Hildenbrand, David and Schulz, Martin and Amit, Nadav

Architectural Support for Programming Languages & Operating Systems (ASPLOS), 2023

Operating systems utilize Copy-on-Write (COW) to conserve memory and improve performance. During the last two decades, a series of COW-related bugs — that compromised security, corrupted memory and degraded performance — was found. The majority of these bugs is related to page “pinning,” which operating systems employ to access process memory efficiently and to perform direct I/O. We claim that the true cause of these bugs is not well understood, resulting in incomplete bug fixes. We substantiate this claim by: (1) surveying previously reported pinning-related COW bugs; (2) uncovering new such bugs in Linux, FreeBSD, and NetBSD; and (3) showing that they occur because the COW logic does not consider page pins correctly, resulting in incorrect behavior (e.g., I/O of stale data). We address this problem by defining when/how shared pages must be copied and under which conditions pinned pages can be shared to maintain correctness. We introduce the “Copy-on-Pin (COP)” scheme, an extension of the COW mechanism that handles pinned pages correctly by ensuring pinned pages and shared pages are mutually exclusive. However, we find that a naive implementation of this scheme hampers performance and increases complexity if pages are copied only when strictly necessary. To compensate, we introduce a relaxed-COP design, which does not require precise tracking of page sharing, maintains correctness without increasing complexity, and (while potentially needlessly copying pages in some corner cases) marginally improves performance. Our relaxed-COP solution has been integrated into Linux 5.19.
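The stale-I/O failure and the copy-on-pin rule described in the abstract can be seen in a toy model. The following is an added illustration, not code from the paper or from Linux: the structures and function names (`page`, `proc`, `do_fork`, `do_write`, `parent_sees_after_dma`) are hypothetical, and it models only one page, one pin taken before `fork()`, and a rule that copies a pinned page for the child instead of sharing it.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy model (assumption): one anonymous page, parent and child mappings, one DMA pin. */
struct page { int data; int mapcount; int pincount; };
struct proc { struct page *pg; int writable; };

static struct page *page_new(int data) {
    struct page *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->data = data; p->mapcount = 1;
    return p;
}

/* fork(): naive COW always shares; with cop set, a pinned page is copied for the child. */
static void do_fork(struct proc *parent, struct proc *child, int cop) {
    if (cop && parent->pg->pincount > 0) {
        child->pg = page_new(parent->pg->data);   /* copy-on-pin: never share a pinned page */
        child->writable = 1;                      /* parent keeps its exclusive, pinned page */
        return;
    }
    child->pg = parent->pg;
    parent->pg->mapcount++;
    parent->writable = child->writable = 0;       /* write-protect both mappings */
}

/* Write fault: a shared page is copied and the writer is remapped to the copy. */
static void do_write(struct proc *p, int value) {
    if (!p->writable) {
        if (p->pg->mapcount > 1) {
            struct page *copy = page_new(p->pg->data);
            p->pg->mapcount--;
            p->pg = copy;                         /* an existing pin still names the old page */
        }
        p->writable = 1;
    }
    p->pg->data = value;
}

/* Sequence: pin, fork, CPU write by parent, device write through the pin. */
int parent_sees_after_dma(int cop) {
    struct proc parent = { page_new(1), 1 }, child = { 0, 0 };
    struct page *pinned = parent.pg;              /* page pinned for direct I/O */
    pinned->pincount++;
    do_fork(&parent, &child, cop);
    do_write(&parent, 2);                         /* triggers COW in the naive case */
    pinned->data = 99;                            /* device writes via the pinned page */
    return parent.pg->data;                       /* 99 = I/O visible, 2 = stale data */
}

int main(void) {
    printf("naive COW: %d, COP: %d\n", parent_sees_after_dma(0), parent_sees_after_dma(1));
    return 0;
}
```

In the naive case the device's write lands in the page that the child still maps, so the parent reads stale data and the child observes I/O that was never meant for it.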