Jann, Micha,
On 04/16/2018 11:11 PM, Michal Hocko wrote:
> On Mon 16-04-18 22:17:40, Jann Horn wrote:
>> On Mon, Apr 16, 2018 at 9:57 PM, Michal Hocko <mhocko@xxxxxxxxxx> wrote:
>>> On Mon 16-04-18 21:30:09, Jann Horn wrote:
>>>> On Mon, Apr 16, 2018 at 9:18 PM, Michal Hocko <mhocko@xxxxxxxxxx> wrote:
>>> [...]
>>>>> Yes, reasonably well written application will not have this problem.
>>>>> That, however, requires an external synchronization and that's why
>>>>> called it error prone and racy. I guess that was the main motivation for
>>>>> that part of the man page.
>>>>
>>>> What requires external synchronization? I still don't understand at
>>>> all what you're talking about.
>>>>
>>>> The following code:
>>>>
>>>> void *try_to_alloc_addr(void *hint, size_t len) {
>>>> char *x = mmap(hint, len, ...);
>>>> if (x == MAP_FAILED) return NULL;
>>>> if (x == hint) return x;
>>>
>>> Any other thread can modify the address space at this moment.
>>
>> But not parts of the address space that were returned by this mmap() call.
> ?
>>> Just
>>> consider that another thread would does mmap(x, MAP_FIXED) (or any other
>>> address overlapping [x, x+len] range)
>>
>> If the other thread does that without previously having created a
>> mapping covering the area in question, that would be a bug in the
>> other thread.
>
> MAP_FIXED is sometimes used without preallocated address ranges.
>
>> MAP_FIXED on an unmapped address is almost always a bug
>> (excluding single-threaded cases with no library code, and even then
>> it's quite weird) - for example, any malloc() call could also cause
>> libc to start using the memory range you're trying to map with
>> MAP_FIXED.
>
> Yeah and that's why we there is such a large paragraph in the man page
> ;)
>
>>> becaus it is seemingly safe as x
>>> != hint.
>>
>> I don't understand this part. Are you talking about a hypothetical
>> scenario in which a programmer attempts to segment the virtual memory
>> space into areas that are exclusively used by threads without creating
>> memory mappings for those areas?
>
> Yeah, that doesn't sound all that over-exaggerated, right? And yes,
> such a code would be subtle and most probably buggy. I am not trying to
> argue for those hypothetical cases. All I am saying is that MAP_FIXED is
> subtle.
>
> I _do_ agree that using it solely on the preallocated and _properly_
> managed address ranges is safe. I still maintain my position on error
> prone though. And besides that there are usecases which do not operate
> on preallocated address ranges so people really have to be careful.
>
> I do not really care what is the form. I find the current wording quite
> informative and showing examples of how things might be broken. I do
> agree with your remark that "MAP_FIXED on preallocated ranges is safe"
> should be added. But MAP_FIXED is dangerous API and should have few big
> fat warnings.
So, at this stage, is any further patch needed to the text describing
MAP_FIXED/MAP_FIXED_REPLACE?
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
