[dfs] fixup: file_mmap and page cache

Including cache maintenance, potential dereference of null pointer and the use-after-free issue in page cache Signed-off-by: shell <smokewood@qq.com>
2023-10-23 17:24:28 +08:00 · 2023-10-23 17:24:28 +08:00 · b40d106bdc
parent 50bb71e458
commit b40d106bdc
2 changed files with 48 additions and 23 deletions
--- a/components/dfs/dfs_v2/src/dfs_file_mmap.c
+++ b/components/dfs/dfs_v2/src/dfs_file_mmap.c
@ -272,7 +272,7 @@ rt_err_t on_varea_shrink(struct rt_varea *varea, void *new_vaddr, rt_size_t size
        rm_start = varea_start + size;
        rm_end = varea_start + varea->size;
    }
-    else if (varea_start < (char *)new_vaddr)
+    else
    {
        rm_start = varea_start;
        rm_end = new_vaddr;
@ -293,6 +293,7 @@ rt_err_t on_varea_expand(struct rt_varea *varea, void *new_vaddr, rt_size_t size

 rt_err_t on_varea_split(struct rt_varea *existed, void *unmap_start, rt_size_t unmap_len, struct rt_varea *subset)
 {
+    rt_err_t rc;
    struct dfs_file *file = dfs_mem_obj_get_file(existed->mem_obj);

    if (file)
@ -307,12 +308,15 @@ rt_err_t on_varea_split(struct rt_varea *existed, void *unmap_start, rt_size_t u
            LOG_I("file: %s%s", file->dentry->mnt->fullpath, file->dentry->pathname);
        }

-        unmap_pages(existed, unmap_start, (char *)unmap_start + unmap_len);
+        rc = unmap_pages(existed, unmap_start, (char *)unmap_start + unmap_len);
+        if (!rc)
+        {
+            rc = unmap_pages(existed, subset->start, (char *)subset->start + subset->size);
+            if (!rc)
+                on_varea_open(subset);
+        }

-        subset->data = existed->data;
-        rt_atomic_add(&(file->ref_count), 1);
-
-        return RT_EOK;
+        return rc;
    }
    else
    {
@ -338,8 +342,7 @@ rt_err_t on_varea_merge(struct rt_varea *merge_to, struct rt_varea *merge_from)
        }

        dfs_aspace_unmap(file, merge_from);
-        merge_from->data = RT_NULL;
-        rt_atomic_sub(&(file->ref_count), 1);
+        on_varea_close(merge_from);

        return RT_EOK;
    }
@ -406,7 +409,9 @@ int dfs_file_mmap(struct dfs_file *file, struct dfs_mmap2_args *mmap2)

    LOG_I("mmap2 args addr: %p length: 0x%x prot: %d flags: 0x%x pgoffset: 0x%x",
           mmap2->addr, mmap2->length, mmap2->prot, mmap2->flags, mmap2->pgoffset);
-    if (file && file->vnode && file->vnode->aspace)
+    if (file && file->vnode)
+    {
+        if (file->vnode->aspace)
        {
            /* create a va area in user space (lwp) */
            rt_varea_t varea = dfs_map_user_varea_data(mmap2, file);
@ -424,10 +429,11 @@ int dfs_file_mmap(struct dfs_file *file, struct dfs_mmap2_args *mmap2)
                ret = -ENOMEM;
            }
        }
-    else if (file->vnode->aspace == RT_NULL)
+        else
        {
            LOG_E("File mapping is not supported, file: %s%s", file->dentry->mnt->fullpath, file->dentry->pathname);
        }
+    }

    return ret;
 }
--- a/components/dfs/dfs_v2/src/dfs_pcache.c
+++ b/components/dfs/dfs_v2/src/dfs_pcache.c
@ -6,6 +6,7 @@
 * Change Logs:
 * Date           Author       Notes
 * 2023-05-05     RTT          Implement mnt in dfs v2.0
+ * 2023-10-23     Shell        fix synchronization of data to icache
 */

 #include "dfs_pcache.h"
@ -15,6 +16,8 @@
 #include <mmu.h>
 #include <tlb.h>

+#include <rthw.h>
+
 #ifdef RT_USING_PAGECACHE

 #define DBG_TAG "dfs.pcache"
@ -1270,6 +1273,21 @@ void *dfs_aspace_mmap(struct dfs_file *file, struct rt_varea *varea, void *vaddr
            int err = rt_varea_map_range(varea, vaddr, pg_paddr, page->size);
            if (err == RT_EOK)
            {
+                /**
+                 * Note: While the page is mapped into user area, the data writing into the page
+                 * is not guaranteed to be visible for machines with the *weak* memory model and
+                 * those Harvard architecture (especially for those ARM64) cores for their
+                 * out-of-order pipelines of data buffer. Besides if the instruction cache in the
+                 * L1 memory system is a VIPT cache, there are chances to have the alias matching
+                 * entry if we reuse the same page frame and map it into the same virtual address
+                 * of the previous one.
+                 *
+                 * That's why we have to do synchronization and cleanup manually to ensure that
+                 * fetching of the next instruction can see the coherent data with the data cache,
+                 * TLB, MMU, main memory, and all the other observers in the computer system.
+                 */
+                rt_hw_cpu_icache_ops(RT_HW_CACHE_INVALIDATE, vaddr, ARCH_PAGE_SIZE);
+
                ret = page->page;
                map->varea = varea;
                dfs_aspace_lock(aspace);
@ -1358,6 +1376,7 @@ int dfs_aspace_page_unmap(struct dfs_file *file, struct rt_varea *varea, void *v
        {
            rt_list_t *node, *tmp;
            struct dfs_mmap *map;
+            rt_varea_unmap_page(varea, vaddr);

            node = page->mmap_head.next;