Bug 174628

Summary: mmap(2) CAN return mappings at location 0
Product: Fedora
Reporter: William Kucharski <kucharsk>
Component: kernel
Assignee: Ingo Molnar <mingo>
Status: CLOSED WONTFIX
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 7
CC: davej, triage, varekova, wtogami
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-06-17 01:11:11 UTC

Description William Kucharski 2005-11-30 20:46:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7

Description of problem:
The man page for mmap(2) states:

"The actual place where the object is mapped is returned by mmap, and is never 0."

In fact, I can generate mappings in two different ways:

1) Call mmap with the MAP_FIXED flag set and pass in "start" as 0
2) Call mmap with a "start" address of -1.  Since mmap will round passed address
   hints up to a PAGESIZE alignment, mmap will internally round the address hint
   to 0.

Version-Release number of selected component (if applicable):
kernel-2.6.14-1.1637_FC4

How reproducible:
Always

Steps to Reproduce:
1. Compile the following program, m.c:

#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(void)
{
        void *ptr;
        int fd;

        /* Map this source file itself; the first word read back is "#inc". */
        if ((fd = open("m.c", O_RDWR)) < 0) {
                perror("m.c");
                exit(1);
        }

        /* #1: hint of -1, no MAP_FIXED.  Page-aligning the hint wraps it to 0. */
        if ((ptr = mmap((void *)-1, 0x500, PROT_READ, MAP_SHARED, fd,
            0)) == MAP_FAILED) {
                perror("mmap");
                (void) close(fd);
                exit(1);
        }

        printf("mmap #1 succeeded, ptr @ 0x%p = 0x%x\n", ptr, *(int *)ptr);

        /* #2: explicit request for address 0 with MAP_FIXED (replaces mapping #1). */
        if ((ptr = mmap(0, 0x500, PROT_READ, MAP_SHARED|MAP_FIXED, fd,
            0)) == MAP_FAILED)
                perror("mmap");
        else
                printf("mmap #2 succeeded, ptr @ 0x%p = 0x%x\n", ptr,
                        *(int *)ptr);

        (void) close(fd);
        exit(0);
}

2. Execute a.out

Actual Results:  mmap #1 succeeded, ptr @ 0x(nil) = 0x636e6923
mmap #2 succeeded, ptr @ 0x(nil) = 0x636e6923


Expected Results:  Both mapping attempts should have failed if the man page is correct in stating that an address of 0 is never returned.

Additional info:

Comment 1 Dave Jones 2005-12-08 06:22:08 UTC
This has been this way for a long time, I think it's the manpage at fault.


Comment 2 William Kucharski 2005-12-08 16:41:19 UTC
This falls into a VERY grey area, and my thinking is this:

* I believe the ability to map at location 0 in conjunction with the MAP_FIXED
  flag is intentional and should be documented in the man page.  However...

* I believe the behavior when passing in a hint of -1, where the hint address
  is rounded up to the next page, or 0, due to overflow, is UNINTENTIONAL.  I
  would think in such a case the correct behavior would be to choose a mapping
  address for the user, as is the case when a mapping already exists, rather
  than assume the user really meant to map the request at address 0.  This is
  further exacerbated by the fact that if MAP_FIXED is not set, address 0 is
  a magic token meaning "pick a mapping address for me," so the wraparound to
  0 could be seen as either a bug OR a feature.

Comment 3 Dave Jones 2005-12-10 07:39:24 UTC
If you disagree with the current behaviour, I recommend taking it upstream, as
any change in behaviour would have to happen there.


Comment 4 William Kucharski 2005-12-10 07:48:16 UTC
Well, that's why I filed the bug here; I figured RedHat would occasionally kick issues like this upstream for resolution or at least some type of ruling as to whether the behavior or the man pages are in error on this.

Comment 7 Ivana Varekova 2005-12-13 10:01:43 UTC
Man-pages are fixed (the fixed version is man-pages-2.16-2). 
The remaining part is kernel problem, so I'm reassigning this bug.

Comment 8 Dave Jones 2005-12-13 21:24:42 UTC
There is no kernel bug. The documentation was the only fault.


Comment 9 William Kucharski 2005-12-14 06:47:28 UTC
How can you say the behavior of wrapping a hint address in the range of 0xfffff001 - 0xffffffff around to 0 isn't a bug?

Even if you quite reasonably believe the case of passing MAP_FIXED an address of 0 should work, I find it hard to believe that behavior that rounds an address hint up to 0 is intentional.

Judging from other operating systems, when passed an address that gets rounded to 0, mmap should either fail with ENOMEM or it should pick an address to map at, the same as if 0 were actually passed.

Someone should verify this behavior is intentional with the kernel developers before closing this bug as "not a bug."

Comment 10 William Kucharski 2005-12-14 06:51:58 UTC
As a side note, I'm not trying to be pedantic here; I'm more than willing to accept whatever behavior the community at large defines as proper to be the final word on this.

Comment 12 Dave Jones 2006-02-03 07:25:46 UTC
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.


Comment 13 William Kucharski 2006-02-15 18:09:48 UTC
This bug is still present in 2.6.15-1.1831_FC4.

Comment 14 David Lawrence 2006-04-18 20:32:32 UTC
NEEDINFO_ENG has been deprecated in favor of NEEDINFO or ASSIGNED. Changing
status to ASSIGNED for ENG review.

Comment 15 Dave Jones 2006-09-17 03:16:55 UTC
[This comment added as part of a mass-update to all open FC4 kernel bugs]

FC4 has now transitioned to the Fedora legacy project, which will continue to
release security related updates for the kernel.  As this bug is not security
related, it is unlikely to be fixed in an update for FC4, and has been migrated
to FC5.

Please retest with Fedora Core 5.

Thank you.


Comment 16 William Kucharski 2006-09-17 04:20:28 UTC
See above; the "round up to 0" bug still exists in FC5.

Comment 17 Dave Jones 2006-10-17 00:29:56 UTC
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.

Comment 18 William Kucharski 2006-10-17 02:04:02 UTC
This bug is still present in 2.6.18-1.2200.fc5smp.

Comment 19 petrosyan 2008-03-10 23:46:13 UTC
Fedora Core 5 is no longer maintained. Is this bug still present in Fedora 7 or
Fedora 8?

Comment 20 William Kucharski 2008-03-12 02:22:51 UTC
Yes, mmap(2) still operates the same way in kernel 2.6.23.15-80.fc7:

$ ./a.out
mmap #1 succeeded, ptr @ 0x(nil) = 0x636e6923
mmap #2 succeeded, ptr @ 0x(nil) = 0x636e6923


Comment 21 William Kucharski 2008-03-12 02:24:15 UTC
(In reply to comment #19)
> Fedora Core 5 is no longer maintained. Is this bug still present in Fedora 7 or
> Fedora 8?

Comment 22 Bug Zapper 2008-05-14 11:58:31 UTC
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 23 Bug Zapper 2008-06-17 01:11:10 UTC
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. 
Fedora 7 is no longer maintained, which means that it will not 
receive any further security or bug fix updates. As a result we 
are closing this bug. 

If you can reproduce this bug against a currently maintained version 
of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.