On Sat, May 19, 2007 at 10:53:20AM -0700, William Lee Irwin III wrote:
> On Fri, May 18, 2007 at 04:42:10PM +0100, Hugh Dickins wrote:
> > Sooner rather than later, don't we need those 8 bytes to expand from
> > atomic_t to atomic64_t _count and _mapcount? Not that we really need
> > all 64 bits of both, but I don't know how to work atomically with less.
> > (Why do I have this sneaking feeling that you're actually wanting
> > to stick something into the lower bits of page->virtual?)
>
> I wonder how close we get to overflow on ->_mapcount and ->_count.
> (untested/uncompiled).
I think the problem is that an attacker can deliberately overflow ->_count, not that it can happen innocuously. By mmapping, say, the page of libc that contains memcpy() several million times, and forking enough, can't you make ->_mapcount hit 0? I'm not a VM guy, I just vaguely remember people talking about this before.