Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752543AbdLMJbp (ORCPT ); Wed, 13 Dec 2017 04:31:45 -0500 Received: from mail-pg0-f68.google.com ([74.125.83.68]:33077 "EHLO mail-pg0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752433AbdLMJb2 (ORCPT ); Wed, 13 Dec 2017 04:31:28 -0500 X-Google-Smtp-Source: ACJfBovYjfFbGtMQrwiaDfJD00mYR/QJ9yNHhZivri2Lr65+y8YalX3OlAIq4dmItsSzBer2+kskbQ== From: Michal Hocko To: Michael Kerrisk Cc: linux-api@vger.kernel.org, Khalid Aziz , Michael Ellerman , Andrew Morton , Russell King - ARM Linux , Andrea Arcangeli , , LKML , linux-arch@vger.kernel.org, Florian Weimer , John Hubbard , Matthew Wilcox , Jann Horn , Mike Rapoport , Cyril Hrubis , Pavel Machek , Michal Hocko Subject: [PATCH 2/2] mmap.2: MAP_FIXED updated documentation Date: Wed, 13 Dec 2017 10:31:10 +0100 Message-Id: <20171213093110.3550-2-mhocko@kernel.org> X-Mailer: git-send-email 2.15.0 In-Reply-To: <20171213093110.3550-1-mhocko@kernel.org> References: <20171213092550.2774-1-mhocko@kernel.org> <20171213093110.3550-1-mhocko@kernel.org> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2733 Lines: 75 From: John Hubbard -- Expand the documentation to discuss the hazards in enough detail to allow avoiding them. -- Mention the upcoming MAP_FIXED_SAFE flag. -- Enhance the alignment requirement slightly. CC: Michael Ellerman CC: Jann Horn CC: Matthew Wilcox CC: Michal Hocko CC: Mike Rapoport CC: Cyril Hrubis CC: Pavel Machek Acked-by: Michal Hocko Signed-off-by: John Hubbard Signed-off-by: Michal Hocko --- man2/mmap.2 | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/man2/mmap.2 b/man2/mmap.2 index 02d391697ce6..cb8789daec2d 100644 --- a/man2/mmap.2 +++ b/man2/mmap.2 @@ -212,8 +212,9 @@ Don't interpret .I addr as a hint: place the mapping at exactly that address. .I addr -must be a multiple of the page size. -If the memory region specified by +must be suitably aligned: for most architectures a multiple of page +size is sufficient; however, some architectures may impose additional +restrictions. If the memory region specified by .I addr and .I len @@ -226,6 +227,33 @@ Software that aspires to be portable should use this option with care, keeping in mind that the exact layout of a process' memory map is allowed to change significantly between kernel versions, C library versions, and operating system releases. +.IP +Furthermore, this option is extremely hazardous (when used on its own), because +it forcibly removes pre-existing mappings, making it easy for a multi-threaded +process to corrupt its own address space. +.IP +For example, thread A looks through +.I /proc//maps +and locates an available +address range, while thread B simultaneously acquires part or all of that same +address range. Thread A then calls mmap(MAP_FIXED), effectively overwriting +the mapping that thread B created. +.IP +Thread B need not create a mapping directly; simply making a library call +that, internally, uses +.I dlopen(3) +to load some other shared library, will +suffice. The dlopen(3) call will map the library into the process's address +space. Furthermore, almost any library call may be implemented using this +technique. +Examples include brk(2), malloc(3), pthread_create(3), and the PAM libraries +(http://www.linux-pam.org). +.IP +Newer kernels +(Linux 4.16 and later) have a +.B MAP_FIXED_SAFE +option that avoids the corruption problem; if available, MAP_FIXED_SAFE +should be preferred over MAP_FIXED. .TP .BR MAP_FIXED_SAFE " (since Linux 4.16)" Similar to MAP_FIXED with respect to the -- 2.15.0