Jann, Micha, On 04/16/2018 11:11 PM, Michal Hocko wrote: > On Mon 16-04-18 22:17:40, Jann Horn wrote: >> On Mon, Apr 16, 2018 at 9:57 PM, Michal Hocko <mhocko@xxxxxxxxxx> wrote: >>> On Mon 16-04-18 21:30:09, Jann Horn wrote: >>>> On Mon, Apr 16, 2018 at 9:18 PM, Michal Hocko <mhocko@xxxxxxxxxx> wrote: >>> [...] >>>>> Yes, reasonably well written application will not have this problem. >>>>> That, however, requires an external synchronization and that's why >>>>> called it error prone and racy. I guess that was the main motivation for >>>>> that part of the man page. >>>> >>>> What requires external synchronization? I still don't understand at >>>> all what you're talking about. >>>> >>>> The following code: >>>> >>>> void *try_to_alloc_addr(void *hint, size_t len) { >>>> char *x = mmap(hint, len, ...); >>>> if (x == MAP_FAILED) return NULL; >>>> if (x == hint) return x; >>> >>> Any other thread can modify the address space at this moment. >> >> But not parts of the address space that were returned by this mmap() call. > ? >>> Just >>> consider that another thread would does mmap(x, MAP_FIXED) (or any other >>> address overlapping [x, x+len] range) >> >> If the other thread does that without previously having created a >> mapping covering the area in question, that would be a bug in the >> other thread. > > MAP_FIXED is sometimes used without preallocated address ranges. > >> MAP_FIXED on an unmapped address is almost always a bug >> (excluding single-threaded cases with no library code, and even then >> it's quite weird) - for example, any malloc() call could also cause >> libc to start using the memory range you're trying to map with >> MAP_FIXED. > > Yeah and that's why we there is such a large paragraph in the man page > ;) > >>> becaus it is seemingly safe as x >>> != hint. >> >> I don't understand this part. Are you talking about a hypothetical >> scenario in which a programmer attempts to segment the virtual memory >> space into areas that are exclusively used by threads without creating >> memory mappings for those areas? > > Yeah, that doesn't sound all that over-exaggerated, right? And yes, > such a code would be subtle and most probably buggy. I am not trying to > argue for those hypothetical cases. All I am saying is that MAP_FIXED is > subtle. > > I _do_ agree that using it solely on the preallocated and _properly_ > managed address ranges is safe. I still maintain my position on error > prone though. And besides that there are usecases which do not operate > on preallocated address ranges so people really have to be careful. > > I do not really care what is the form. I find the current wording quite > informative and showing examples of how things might be broken. I do > agree with your remark that "MAP_FIXED on preallocated ranges is safe" > should be added. But MAP_FIXED is dangerous API and should have few big > fat warnings. So, at this stage, is any further patch needed to the text describing MAP_FIXED/MAP_FIXED_REPLACE? Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/