Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752037AbXA2R0v (ORCPT ); Mon, 29 Jan 2007 12:26:51 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752043AbXA2R0v (ORCPT ); Mon, 29 Jan 2007 12:26:51 -0500 Received: from extu-mxob-2.symantec.com ([216.10.194.135]:25263 "EHLO extu-mxob-2.symantec.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752037AbXA2R0u (ORCPT ); Mon, 29 Jan 2007 12:26:50 -0500 X-AuditID: d80ac287-a257fbb000007e48-32-45be3082230e Date: Mon, 29 Jan 2007 17:26:56 +0000 (GMT) From: Hugh Dickins X-X-Sender: hugh@blonde.wat.veritas.com To: Ken Chen cc: Adam Litke , Andrew Morton , William Irwin , David Gibson , linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] Don't allow the stack to grow into hugetlb reserved regions In-Reply-To: Message-ID: References: <20070125214052.22841.33449.stgit@localhost.localdomain> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-OriginalArrivalTime: 29 Jan 2007 17:26:48.0833 (UTC) FILETIME=[A83C5710:01C743CA] X-Brightmail-Tracker: AAAAAA== Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1634 Lines: 35 On Sun, 28 Jan 2007, Ken Chen wrote: > > For ia64, the hugetlb address region is reserved at the top of user > space address. Stacks are below that region. Throw in the mix, we > have two stacks, one memory stack that grows down and one register > stack backing store that grows up. These two stacks are always in > pair and grow towards each other. And lastly, we have virtual address > holes in between regions. It's just impossible to grow any of these > two stacks into hugetlb region no matter how I played it. > > So, AFAICS this bug doesn't apply to ia64 (and certainly not x86). The > new check of is_hugepage_only_range() is really a noop for both arches. Certainly not a problem on x86. But, never mind hugetlb, you still not quite convinced me that there's no problem at all with get_user_pages find_extend_vma growing on ia64. I repeat that ia64_do_page_fault has REGION tests to guard against expanding either kind of stack across into another region. ia64_brk, ia64_mmap_check and arch_get_unmapped_area have RGN_MAP_LIMIT checks. But where is the equivalent paranoia when ptrace calls get_user_pages calls find_extend_vma? If your usual stacks face each other across the same region, they're not going to pose problem. But what if someone mmaps MAP_GROWSDOWN near the base of a region, then uses ptrace to touch an address near the top of the region below? Hugh - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/