论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2012-04-13 20:12 |只看该作者 |倒序浏览

copy_mm在子进程中设置指向父进程用户空间的页表项，却没有设置指向内核空间的页表项，也就是说，子进程的pgd中768项以后都没设置，那子进程不是没法执行内核代码了

static int copy_mm(unsigned long clone_flags, struct task_struct * tsk)
{
struct mm_struct * mm, *oldmm;
int retval;

tsk->min_flt = tsk->maj_flt = 0;
tsk->nvcsw = tsk->nivcsw = 0;

tsk->mm = NULL;
tsk->active_mm = NULL;

/*
   * Are we cloning a kernel thread?
   *
   * We need to steal a active VM for that..
   */
oldmm = current->mm;
if (!oldmm)
return 0;

if (clone_flags & CLONE_VM) {
atomic_inc(&oldmm->mm_users);
mm = oldmm;
/*
   * There are cases where the PTL is held to ensure no
   * new threads start up in user mode using an mm, which
   * allows optimizing out ipis; the tlb_gather_mmu code
   * is an example.
   */
spin_unlock_wait(&oldmm->page_table_lock);
goto good_mm;
}

retval = -ENOMEM;
mm = allocate_mm();
if (!mm)
goto fail_nomem;

/* Copy the current MM stuff.. */
memcpy(mm, oldmm, sizeof(*mm));
if (!mm_init(mm))  // 为子进程分配一个新的pgd
goto fail_nomem;

if (init_new_context(tsk,mm))
goto fail_nocontext;

retval = dup_mmap(mm, oldmm); // 在子进程的页表中填入父进程的用户空间页
if (retval)
goto free_pt;

mm->hiwater_rss = mm->rss;
mm->hiwater_vm = mm->total_vm;

good_mm:
tsk->mm = mm;
tsk->active_mm = mm;
return 0;

free_pt:
mmput(mm);
fail_nomem:
return retval;

fail_nocontext:
/*
   * If init_new_context() failed, we cannot use mmput() to free the mm
   * because it calls destroy_context()
   */
mm_free_pgd(mm);
free_mm(mm);
return retval;
}

文库|博客

瀚海书香

版主

论坛徽章:: 6

2楼 [报告]

发表于 2012-04-15 09:26 |只看该作者

回复 1# littlenewer

copy_mm在子进程中设置指向父进程用户空间的页表项，却没有设置指向内核空间的页表项，也就是说，子进程的pgd中768项以后都没设置，那子进程不是没法执行内核代码了

所有进程共享内核空间的页表，在mm_init中，会复制内核空间的页表swapper_pg_dir的768项以后的信息到新进程页目录的768项以后（1:3模型下）

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

littlenewer

稍有积蓄

论坛徽章:: 0

3楼 [报告]

发表于 2012-04-16 11:07 |只看该作者

回复 2# 瀚海书香

我把代码都贴上来了，可是没找到你说的copy的过程

static struct mm_struct * mm_init(struct mm_struct * mm)
{
atomic_set(&mm->mm_users, 1);
atomic_set(&mm->mm_count, 1);
init_rwsem(&mm->mmap_sem);
INIT_LIST_HEAD(&mm->mmlist);
mm->core_waiters = 0;
mm->nr_ptes = 0;
spin_lock_init(&mm->page_table_lock);
rwlock_init(&mm->ioctx_list_lock);
mm->ioctx_list = NULL;
mm->default_kioctx = (struct kioctx)INIT_KIOCTX(mm->default_kioctx, *mm);
mm->free_area_cache = TASK_UNMAPPED_BASE;

if (likely(!mm_alloc_pgd(mm))) {
mm->def_flags = 0;
return mm;
}
free_mm(mm);
return NULL;
}

static inline int mm_alloc_pgd(struct mm_struct * mm)
{
mm->pgd = pgd_alloc(mm);
if (unlikely(!mm->pgd))
return -ENOMEM;
return 0;
}

pgd_t *pgd_alloc(struct mm_struct *mm)
{
int i;
pgd_t *pgd = kmem_cache_alloc(pgd_cache, GFP_KERNEL);

if (PTRS_PER_PMD == 1 || !pgd)
return pgd;

for (i = 0; i < USER_PTRS_PER_PGD; ++i) {
pmd_t *pmd = kmem_cache_alloc(pmd_cache, GFP_KERNEL);
if (!pmd)
goto out_oom;
set_pgd(&pgd, __pgd(1 + __pa(pmd)));
}
return pgd;

out_oom:
for (i--; i >= 0; i--)
kmem_cache_free(pmd_cache, (void *)__va(pgd_val(pgd)-1));
kmem_cache_free(pgd_cache, pgd);
return NULL;
}