Sharing memory through the direct mapping of physical addresses
QNX SDP8.0Programmer's GuideDeveloper
Don't do it!
Note:
Sharing memory through the direct mapping of physical addresses is extremely dangerous, and
you should avoid it.
Let's consider some scenarios.
Scenario 1: communicating using physical addresses
Process A allocates some memory, maps it, determines the physical address, and gives the address to process B so that it can map the memory. Process B uses direct mapping.
What can go wrong in this scenario?
- There's no memory object, and no lifecycle. The kernel doesn't keep track of the object.
- Process A can free the memory, and the memory could then be given to another process, while B continues to use it. This could cause a process or even the kernel to crash later because of a mishmash of data in the memory object. This type of problem can be very difficult to debug.
- The memory could be unlocked and then be paged out or replaced. In this case, the physical address given to process B is no longer valid.
- If process A terminates, its mapping is destroyed, and process B once again has a physical address that's no longer valid.
- Process B needs the MAP_PHYS ability (see procmgr_ability() in the C Library Reference) to map physical memory anywhere in the system, even if it needs to do so only to access process A's buffer.
- It's easy to make mistakes, and there's little to no enforcement.
It's a safety and security nightmare!
Scenario 2: mapping into a peer process
Process A allocates memory and uses mmap_peer() to establish a mapping for process B. This scenario isn't as bad as the one above; instead of letting process B map the physical address, process A does it for process B, and then injects the mapping into process B's address space.
What's wrong in this scenario?
- Process B is completely at the mercy of process A.
- Process A can map anything anywhere in process B's address space. Even worse, process A can unmap anthing anywhere in process B's address space. Process B may not be ready for the mapping or unmapping.
- It violates the notion of separation.
- It violates the principle of least privilege.
At the very least, the processes have to coordinate with each other.
Page updated: