Date: Fri, 6 Mar 2009 22:55:25 +0000
From: Russell King - ARM Linux <linux@arm.linux.org.uk>
To: Steven Walter <stevenrwalter@gmail.com>
Cc: linux-arm-kernel@lists.arm.linux.org.uk, linux-kernel@vger.kernel.org
Subject: Re: cache aliasing in dup_mmap
Message-ID: <20090306225525.GB3212@n2100.arm.linux.org.uk>
References: <e06498070903061426o5875ad13hc6328aa0d3f08ed7@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <e06498070903061426o5875ad13hc6328aa0d3f08ed7@mail.gmail.com>
User-Agent: Mutt/1.4.2.1i
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1336
Lines: 35

On Fri, Mar 06, 2009 at 05:26:24PM -0500, Steven Walter wrote:
> I've been tracking down an instance of userspace data corruption, and I
> believe I have found a window during fork where data can be lost.  The
> corruption is occurring on an ARMv5 system with VIVT caches.  Here's the
> scenario in question.  Thread A is forking, Thread B is running in
> userspace:

With VIVT caches, you're missing a few things here:

> Thread A: flush_cache_mm (dup_mmap)

-- cache written back and invalidated

> Thread B: writes to a page in the above mm

-- cache written back and invalidated

> Thread A: pte_wrprotect the above page (copy_one_pte)

-- cache written back and invalidated

> Thread B: writes to the same page again
> 
> During thread B's second write, he'll take a fault and enter the do_wp_page
> case.  We'll end up calling copy_page, which notably uses the kernel virtual
> addresses for the old and new pages.  This means that the new page does not
> necessarily have the data from the first write.

Given the additional flushing I've mentioned above, where could the
problem be?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/