try to fix it too.
> 
> Have you run the above tests on a standard file (with small pages)? It's
> strange that we haven't hit this so far with gcc or something else
> generating code (unless they don't use mmap but just sequential writes).
The test code should be randomly generated, to make sure the context
in ICache is always stale. I have attached the simplified testcase demo.

The main portion is excerpted below:
	unsigned int *ptr, value, total;
	int i;

	srand(time(NULL));
	ptr = (unsigned int *)share_mem;		/* share_mem: writable mapping of the hugetlbfs file */
	*ptr++ = 0xd2800000;				//mov x0, #0
	for (i = 0, total = 0; i < 100; i++) {
		value = 0xfff & rand();			/* 12-bit immediate */
		total += value;
		*ptr++ = 0xb1000000 | (value << 10);	//adds x0, x0, #value (imm12 in bits [21:10])
	}
	*ptr = 0xd65f03c0;				//ret
	/* total is the value the generated function must return when executed */

> 
> If both cases need solving, we might better move the fix in the
> __sync_icache_dcache() function. Untested:
Yes.

At first I also wanted to fix it as below. But I'm not sure when PageDirty
will be cleared, and if two or more processes mmap it as executable, the cache operations
will be duplicated. At present, I really have not found any good place to clear
PG_dcache_clean. So the modification below may be the best choice, concise and clear.

> 
> ------------8<----------------
> diff --git a/arch/arm64/mm/flush.c b/arch/arm64/mm/flush.c
> index dbd12ea8ce68..c753fa804165 100644
> --- a/arch/arm64/mm/flush.c
> +++ b/arch/arm64/mm/flush.c
> @@ -75,7 +75,8 @@ void __sync_icache_dcache(pte_t pte, unsigned long addr)
>  	if (!page_mapping(page))
>  		return;
>  
> -	if (!test_and_set_bit(PG_dcache_clean, &page->flags))
> +	if (!test_and_set_bit(PG_dcache_clean, &page->flags) ||
> +	    PageDirty(page))
>  		sync_icache_aliases(page_address(page),
>  				    PAGE_SIZE << compound_order(page));
>  	else if (icache_is_aivivt())
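Review bot: with `|| PageDirty(page)` added to the condition, sync_icache_aliases() now runs on every __sync_icache_dcache() call for as long as the page remains dirty, not only the first time PG_dcache_clean is set, so each additional executable mapping of the same dirty page repeats the full `PAGE_SIZE << compound_order(page)` maintenance; and because the dirty check is folded into the first branch, a dirty page never reaches the `else if (icache_is_aivivt())` path. Since the patch is marked untested, a comment above the `if` stating why a dirty page is re-synced and what is expected to clear PageDirty for these (hugetlbfs and shared file) mappings would make the intended trade-off reviewable.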
> ----------------8<---------------------
> 
> BTW, can you make your tests (source) available somewhere?
Both cases worked well with this patch.

> 
> Thanks.
> 

View attachment "tst_mmap.c" of type "text/plain" (2258 bytes)
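The test described in the message, written out as an added, self-contained C program (this is not the attached tst_mmap.c and not code from the thread): it encodes the same "mov x0, #0; adds x0, x0, #value ...; ret" stream through one shared, writable mapping and runs it through a second, executable mapping of the same file. It assumes a plain temporary file as a stand-in for the hugetlbfs file, the helper names encode_adds_x0_imm(), build_code() and run_demo() are my own, and the generated code is only executed when compiled on AArch64; elsewhere it just checks the encoding and the expected sum.

```c
#define _GNU_SOURCE
/* Added example, not the e-mail's attachment: generate an AArch64
 * "mov x0,#0; adds x0,x0,#v ...; ret" stream via one mapping and execute it
 * via a second, executable mapping of the same file. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

#define INSN_MOV_X0_0    0xd2800000u  /* mov x0, #0 (movz x0, #0)              */
#define INSN_RET         0xd65f03c0u  /* ret                                   */
#define INSN_ADDS_X0_IMM 0xb1000000u  /* adds x0, x0, #imm12; imm12 at [21:10] */
#define NVALUES 100

/* Encode "adds x0, x0, #imm"; only the low 12 bits of imm are representable. */
static uint32_t encode_adds_x0_imm(unsigned imm)
{
    return INSN_ADDS_X0_IMM | ((imm & 0xfffu) << 10);
}

/* Emit mov, n x adds, ret into buf (n + 2 words) and return the sum the
 * generated function must produce when executed. */
static unsigned long build_code(uint32_t *buf, const unsigned *values, size_t n)
{
    unsigned long total = 0;
    buf[0] = INSN_MOV_X0_0;
    for (size_t i = 0; i < n; i++) {
        total += values[i] & 0xfffu;
        buf[i + 1] = encode_adds_x0_imm(values[i]);
    }
    buf[n + 1] = INSN_RET;
    return total;
}

/* Returns 0 on success. A plain temporary file stands in (constructed
 * assumption) for the hugetlbfs file used in the thread. */
static int run_demo(void)
{
    char path[] = "/tmp/codegen-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    unlink(path);
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    if (ftruncate(fd, (off_t)len) < 0) { perror("ftruncate"); close(fd); return 1; }

    /* Writer's view (process A in the thread): shared, writable alias. */
    uint32_t *wr = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (wr == MAP_FAILED) { perror("mmap rw"); close(fd); return 1; }

    unsigned values[NVALUES];
    srand((unsigned)time(NULL));
    for (int i = 0; i < NVALUES; i++)
        values[i] = 0xfffu & (unsigned)rand();
    unsigned long expected = build_code(wr, values, NVALUES);

    /* Executor's view (process B in the thread): second, executable alias. */
    void *ex = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    if (ex == MAP_FAILED) { perror("mmap exec"); munmap(wr, len); close(fd); return 1; }

    int rc = 0;
#if defined(__aarch64__)
    /* Explicit D-cache clean + I-cache invalidate over the alias that will be
     * fetched from: a user-space code generator must do this itself rather
     * than rely on the kernel's set_pte_at-time maintenance discussed above. */
    __builtin___clear_cache((char *)ex, (char *)ex + (NVALUES + 2) * sizeof(uint32_t));
    unsigned long (*fn)(void) = (unsigned long (*)(void))ex;
    unsigned long got = fn();
    printf("generated code returned %lu, expected %lu\n", got, expected);
    rc = (got == expected) ? 0 : 2;
#else
    printf("not AArch64: encoded %d instructions, expected sum %lu (not executed)\n",
           NVALUES + 2, expected);
#endif
    munmap(ex, len);
    munmap(wr, len);
    close(fd);
    return rc;
}

int main(void) { return run_demo(); }
```

Because the values are random and the generated function returns their sum, a stale I-cache line shows up as a wrong return value rather than a silent pass; the __builtin___clear_cache call is the documented user-space way to make freshly written instructions visible, independent of the kernel-side fix discussed in the thread.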
